certifi / python-certifi

(Python Distribution) A carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.

Equifax 2048 CA is not supported... #59

Closed odyhunter closed 7 years ago

odyhunter commented 7 years ago

Hi,

I noticed Equifax is not included in the current pem https://github.com/certifi/python-certifi/blob/master/certifi/cacert.pem

Thus the following 2048-bit CA failed. I know the 1024-bit CA is not supported...

Do you have any plan to include Equifax, or is there any reason blocking you from doing so?

Thanks!

[root@diskprovision ~]# openssl s_client -connect s3-api.us-geo.objectstorage.softlayer.net:443
CONNECTED(00000003)
depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify return:1
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = Texas, L = Dallas, O = "SoftLayer Technologies, Inc", OU = "SoftLayer Technologies, Inc.", CN = s3-api.us-geo.objectstorage.softlayer.net
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Dallas/O=SoftLayer Technologies, Inc/OU=SoftLayer Technologies, Inc./CN=s3-api.us-geo.objectstorage.softlayer.net
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
subject=/C=US/ST=Texas/L=Dallas/O=SoftLayer Technologies, Inc/OU=SoftLayer Technologies, Inc./CN=s3-api.us-geo.objectstorage.softlayer.net
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4886 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 521B3BFC1C2820B07E058156D098ADC9BE9E8F72ABFBF88AEB097131A8F3D88D
    Session-ID-ctx: 
    Master-Key: 03190F1C7D46DAADC507A5183AB06DE2BAC5495CD44051321A3CF6A42C4716D62085B1DDF9D1E7B7BBA5D784AB557830
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1496393416
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
Lukasa commented 7 years ago

The Equifax CA is present in the "weak" bundle (call certifi.old_where()). It was removed because 1024-bit root certs have been deprecated and removed from all trust stores because they are unsafe.

The GeoTrust Global CA present in the cert chain, however, is present in certifi's trust bundle. That this wasn't used strongly suggests you're using an older OpenSSL (pre-1.0.2), which has a problem with building trust stores. I strongly recommend you upgrade to a newer OpenSSL. If you are unable, you should use certifi.old_where() instead.

Closing as a duplicate of #26.
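To make the reply's point concrete, here is an added example (not certifi's or OpenSSL's code) that models the two path-building strategies on the chain from the openssl output above: the pre-1.0.2 walk that follows the peer-supplied chain to its self-signed end before consulting the trust store, and the newer "trusted first" walk that stops at the first anchor it knows. The two trust sets are constructed stand-ins for `certifi.where()` and `certifi.old_where()`, not the real bundle contents.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed model of the chain the server sends (depth 0..3 in the openssl output).
SERVER_CHAIN = [
    Cert("s3-api.us-geo.objectstorage.softlayer.net", "GeoTrust SSL CA - G3"),
    Cert("GeoTrust SSL CA - G3", "GeoTrust Global CA"),
    Cert("GeoTrust Global CA", "Equifax Secure Certificate Authority"),
    Cert("Equifax Secure Certificate Authority", "Equifax Secure Certificate Authority"),
]

# Constructed stand-ins for certifi.where() / certifi.old_where(); not the real bundles.
CERTIFI_WHERE = {"GeoTrust Global CA"}
CERTIFI_OLD_WHERE = {"GeoTrust Global CA", "Equifax Secure Certificate Authority"}


def build_path(leaf, untrusted, trusted, trusted_first):
    """Return the subjects of the verified path, or None if no trust anchor is reached.
    trusted_first=False: simplified OpenSSL < 1.0.2 (exhaust the peer chain first).
    trusted_first=True: simplified newer OpenSSL (prefer a trust-store anchor at each step)."""
    by_subject = {c.subject: c for c in untrusted}
    path, current = [leaf.subject], leaf
    while True:
        if trusted_first and current.subject in trusted:
            return path
        if trusted_first and current.issuer in trusted:
            return path + [current.issuer]
        nxt = by_subject.get(current.issuer)
        if current.self_signed or nxt is None:
            break  # peer-supplied chain exhausted
        path.append(nxt.subject)
        current = nxt
    # Only now is the trust store consulted in the old strategy.
    if current.subject in trusted:
        return path
    if not current.self_signed and current.issuer in trusted:
        return path + [current.issuer]
    return None  # e.g. a self-signed root (Equifax) that the store does not contain


if __name__ == "__main__":
    for name, store in (("where()", CERTIFI_WHERE), ("old_where()", CERTIFI_OLD_WHERE)):
        for old in (True, False):
            print(name, "old OpenSSL" if old else "new OpenSSL",
                  build_path(SERVER_CHAIN[0], SERVER_CHAIN[1:], store, not old))
```

With the `where()` stand-in the old strategy walks past GeoTrust Global CA to the untrusted Equifax root and fails, while the trusted-first strategy anchors at GeoTrust Global CA; the `old_where()` stand-in succeeds either way, which is the fallback the reply suggests.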