golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

crypto/x509: root_cgo_darwin and root_nocgo_darwin omit some system certs #24652

Closed jdhenke closed 5 years ago

jdhenke commented 6 years ago

Please answer these questions before submitting your issue. Thanks!

What did you do?

$ cat main.go
package main

import (
    "crypto/x509"
    "fmt"
    "log"
)

func main() {
    certs, err := x509.SystemCertPool()
    if err != nil {
        log.Fatal(err)
    }
    fmt.Printf("Num System Certs: %d\n", len(certs.Subjects()))
}
$ CGO_ENABLED=0 go run main.go
Num System Certs: 188
$ CGO_ENABLED=1 go run main.go
Num System Certs: 168

What did you expect to see?

I expected to see the same number of certificates regardless of whether I used cgo.

What did you see instead?

The implementation using CGO resulted in fewer system certificates, which causes problems for our tooling that relies on one of those missing certificates to be in the SystemCertPool.

System details

go version go1.10.1 darwin/amd64
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/jhenke/Library/Caches/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOOS="darwin"
GOPATH="/Users/jhenke"
GORACE=""
GOROOT="/usr/local/go"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/_b/gz_w_nfj0_33f5y3s_0pg8xs080pym/T/go-build925272903=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.10.1 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.10.1
uname -v: Darwin Kernel Version 16.7.0: Mon Nov 13 21:56:25 PST 2017; root:xnu-3789.72.11~1/RELEASE_X86_64
ProductName:    Mac OS X
ProductVersion: 10.12.6
BuildVersion:   16G1114
lldb --version: lldb-900.0.64
  Swift-4.0
adamdecaf commented 6 years ago

Could you tell us more about the certificates not found in the cgo path? Are they set with specific trust policies? Could you paste a certificate that isn't found, but should be?

nmiyake commented 6 years ago

Do you know of a way to print/examine the trust policies of a certificate? After some experimentation, we have found that the certificates that aren't showing up seem to say "This certificate has custom trust settings" in the Keychain UI. However, expanding the "Trust" section doesn't reveal any specifics:

[screenshot: the certificate's Trust section in Keychain Access]

I'm not sure how the certificate was added/got to this state. It seems that if we manually update the state to "Always Trust" in the Keychain UI, then the certificate is returned. However, we'd like to understand this further, since most apps seem to trust the certificate even with these "Custom" trust settings but Go with CGo does not, which is causing issues for us.

*To clarify, I suspect that the issue has to do with the trust settings marked for the certificate rather than with the certificate itself

bcmills commented 6 years ago

(CC: @FiloSottile)

adamdecaf commented 6 years ago

@jdhenke @nmiyake I've had to add the certificates into either the login keychain or /Library/Keychains/System.keychain. Doing this with the security tool looks like:

# One of these two should work
$ security add-trusted-cert -p ssl -k ~/Library/Keychains/login.keychain cert.pem
$ security add-trusted-cert -p ssl -k /Library/Keychains/System.keychain cert.pem

How are you adding the certs?

The Keychain UI is pretty much the easiest way to view trust, but it's not always clear. I've been working on better ways to parse the security tool output.

You can inspect the certs with the tool by running something like the following, which is what non-cgo Go does:

security find-certificate -c <name> -a ~/Library/Keychains/login.keychain /Library/Keychains/System.keychain /System/Library/Keychains/SystemRootCertificates.keychain 

I've talked about the inverse of this problem (explicit distrust of certificates) at https://github.com/golang/go/issues/24084, which has the same confusion/problem.

nmiyake commented 6 years ago

Unfortunately, I'm not sure about the provenance of how the cert was added. However, I do suspect that how it was added/how it was upgraded from a previous add is at the root of the issue here.

I have a certificate in my System store called "MSCA-ROOT-01-CA". I'm not sure how it was added, but the screenshot earlier in the issue shows that it displays as "This certificate has custom trust settings", although the UI shows "Always Trust" for all the parts.

I added some debugging code to root_cgo_darwin.go (edits at the end of this post), and the resulting output for this cert is:

Processing cert: MSCA-ROOT-01-CA
getting domain 1 for trust settings
using domain 1 for trust settings
getting domain 2 for trust settings
trustSettings is not NULL
len of trustSettings: 0
done. untrusted: 0, trustAsRoot: 0, trustRoot: 0

Based on my reading of the code, this certificate is in the "Admin" domain and has a non-NULL but empty trust setting. Because the trust setting is empty and it isn't a system cert, it decides not to trust it.

This logically makes sense to me, but I guess the resulting behavior isn't consistent with other applications (other applications seem willing to use this certificate for verification).

Modified FetchPEMRoots in crypto/x509/root_cgo_darwin.go:

int FetchPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
    if (useOldCode()) {
        return FetchPEMRoots_MountainLion(pemRoots);
    }

    // Get certificates from all domains, not just System, this lets
    // the user add CAs to their "login" keychain, and Admins to add
    // to the "System" keychain
    SecTrustSettingsDomain domains[] = { kSecTrustSettingsDomainSystem,
                         kSecTrustSettingsDomainAdmin,
                         kSecTrustSettingsDomainUser };

    int numDomains = sizeof(domains)/sizeof(SecTrustSettingsDomain);
    if (pemRoots == NULL) {
        return -1;
    }
    printf("numDomains: %d\n", numDomains);

    // kSecTrustSettingsResult is defined as CFSTR("kSecTrustSettingsResult"),
    // but the Go linker's internal linking mode can't handle CFSTR relocations.
    // Create our own dynamic string instead and release it below.
    CFStringRef policy = CFStringCreateWithCString(NULL, "kSecTrustSettingsResult", kCFStringEncodingUTF8);

    CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
    CFMutableDataRef combinedUntrustedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
    for (int i = 0; i < numDomains; i++) {
        CFArrayRef certs = NULL;
        OSStatus err = SecTrustSettingsCopyCertificates(domains[i], &certs);
        if (err != noErr) {
            continue;
        }

        CFIndex numCerts = CFArrayGetCount(certs);
        for (int j = 0; j < numCerts; j++) {
            CFDataRef data = NULL;
            CFErrorRef errRef = NULL;
            CFArrayRef trustSettings = NULL;
            SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, j);
            if (cert == NULL) {
                continue;
            }
            // We only want trusted certs.
            int untrusted = 0;
            int trustAsRoot = 0;
            int trustRoot = 0;
            if (i == 0) {
                trustAsRoot = 1;
            } else {
                CFStringRef commonNameRef = NULL;
                char commonName[256] = "(no common name)";
                if (SecCertificateCopyCommonName(cert, &commonNameRef) == errSecSuccess && commonNameRef != NULL) {
                    // CFStringGetCStringPtr may return NULL, so copy into a buffer instead.
                    CFStringGetCString(commonNameRef, commonName, sizeof(commonName), kCFStringEncodingUTF8);
                    CFRelease(commonNameRef);
                }
                printf("Processing cert: %s\n", commonName);

                // Certs found in the system domain are always trusted. If the user
                // configures "Never Trust" on such a cert, it will also be found in the
                // admin or user domain, causing it to be added to untrustedPemRoots. The
                // Go code will then clean this up.

                // Trust may be stored in any of the domains. According to Apple's
                // SecTrustServer.c, "user trust settings overrule admin trust settings",
                // so take the last trust settings array we find.
                // Skip the system domain since it is always trusted.
                for (int k = i; k < numDomains; k++) {
                    printf("getting domain %d for trust settings\n", k);
                    CFArrayRef domainTrustSettings = NULL;
                    err = SecTrustSettingsCopyTrustSettings(cert, domains[k], &domainTrustSettings);
                    if (err == errSecSuccess && domainTrustSettings != NULL) {
                        if (trustSettings) {
                            CFRelease(trustSettings);
                        }
                        printf("using domain %d for trust settings\n", k);
                        trustSettings = domainTrustSettings;
                    }
                }
                if (trustSettings == NULL) {
                    printf("this certificate must be verified to a known trusted certificate\n");
                    // "this certificate must be verified to a known trusted certificate"; aka not a root.
                    continue;
                }
                printf("trustSettings is not NULL\n");
                printf("len of trustSettings: %ld\n", (long)CFArrayGetCount(trustSettings));
                for (CFIndex k = 0; k < CFArrayGetCount(trustSettings); k++) {
                    CFNumberRef cfNum;
                    CFDictionaryRef tSetting = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings, k);
                    if (CFDictionaryGetValueIfPresent(tSetting, policy, (const void**)&cfNum)){
                        SInt32 result = 0;
                        CFNumberGetValue(cfNum, kCFNumberSInt32Type, &result);
                        printf("resultNum: %d at index k=%ld\n", (int)result, (long)k);
                        // TODO: The rest of the dictionary specifies conditions for evaluation.
                        if (result == kSecTrustSettingsResultDeny) {
                            untrusted = 1;
                        } else if (result == kSecTrustSettingsResultTrustAsRoot) {
                            trustAsRoot = 1;
                        } else if (result == kSecTrustSettingsResultTrustRoot) {
                            trustRoot = 1;
                        }
                    }
                }
                printf("done. untrusted: %d, trustAsRoot: %d, trustRoot: %d\n", untrusted, trustAsRoot, trustRoot);
                CFRelease(trustSettings);
            }

            if (trustRoot) {
                // We only want to add Root CAs, so make sure Subject and Issuer Name match
                CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, &errRef);
                if (errRef != NULL) {
                    CFRelease(errRef);
                    continue;
                }
                CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, &errRef);
                if (errRef != NULL) {
                    CFRelease(subjectName);
                    CFRelease(errRef);
                    continue;
                }
                Boolean equal = CFEqual(subjectName, issuerName);
                CFRelease(subjectName);
                CFRelease(issuerName);
                if (!equal) {
                    continue;
                }
            }

            // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
            // Once we support weak imports via cgo we should prefer that, and fall back to this
            // for older systems.
            err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
            if (err != noErr) {
                continue;
            }

            if (data != NULL) {
                if (!trustRoot && !trustAsRoot) {
                    untrusted = 1;
                }
                CFMutableDataRef appendTo = untrusted ? combinedUntrustedData : combinedData;
                CFDataAppendBytes(appendTo, CFDataGetBytePtr(data), CFDataGetLength(data));
                CFRelease(data);
            }
        }
        CFRelease(certs);
    }
    CFRelease(policy);
    *pemRoots = combinedData;
    *untrustedPemRoots = combinedUntrustedData;
    return 0;
}
adamdecaf commented 6 years ago

@nmiyake Could you rebase that change off the latest commit on master? There's another change which mixes up the diff a bit.

I'm not sure if trusting a certificate without any policies from the user/admin domain would cause problems. If an attacker is modifying your trust policies they can already install a root CA.

There is a kSecTrustSettingsResultDeny policy I'd expect to be set (to explicitly distrust), but I don't know how widespread that's used. Keychain does use that.

nmiyake commented 6 years ago

Sure. Here's the modified code on master:

int FetchPEMRoots(CFDataRef *pemRoots, CFDataRef *untrustedPemRoots) {
    int i;

    if (useOldCode()) {
        return FetchPEMRoots_MountainLion(pemRoots);
    }

    // Get certificates from all domains, not just System, this lets
    // the user add CAs to their "login" keychain, and Admins to add
    // to the "System" keychain
    SecTrustSettingsDomain domains[] = { kSecTrustSettingsDomainSystem,
                         kSecTrustSettingsDomainAdmin,
                         kSecTrustSettingsDomainUser };

    int numDomains = sizeof(domains)/sizeof(SecTrustSettingsDomain);
    if (pemRoots == NULL) {
        return -1;
    }
    printf("numDomains: %d\n", numDomains);

    // kSecTrustSettingsResult is defined as CFSTR("kSecTrustSettingsResult"),
    // but the Go linker's internal linking mode can't handle CFSTR relocations.
    // Create our own dynamic string instead and release it below.
    CFStringRef policy = CFStringCreateWithCString(NULL, "kSecTrustSettingsResult", kCFStringEncodingUTF8);

    CFMutableDataRef combinedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
    CFMutableDataRef combinedUntrustedData = CFDataCreateMutable(kCFAllocatorDefault, 0);
    for (i = 0; i < numDomains; i++) {
        int j;
        CFArrayRef certs = NULL;
        OSStatus err = SecTrustSettingsCopyCertificates(domains[i], &certs);
        if (err != noErr) {
            continue;
        }

        CFIndex numCerts = CFArrayGetCount(certs);
        for (j = 0; j < numCerts; j++) {
            CFDataRef data = NULL;
            CFErrorRef errRef = NULL;
            CFArrayRef trustSettings = NULL;
            SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, j);
            if (cert == NULL) {
                continue;
            }
            // We only want trusted certs.
            int untrusted = 0;
            int trustAsRoot = 0;
            int trustRoot = 0;
            if (i == 0) {
                trustAsRoot = 1;
            } else {
                CFStringRef commonNameRef = NULL;
                char commonName[256] = "(no common name)";
                if (SecCertificateCopyCommonName(cert, &commonNameRef) == errSecSuccess && commonNameRef != NULL) {
                    // CFStringGetCStringPtr may return NULL, so copy into a buffer instead.
                    CFStringGetCString(commonNameRef, commonName, sizeof(commonName), kCFStringEncodingUTF8);
                    CFRelease(commonNameRef);
                }
                printf("Processing cert: %s\n", commonName);

                int k;
                CFIndex m;

                // Certs found in the system domain are always trusted. If the user
                // configures "Never Trust" on such a cert, it will also be found in the
                // admin or user domain, causing it to be added to untrustedPemRoots. The
                // Go code will then clean this up.

                // Trust may be stored in any of the domains. According to Apple's
                // SecTrustServer.c, "user trust settings overrule admin trust settings",
                // so take the last trust settings array we find.
                // Skip the system domain since it is always trusted.
                for (k = i; k < numDomains; k++) {
                    printf("getting domain %d for trust settings\n", k);
                    CFArrayRef domainTrustSettings = NULL;
                    err = SecTrustSettingsCopyTrustSettings(cert, domains[k], &domainTrustSettings);
                    if (err == errSecSuccess && domainTrustSettings != NULL) {
                        if (trustSettings) {
                            CFRelease(trustSettings);
                        }
                        printf("using domain %d for trust settings\n", k);
                        trustSettings = domainTrustSettings;
                    }
                }
                if (trustSettings == NULL) {
                    // "this certificate must be verified to a known trusted certificate"; aka not a root.
                    printf("this certificate must be verified to a known trusted certificate\n");
                    continue;
                }
                printf("trustSettings is not NULL\n");
                printf("len of trustSettings: %ld\n", (long)CFArrayGetCount(trustSettings));
                for (m = 0; m < CFArrayGetCount(trustSettings); m++) {
                    CFNumberRef cfNum;
                    CFDictionaryRef tSetting = (CFDictionaryRef)CFArrayGetValueAtIndex(trustSettings, m);
                    if (CFDictionaryGetValueIfPresent(tSetting, policy, (const void**)&cfNum)){
                        SInt32 result = 0;
                        CFNumberGetValue(cfNum, kCFNumberSInt32Type, &result);
                        printf("resultNum: %d at index m=%ld\n", (int)result, (long)m);
                        // TODO: The rest of the dictionary specifies conditions for evaluation.
                        if (result == kSecTrustSettingsResultDeny) {
                            untrusted = 1;
                        } else if (result == kSecTrustSettingsResultTrustAsRoot) {
                            trustAsRoot = 1;
                        } else if (result == kSecTrustSettingsResultTrustRoot) {
                            trustRoot = 1;
                        }
                    }
                }
                printf("done. untrusted: %d, trustAsRoot: %d, trustRoot: %d\n", untrusted, trustAsRoot, trustRoot);
                CFRelease(trustSettings);
            }

            if (trustRoot) {
                // We only want to add Root CAs, so make sure Subject and Issuer Name match
                CFDataRef subjectName = SecCertificateCopyNormalizedSubjectContent(cert, &errRef);
                if (errRef != NULL) {
                    CFRelease(errRef);
                    continue;
                }
                CFDataRef issuerName = SecCertificateCopyNormalizedIssuerContent(cert, &errRef);
                if (errRef != NULL) {
                    CFRelease(subjectName);
                    CFRelease(errRef);
                    continue;
                }
                Boolean equal = CFEqual(subjectName, issuerName);
                CFRelease(subjectName);
                CFRelease(issuerName);
                if (!equal) {
                    continue;
                }
            }

            // Note: SecKeychainItemExport is deprecated as of 10.7 in favor of SecItemExport.
            // Once we support weak imports via cgo we should prefer that, and fall back to this
            // for older systems.
            err = SecKeychainItemExport(cert, kSecFormatX509Cert, kSecItemPemArmour, NULL, &data);
            if (err != noErr) {
                continue;
            }

            if (data != NULL) {
                if (!trustRoot && !trustAsRoot) {
                    untrusted = 1;
                }
                CFMutableDataRef appendTo = untrusted ? combinedUntrustedData : combinedData;
                CFDataAppendBytes(appendTo, CFDataGetBytePtr(data), CFDataGetLength(data));
                CFRelease(data);
            }
        }
        CFRelease(certs);
    }
    CFRelease(policy);
    *pemRoots = combinedData;
    *untrustedPemRoots = combinedUntrustedData;
    return 0;
}

Output was the same:

Processing cert: MSCA-ROOT-01-CA
getting domain 1 for trust settings
using domain 1 for trust settings
getting domain 2 for trust settings
trustSettings is not NULL
len of trustSettings: 0
done. untrusted: 0, trustAsRoot: 0, trustRoot: 0

From what I can tell, I have 3 certificates in my keychain that fit these criteria.

Adding this logic fixes the specific issue that we're seeing:

if (CFArrayGetCount(trustSettings) == 0) {
    trustAsRoot = 1;
}

(if this were to be done, I would presume it should probably be done for the case where trustSettings == NULL as well for consistency)

Interestingly, this doesn't fully resolve the diff for the number of certificates between CGO_ENABLED=0 and 1. My breakdown is:

adamdecaf commented 6 years ago

@nmiyake Cool. If you want to submit that if (CFArrayGetCount(trustSettings) == 0) { change we can get it reviewed.

There's probably something up with the trust policies on those remaining certificates. Can you run the following?

$ security trust-settings-export user-trust.plist
$ security trust-settings-export -d admin-trust.plist

This dumps plist (xml) files of your certificate trust. The best way to find a specific cert is by the sha1 hash. It's the <key>...</key> in the following snippet.

Can you find a certificate that's added into a keychain, but isn't showing up in Go? I'm curious what <key>trustSettings</key> is saying.

The values there are mapped to SecTrustSettingsResult.

                <key>0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43</key>
                <dict>
                        <key>issuerName</key>
                        <data>
                        MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMx
                        GTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0Rp
                        Z2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQQ==
                        </data>
                        <key>modDate</key>
                        <date>2018-02-24T19:37:04Z</date>
                        <key>serialNumber</key>
                        <data>
                        DOfg5RfYRv6P5WD8G/AwOQ==
                        </data>
                        <key>trustSettings</key>
                        <array>
                                <dict>
                                        <key>kSecTrustSettingsResult</key>
                                        <integer>4</integer>
                                </dict>
                        </array>
                </dict>

I'm building a quick tool to help debug these files. You can run it over the exported plist files and get something that's a bit easier to parse. https://github.com/adamdecaf/plist-parser

hash=0563B863 issuer="CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US" trustSettings=map[string]string{"kSecTrustSettingsResult":"4"}
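The plist walk described above, as an added example in Go that is not part of this thread and not adamdecaf's plist-parser tool: it reads an exported trust-settings plist into its trustList entries, decodes each issuerName from DER into the same RFC 2253 form Go prints for names, and classifies each certificate's kSecTrustSettingsResult values the way the Go 1.10 cgo code quoted earlier in this thread does (any Deny makes it untrusted, TrustRoot or TrustAsRoot makes it a root, and an empty trustSettings array produces no result at all). The sample plist is constructed: the DigiCert entry reuses the fingerprint, issuerName and result from the snippet above, the two other entries (all-A and all-B fingerprints, no issuerName) are made up, and the top-level trustList key is assumed to match what security trust-settings-export writes.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// kSecTrustSettingsResult values from Security.framework's SecTrustSettings.h.
const ResultTrustRoot, ResultTrustAsRoot, ResultDeny, ResultUnspecified int64 = 1, 2, 3, 4

// node is any plist element: a <dict>'s children alternate <key> and value,
// an <array>'s children are its values, and leaves carry their text.
type node struct {
	XMLName  xml.Name
	Text     string `xml:",chardata"`
	Children []node `xml:",any"`
}

// get returns the value following key k in a dict node, or nil if absent.
func (n *node) get(k string) *node {
	for i := 0; i+1 < len(n.Children); i += 2 {
		if n.Children[i].XMLName.Local == "key" && strings.TrimSpace(n.Children[i].Text) == k {
			return &n.Children[i+1]
		}
	}
	return nil
}

// TrustEntry is one certificate from the exported plist's trustList dict.
type TrustEntry struct {
	Hash, Issuer, Verdict string  // SHA-1 key, decoded issuerName, Classify output
	Results               []int64 // kSecTrustSettingsResult of each setting that has one
}

// Classify mirrors the Go 1.10 cgo code quoted in this thread: any Deny wins,
// otherwise a TrustRoot or TrustAsRoot result is needed, and an empty
// trustSettings array yields no result at all, so the cert is dropped.
func Classify(numSettings int, results []int64) string {
	if numSettings == 0 {
		return "empty"
	}
	verdict := "no-root-result"
	for _, r := range results {
		if r == ResultDeny {
			return "deny"
		} else if r == ResultTrustRoot || r == ResultTrustAsRoot {
			verdict = "trusted"
		}
	}
	return verdict
}

// ParseTrustSettings reads a `security trust-settings-export` plist and returns
// its trustList entries in file order, with issuerName decoded from DER.
func ParseTrustSettings(plistXML string) ([]TrustEntry, error) {
	var root node // the <plist> element; its only child is the top-level dict
	if err := xml.Unmarshal([]byte(plistXML), &root); err != nil {
		return nil, err
	}
	var list *node
	if len(root.Children) == 1 {
		list = root.Children[0].get("trustList")
	}
	if list == nil || list.XMLName.Local != "dict" {
		return nil, fmt.Errorf("no trustList dict at top level")
	}
	var entries []TrustEntry
	for i := 0; i+1 < len(list.Children); i += 2 {
		cert := &list.Children[i+1]
		e := TrustEntry{Hash: strings.TrimSpace(list.Children[i].Text), Issuer: "<no issuerName>"}
		if data := cert.get("issuerName"); data != nil {
			var rdns pkix.RDNSequence // issuerName is base64 of a DER X.501 Name
			der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(data.Text), ""))
			if err == nil {
				_, err = asn1.Unmarshal(der, &rdns)
			}
			if err != nil {
				return nil, fmt.Errorf("%s: bad issuerName: %v", e.Hash, err)
			}
			e.Issuer = rdns.String() // RFC 2253 order, as Go prints names
		}
		var settings []node
		if arr := cert.get("trustSettings"); arr != nil {
			settings = arr.Children
		}
		for _, s := range settings {
			if r := s.get("kSecTrustSettingsResult"); r != nil {
				n, err := strconv.ParseInt(strings.TrimSpace(r.Text), 10, 64)
				if err != nil {
					return nil, fmt.Errorf("%s: bad kSecTrustSettingsResult: %v", e.Hash, err)
				}
				e.Results = append(e.Results, n)
			}
		}
		e.Verdict = Classify(len(settings), e.Results)
		entries = append(entries, e)
	}
	return entries, nil
}

// SamplePlist is constructed: the DigiCert entry from the thread, then a
// made-up entry with an empty trustSettings array and a made-up entry that
// mixes TrustRoot with Deny (fake fingerprints, no issuerName).
const SamplePlist = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>trustList</key><dict>
 <key>0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43</key><dict>
  <key>issuerName</key><data>
  MGUxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMx
  GTAXBgNVBAsTEHd3dy5kaWdpY2VydC5jb20xJDAiBgNVBAMTG0Rp
  Z2lDZXJ0IEFzc3VyZWQgSUQgUm9vdCBDQQ==
  </data>
  <key>trustSettings</key><array>
   <dict><key>kSecTrustSettingsResult</key><integer>4</integer></dict>
  </array>
 </dict>
 <key>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</key><dict>
  <key>trustSettings</key><array/>
 </dict>
 <key>BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB</key><dict>
  <key>trustSettings</key><array>
   <dict><key>kSecTrustSettingsResult</key><integer>1</integer></dict>
   <dict><key>kSecTrustSettingsResult</key><integer>3</integer></dict>
  </array>
 </dict>
</dict><key>trustVersion</key><integer>1</integer></dict></plist>`

func main() {
	entries, err := ParseTrustSettings(SamplePlist)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("hash=%.8s issuer=%q results=%v verdict=%s\n", e.Hash, e.Issuer, e.Results, e.Verdict)
	}
}
```

Point ParseTrustSettings at the output of `security trust-settings-export` (user domain) or `security trust-settings-export -d` (admin domain) and the "empty" verdicts are exactly the certificates this issue is about: present in the keychain with custom trust settings, but dropped by the Go 1.10 cgo path because no result value was ever written for them.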
nmiyake commented 6 years ago

OK, performed more digging and diagnostics.

Here's the overview of my state with the current Go:

No CGo certs: 176
CGo certs: 161

0 CGo only, 15 non-CGo only, 161 common

After running with my modification proposed above, I get:

No CGo certs: 176
CGo certs: 164

1 CGo only, 13 non-CGo only, 163 common

I ran your parsing tool on my output, and indeed for some reason there are 3 certificates that explicitly have an empty trust settings set (only showing one here):

hash=00C337EA issuer="CN=MSCA-ROOT-01-CA" trustSettings=map[string]string{}

I'm not sure how this entry was created for me, but that's clearly the issue. Two of these certificates are valid and are added, and thus increment the "common" count by 2. One of these certificates is expired. This one appears only in the CGo code, which accounts for the "1 CGo only".

Here are some of the certificates that show up only for non-CGo (out of the 13):

        Apple Worldwide Developer Relations Certification Authority
        Developer ID Certification Authority
        DigiCert Assured ID CA-1
        DigiCert SHA2 Assured ID CA
        DigiCert SHA2 High Assurance Server CA

2 of these have an entry in my user-trust.plist with trustSettings=map[string]string{"kSecTrustSettingsResult":"-2147409654"}:

hash=20744DE6 issuer="CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US" trustSettings=map[string]string{"kSecTrustSettingsResult":"-2147409654"}

None of the other entries show up in my plist. In the keychain, these show up as "no value specified" for trust:

[screenshot: Keychain Access trust settings showing "no value specified"]

The one curious thing is the extra certificate that shows up for CGo only after the local modification. That certificate is an old CA certificate I have that is expired:

[screenshot: the expired CA certificate in Keychain Access]

It's showing up because before the modification it was in my admin-trust.plist with map[string]string{} as the trustSettings, so the change now includes it. I'm guessing the non-CGo code automatically prunes it based on expiration.

I don't think this should be an issue since even if the cert is added as a root cert, any code that does validation should properly check the expiration status.

gopherbot commented 6 years ago

Change https://golang.org/cl/104735 mentions this issue: crypto/x509: add certs with empty trust settings for cgo_darwin

adamdecaf commented 6 years ago

@nmiyake Cool on that CL. You'll probably want to assign @FiloSottile as a reviewer.

As for the certificates with "kSecTrustSettingsResult":"-2147409654": I think this is why they're not marked as trusted. -2147409654 is not a valid value. The relevant Go code only checks a couple of the values (see SecTrustSettingsResult).

if (CFDictionaryGetValueIfPresent(tSetting, policy, (const void**)&cfNum)){
    SInt32 result = 0;
    CFNumberGetValue(cfNum, kCFNumberSInt32Type, &result);
    printf("resultNum: %d at index m=%ld\n", (int)result, (long)m);
    // TODO: The rest of the dictionary specifies conditions for evaluation.
    if (result == kSecTrustSettingsResultDeny) {
        untrusted = 1;
    } else if (result == kSecTrustSettingsResultTrustAsRoot) {
        trustAsRoot = 1;
    } else if (result == kSecTrustSettingsResultTrustRoot) {
        trustRoot = 1;
    }
}

Are your trust settings managed by an enterprise or tool by chance? It looks like some tool generated partially invalid policy settings.

I've had to work around this and seen it before. Here's an example plist I've seen in the wild. (Note: it's the same -2147409654 value)

                <dict>
                    <key>kSecTrustSettingsAllowedError</key>
                    <integer>-2147409654</integer>
                    <key>kSecTrustSettingsPolicy</key>
                    <data>
                    KoZIhvdjZAEC
                    </data>
                    <key>kSecTrustSettingsPolicyName</key>
                    <string>basicX509</string>
                    <key>kSecTrustSettingsResult</key>
                    <integer>3</integer>
                </dict>

On those 13-2 certificates I wonder again if the plist/trust policies were generated properly. Just searching for DigiCert SHA2 High Assurance Server CA gives a different cert fingerprint than what your policy has. See: https://crt.sh/?id=2900424 (SHA1 prefix A031C467).

Can you find any of those certificates on crt.sh? https://crt.sh/?a=1

nmiyake commented 6 years ago

Yes, this behavior is on a machine that's managed by a company and uses tools to do so -- something along the way there writing an invalid policy entry is definitely a possibility.

I guess the difference in observed behavior is that most macOS applications (or Apple's cert API itself?) are more lenient on their verification here? Even though strict validation may technically be correct, if it results in an observable difference in behavior between native macOS apps and Go apps with CGo enabled, that still seems like it could be an issue (and I don't really have any good way of knowing how common or uncommon this scenario may be more broadly).

adamdecaf commented 6 years ago

I guess the difference in observed behavior is that most macOS applications (or Apple's cert API itself?) are more lenient on their verification here?

I don't think we've determined that quite yet. Are any of those 13-2 certs not CA's?

I'm reading through the code paths and noticing only the cgo path checks the certificate is a Root CA (by checking Issuer == Subject).

Edit: Yep. I verified a non-ca certificate would show up in a non-cgo call to x509.SystemCertPool().

nmiyake commented 6 years ago

Sorry you're right -- the only place where I know that to be true is for the trustSettings being an empty map (one of those certificates was a CA that was verifying all connections, but wasn't picked up by CGo before the proposed change).

Yes, I think that theory makes sense -- as shown in the UI for the certificates (the last screenshot), all of those certificates seem to be intermediate CAs.

If that's the case, I should probably update my PR to set trustRoot=1 (rather than trustAsRoot=1) so that the post-filtering step still happens -- I think that should eliminate that case of the one extra certificate being present only in CGo after the change (will verify locally now)

Edit: it didn't fix the issue I was seeing because that cert was a root cert (but just expired). However, functionally I think the change is correct, so updated PR.

adamdecaf commented 6 years ago

Yes, I think that theory makes sense -- as shows in the UI for the certificates (the last screenshot), all of those certificates seem to be intermediate CAs.

Good. I think we've tracked down the issues. This shows a difference between the cgo and non-cgo paths in that cgo only captures the Subject == Issuer certificates.

Are you seeing any connection errors from being unable to build a chain? (From these 11 intermediates not being captured?)

Looking at the Unix implementation we aren't checking Subject == Issuer or .IsCA. Perhaps we need to decide if SystemCertPool() should return these intermediate certificates?

adamdecaf commented 6 years ago

@nmiyake Looking through the old CL's I found https://go-review.googlesource.com/c/go/+/64851 (from https://github.com/golang/go/issues/16532).

nmiyake commented 6 years ago

Ah interesting -- so that approach does use trustAsRoot for the certificates with empty entries (rather than trustRoot), so it does add intermediate certs, which this one doesn't after my last update.

The only added certificate that I regularly use with Go is a custom root certificate, so I would not be impacted by this either way. I don't have a strong opinion on whether or not intermediates should be considered as root -- however, I do think it would be nice for this behavior to be consistent (at a minimum between CGo and non-CGo on Darwin, and in an ideal world across all platforms).

If there's a particular test you want me to run around validation with intermediate certs, if you outline it I can give it a stab and update with results.

adamdecaf commented 6 years ago

cc @FiloSottile Do you have thoughts on SystemCertPool() returning intermediate certificates?

nmiyake commented 6 years ago

What's the process to get more eyes on this? Whether it's via my PR or another mechanism, it would be nice to determine a path forward as there are many people on our team who seem to be encountering this issue

dlamotte commented 6 years ago

I might have opened a dupe here #25649. Was having a hard time following this issue thread.

adamdecaf commented 6 years ago

@dlamotte There were a few issues we had to track down in this thread. https://github.com/golang/go/issues/25649 does look like a duplicate as you also expected the cert to be added to the x509.CertPool.

FiloSottile commented 6 years ago

There are multiple issues with our macOS root discovery.

The cgo path is unaware of defaults, documented at https://developer.apple.com/documentation/security/1400261-sectrustsettingscopytrustsetting, so it will omit the following certificate.

Cert 1: mkcert development CA
   Number of trust settings : 0

CL 104735 is an incomplete fix, because if trustSettings are present but don't have a kSecTrustSettingsResult value, it defaults to trustRoot. So it will omit the following certificate.

Cert 1: mkcert development CA
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : SSL

The nocgo path, on the other hand, asks security verify-cert to use the default verification policy, basic, so it will omit the following certificate.

Cert 1: mkcert development CA
   Number of trust settings : 1
   Trust Setting 0:
      Policy OID            : SSL
      Result Type           : kSecTrustSettingsResultTrustRoot

Finally, the cgo path is checking if any policy (ssl or any other explicitly set) has a kSecTrustSettingsResult value (ignoring the defaults, see above), with the last one in the array winning, omitting the following certificate (!!).

Cert 1: mkcert development CA
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : Code Signing
      Result Type           : kSecTrustSettingsResultDeny

And I didn't even get into allowed errors.

It's fairly late in the freeze, but I'm inclined to fix these, and maybe even backport them, because ignoring the policy types can lead to inclusion of roots that are not supposed to be trusted for TLS, and although crypto/x509 is not TLS-specific, it is meant to serve the WebPKI. @agl agree?

@gopherbot please open the backport tracking issues.

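The four keychain shapes FiloSottile lists above reduce to one decision procedure. The Go program below is an added illustration written for this page, not code from the Go repository or from any of the CLs mentioned in this thread. It models the array that SecTrustSettingsCopyTrustSettings returns as plain structs (the real API hands back CFDictionary values, and kSecTrustSettingsAllowedError is not modelled at all), then computes the result that applies to the SSL policy using the defaults from Apple's documentation: no settings at all means "chain to some other trusted root", an empty array means TrustRoot for every policy, and a dictionary without kSecTrustSettingsResult means TrustRoot. The `Keychain`, `TrustSetting`, `sslRootResult` and `includeInSystemPool` names, and the rule that Deny wins when several SSL-applicable dictionaries disagree, are this example's own choices.

```go
package main

import "fmt"

// TrustResult holds a kSecTrustSettingsResult value. The numbering matches the
// constants printed at the top of the macos-roots-test output in this thread.
type TrustResult int32

const (
	ResultInvalid     TrustResult = 0
	ResultTrustRoot   TrustResult = 1
	ResultTrustAsRoot TrustResult = 2
	ResultDeny        TrustResult = 3
	ResultUnspecified TrustResult = 4
)

// TrustSetting is a simplified model of one dictionary in the trust-settings array.
// The policy is reduced to the name that `security dump-trust-settings` prints.
type TrustSetting struct {
	Policy       string      // "" = no policy constraint, applies to every policy
	PolicyString string      // hostname/email constraint; non-empty means not a root-level setting
	HasResult    bool        // whether kSecTrustSettingsResult was present
	Result       TrustResult // only meaningful when HasResult is true
}

// Keychain is what matters about one keychain certificate for this decision.
type Keychain struct {
	HasSettings bool           // false: SecTrustSettingsCopyTrustSettings found nothing
	Settings    []TrustSetting // may be empty even when HasSettings is true
}

// sslRootResult computes the trust result that applies to the SSL policy.
// Dictionaries constrained to another policy (e.g. Code Signing) are skipped, so a
// Code Signing Deny cannot cancel an SSL TrustRoot. If several SSL-applicable
// dictionaries disagree, Deny wins; that conservative merge is this example's choice.
func sslRootResult(k Keychain) TrustResult {
	if !k.HasSettings {
		return ResultUnspecified // must be verified to a known trusted root
	}
	if len(k.Settings) == 0 {
		return ResultTrustRoot // empty array: always trust, for every policy
	}
	result := ResultUnspecified
	for _, s := range k.Settings {
		if s.Policy != "" && s.Policy != "SSL" {
			continue // constrained to a non-SSL policy, irrelevant for TLS
		}
		if s.PolicyString != "" {
			continue // constrained to one hostname, not a root-level decision
		}
		r := ResultTrustRoot // documented default when the result key is absent
		if s.HasResult {
			r = s.Result
		}
		switch {
		case r == ResultDeny:
			return ResultDeny
		case r == ResultTrustRoot || r == ResultTrustAsRoot:
			result = r
		}
	}
	return result
}

// includeInSystemPool is the pool-building decision. TrustAsRoot (a non-self-signed
// anchor) is accepted alongside TrustRoot here, which is one side of the
// "should intermediates be roots" question discussed earlier in the thread.
func includeInSystemPool(k Keychain) bool {
	r := sslRootResult(k)
	return r == ResultTrustRoot || r == ResultTrustAsRoot
}

func main() {
	ssl := func(hasResult bool, r TrustResult) TrustSetting {
		return TrustSetting{Policy: "SSL", HasResult: hasResult, Result: r}
	}
	cs := func(r TrustResult) TrustSetting {
		return TrustSetting{Policy: "Code Signing", HasResult: true, Result: r}
	}
	// Constructed cases mirroring the dump-trust-settings excerpts in this thread.
	cases := []struct {
		name string
		k    Keychain
	}{
		{"0 settings (mkcert default)", Keychain{HasSettings: true}},
		{"SSL, no result key", Keychain{HasSettings: true, Settings: []TrustSetting{ssl(false, 0)}}},
		{"SSL TrustRoot", Keychain{HasSettings: true, Settings: []TrustSetting{ssl(true, ResultTrustRoot)}}},
		{"SSL TrustRoot + Code Signing Deny", Keychain{HasSettings: true, Settings: []TrustSetting{ssl(true, ResultTrustRoot), cs(ResultDeny)}}},
		{"Code Signing TrustRoot only", Keychain{HasSettings: true, Settings: []TrustSetting{cs(ResultTrustRoot)}}},
		{"unconstrained Deny", Keychain{HasSettings: true, Settings: []TrustSetting{ssl(true, ResultDeny), {HasResult: true, Result: ResultDeny}}}},
		{"no trust settings at all", Keychain{}},
	}
	for _, c := range cases {
		fmt.Printf("%-36s result=%d include=%v\n", c.name, sslRootResult(c.k), includeInSystemPool(c.k))
	}
}
```

The "SSL TrustRoot + Code Signing Deny" case is the one the original cgo path got wrong by letting the last dictionary in the array decide regardless of its policy; filtering on policy first resolves it without needing any merge rule.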
gopherbot commented 6 years ago

Backport issue(s) opened: #26039 (for 1.10), #26040 (for 1.9).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://golang.org/wiki/MinorReleases.

adamdecaf commented 6 years ago

@FiloSottile Are you working on any parts of this? I can offer some CLs to improve the situation here.

FiloSottile commented 6 years ago

@adamdecaf I haven't started writing fixes yet. I'd be happy to review instead if you think you can make them by this week. Thanks!

gopherbot commented 6 years ago

Change https://golang.org/cl/121355 mentions this issue: crypto/x509: check darwin keychain policy in cgo path

adamdecaf commented 6 years ago

The nocgo path, on the other hand, asks security verify-cert to use the default verification policy, basic

I brought this up in https://github.com/golang/go/issues/24084 (that issue is a bit messy) are you saying we should be using security verify-cert -p ssl?

FiloSottile commented 6 years ago

Yeah, as a stop-gap in 1.11 let's switch to security verify-cert -p ssl (and fix the cgo path).

gopherbot commented 6 years ago

Change https://golang.org/cl/121675 mentions this issue: crypto/x509: collect keychain certs without explicit usage constraints

adamdecaf commented 6 years ago

@FiloSottile I submitted CLs for the following:

gopherbot commented 6 years ago

Change https://golang.org/cl/125259 mentions this issue: crypto/x509: skip TestSystemRoots

gopherbot commented 6 years ago

Change https://golang.org/cl/128056 mentions this issue: crypto/x509: fix root CA extraction on macOS (cgo path)

gopherbot commented 6 years ago

Change https://golang.org/cl/128116 mentions this issue: crypto/x509: fix root CA extraction on macOS (no-cgo path)

gopherbot commented 6 years ago

Change https://golang.org/cl/128117 mentions this issue: crypto/x509: re-enable TestSystemRoots

FiloSottile commented 6 years ago

This is a hard change to get right, with plenty of edge-cases that will manifest on different systems, so I'm going to ask people to crowdsource testing.

If you have a Mac, please run the following command. It's a packaged version of TestSystemRoots.

go get golang.org/x/exp/cmd/macos-roots-test
"$(go env GOPATH)/bin/macos-roots-test"

If the test passes please just add a :+1: reaction to this comment. (Unless maybe the "non-cgo sys roots" timing is something unacceptable, like 1s+.)

If the test fails, please copy the whole output in a comment here. Do check that there's nothing you consider sensitive in it (it only lists names of certificates in your keychain, which might however include names of S/MIME senders) and if you'd prefer to report privately email filippo at golang.org.

Thank you for helping make 1.11 more reliable!

dadrian commented 6 years ago

crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: dlv-cert returned 1
crypto/x509: X Proto CA returned 1
crypto/x509: radius.umnet.umich.edu returned 4
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=X Proto CA,OU=0x21,O=University of Michigan,L=Ann Arbor,ST=Michigan,C=US
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=dlv-cert: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
crypto/x509: verify-cert approved CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
crypto/x509: verify-cert approved CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
crypto/x509: verify-cert rejected CN=MITLL Root CA,OU=PKI,O=MIT Lincoln Laboratory,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=radius.umnet.umich.edu,OU=Information Technology Services,O=University of Michigan,POSTALCODE=48105-3640,L=Ann Arbor,ST=MI,C=US
crypto/x509: verify-cert approved CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: verify-cert rejected CN=MITLL CA-3,OU=PKI,O=MIT Lincoln Laboratory,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=DigiCert SHA2 Assured ID CA,OU=www.digicert.com,O=DigiCert Inc,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=BlackBerry Enterprise RSA Root CA 1,OU=BlackBerry Enterprise PKI,O=BlackBerry Limited,C=CA: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=BlackBerry Corporate Policy CA 1,OU=BlackBerry Enterprise PKI,O=BlackBerry Limited,C=CA: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Blumenthal.Uri.50010584,OU=People,O=MIT Lincoln Laboratory,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Blumenthal.Uri.50010584,OU=People,O=MIT Lincoln Laboratory,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Dan Brown,OU=AMER+OU=CA+OU=Mississauga+OU=Users: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
crypto/x509: verify-cert approved CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
crypto/x509: verify-cert approved CN=crossproto.local,C=US
crypto/x509: verify-cert rejected CN=BlackBerry Corporate Issuing CA 1: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
crypto/x509: verify-cert approved CN=radius.umnet.umich.edu,OU=Information Technology Services,O=University of Michigan,POSTALCODE=48105-3640,L=Ann Arbor,ST=MI,C=US
crypto/x509: verify-cert approved CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
crypto/x509: verify-cert rejected CN=Blumenthal.Uri.50010584,OU=People,O=MIT Lincoln Laboratory,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=MITLL Root CA,OU=PKI,O=MIT Lincoln Laboratory,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=MITLL CA-3,OU=PKI,O=MIT Lincoln Laboratory,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Blumenthal.Uri.50010584,OU=People,O=MIT Lincoln Laboratory,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: verify-cert rejected CN=DigiCert SHA2 Assured ID CA,OU=www.digicert.com,O=DigiCert Inc,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=BlackBerry Enterprise RSA Root CA 1,OU=BlackBerry Enterprise PKI,O=BlackBerry Limited,C=CA: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Dan Brown,OU=AMER+OU=CA+OU=Mississauga+OU=Users: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=BlackBerry Corporate Policy CA 1,OU=BlackBerry Enterprise PKI,O=BlackBerry Limited,C=CA: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=crossproto.local,C=US
crypto/x509: verify-cert rejected CN=BlackBerry Corporate Issuing CA 1: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: ran security verify-cert 37 times
    cgo sys roots: 133.823855ms
non-cgo sys roots: 797.005592ms
signed certificate only present in non-cgo pool (acceptable): CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=InCommon RSA Server CA,OU=InCommon,O=Internet2,L=Ann Arbor,ST=MI,C=US
signed certificate only present in non-cgo pool (acceptable): CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US
signed certificate only present in non-cgo pool (acceptable): CN=radius.umnet.umich.edu,OU=Information Technology Services,O=University of Michigan,POSTALCODE=48105-3640,L=Ann Arbor,ST=MI,C=US
signed certificate only present in non-cgo pool (acceptable): CN=crossproto.local,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
certificate only present in cgo pool: CN=dlv-cert
Number of trusted certs = 1
Cert 0: radius.umnet.umich.edu
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Number of trusted certs = 2
Cert 0: dlv-cert
   Number of trust settings : 0
Cert 1: X Proto CA
   Number of trust settings : 0

!!! The test failed!

FiloSottile commented 6 years ago

@dadrian iiinteresting "Cert Verify Result: Invalid Extended Key Usage for policy"

I actually have a dlv-cert which works correctly though. Would you mind exporting yours in PEM for me? Thanks!

FiloSottile commented 6 years ago

@dadrian nevermind, I managed to reproduce by giving my dlv-cert a trust setting in the ssl policy.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b9:5d:a5:e5:55:f1:a2:76
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = dlv-cert
        Validity
            Not Before: Jul 24 02:10:39 2017 GMT
            Not After : Jul 22 02:10:39 2027 GMT
        Subject: CN = dlv-cert
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c6:70:d2:f4:07:64:da:80:0c:16:af:ad:f0:c0:
                    76:61:b9:54:42:9f:cc:54:18:03:dc:48:69:04:20:
                    c6:e4:2c:4b:66:b7:a2:e1:38:54:62:9c:34:de:0a:
                    96:2c:d5:21:cf:cd:3d:97:46:4f:7a:64:fc:db:a0:
                    55:2c:0e:09:9e:f7:59:6b:dc:ab:7c:08:80:96:c1:
                    92:bb:e2:da:96:af:af:cc:dc:82:b4:76:df:61:77:
                    14:e3:e4:17:86:5a:c9:63:ac:a6:bf:38:ac:57:eb:
                    37:58:33:a9:4e:14:4e:91:52:25:be:52:20:13:a9:
                    ad:d3:b1:c1:30:18:80:5c:85:82:f4:f9:73:96:2c:
                    0e:69:3c:1d:2e:00:48:8a:ab:73:ae:87:87:6a:73:
                    b3:5e:2e:e0:5b:b5:92:54:35:d0:72:bf:8d:f3:bc:
                    6f:9d:00:0d:79:44:83:67:01:f9:43:87:ba:99:52:
                    4c:de:4e:a1:d9:2e:7d:f1:72:2f:8e:d6:50:2c:35:
                    ca:bc:74:cf:12:85:6e:47:e0:4f:2a:10:be:a0:7f:
                    37:f3:3d:ed:1d:6a:fb:dd:54:98:93:e6:5d:96:05:
                    7f:bb:3d:b9:1d:55:53:63:f4:1c:76:63:be:9e:a5:
                    39:99:ac:64:82:d8:bf:c7:58:09:a0:7c:0a:5e:04:
                    46:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                Code Signing
    Signature Algorithm: sha512WithRSAEncryption
         1f:d0:01:24:30:96:90:30:16:56:9e:ae:65:0f:6e:98:bc:4c:
         f3:a8:e5:54:f5:00:30:64:a0:7a:ef:1d:96:28:41:6b:b3:fa:
         a8:21:1f:6b:7e:d1:d6:b3:99:47:de:2f:66:b3:16:79:b2:70:
         79:3d:e5:77:70:c4:93:b2:b2:2f:bb:ff:b6:7f:7d:71:1d:8e:
         70:4e:ec:fe:5f:37:f5:6e:43:2b:b2:a1:fd:8d:23:6a:33:a6:
         d0:d4:25:bc:22:70:a6:eb:83:94:71:43:06:a0:d0:3e:5b:94:
         b1:04:40:d5:32:aa:a8:e6:b4:d6:54:9f:5b:c8:c2:49:fb:d3:
         cc:a3:78:fa:03:a3:76:53:0b:68:86:83:6f:2f:f6:e6:8a:91:
         d1:5b:7a:89:bc:95:f3:a9:b0:5c:61:5b:b7:cb:8e:43:d7:d5:
         9a:ff:75:82:a9:fa:b2:86:84:c0:80:99:bc:72:04:72:4d:23:
         a0:92:11:d9:4e:7a:ab:eb:d9:1b:ca:bd:64:cb:9c:25:c3:57:
         b6:59:bf:bd:a2:01:39:cf:e8:47:87:bd:5c:95:e7:15:ea:1e:
         a1:e0:5a:7a:14:9e:ef:f7:7f:6c:57:2e:7a:fd:1a:fd:eb:ce:
         6d:33:b4:6b:b0:2c:08:36:0d:2e:2c:e3:40:ce:a4:3f:a2:b3:
         7a:c6:cb:1b
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

This is a side-effect of using verify-cert for something it's not meant for, as I don't think macOS actually cares about EKU nesting into the root. We do, so we could just remove roots with inappropriate EKUs as we would never accept chains to them, but our Verify API lets you specify different EKUs, so this is a matter of how strictly WebPKI-oriented we want to be.

bradfitz commented 6 years ago

$ sw_vers 
ProductName:    Mac OS X
ProductVersion: 10.13.2
BuildVersion:   17C205

$ macos-roots-test 
crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: AddTrust Class 1 CA Root returned 3
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE: "SecTrustEvaluate result: kSecTrustResultDeny"
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.4f7178494d417a614c6e4c6476336a747664566c62773d3d: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.4f7178494d417a614c6e4c6476336a747664566c62773d3d: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.4f7178494d417a614c6e4c6476336a747664566c62773d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=iPhone Developer: brad@danga.com (3DDKMG48AG),OU=5X59Y54MZ3,O=Bradley Fitzpatrick,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.4f7178494d417a614c6e4c6476336a747664566c62773d3d: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.4f7178494d417a614c6e4c6476336a747664566c62773d3d: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=iPhone Developer: brad@danga.com (3DDKMG48AG),OU=5X59Y54MZ3,O=Bradley Fitzpatrick,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.4f7178494d417a614c6e4c6476336a747664566c62773d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert approved CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=com.apple.idms.appleid.prd.001436-05-b7d5c08c-921d-4270-a77b-e4910fb6bc6b
crypto/x509: verify-cert approved CN=com.apple.idms.appleid.prd.001436-05-b7d5c08c-921d-4270-a77b-e4910fb6bc6b
crypto/x509: ran security verify-cert 18 times
    cgo sys roots: 127.283497ms
non-cgo sys roots: 387.512736ms
signed certificate only present in non-cgo pool (acceptable): CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=com.apple.idms.appleid.prd.001436-05-b7d5c08c-921d-4270-a77b-e4910fb6bc6b
certificate only present in non-cgo pool: CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE (verify error: x509: certificate signed by unknown authority)
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
SecTrustSettingsCopyCertificates: No Trust Settings were found.
Number of trusted certs = 1
Cert 0: AddTrust Class 1 CA Root
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultDeny
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultDeny

!!! The test failed!

martisch commented 6 years ago

Thanks. I get a lot of output and then "The test passed, no need to report the output. Thank you."

FiloSottile commented 6 years ago

There's an issue similar to the EKUs one with expired certificates (reported privately).

"Cert Verify Result: CSSMERR_TP_CERT_EXPIRED" by verify-cert, accepted by cgo.

Also, definitely need to apply the optimization from https://go-review.googlesource.com/c/go/+/128116#message-82860fc087cfeff46d4c6b8f986d5cdbcbb2bc96

crypto/x509: ran security verify-cert 2012 times
    cgo sys roots: 180.338828ms
non-cgo sys roots: 15.147515201s
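
The two verify-cert disagreements in this thread, a root whose EKU is Code Signing only (the dlv-cert dumped above) and an expired root (the CSSMERR_TP_CERT_EXPIRED case just mentioned), are both anchors that crypto/x509 itself would never accept for a TLS chain. The Go program below is an added example written for this page, not code from the Go repository or from any CL in this thread: it mints throwaway certificates in memory (no keychain involved), shows `Verify` rejecting a server chain anchored at each kind of root, and includes a `usableTLSRoot` pre-filter of the kind FiloSottile floats when he says roots with inappropriate EKUs could simply be dropped because no chain to them would verify. The helper names, the `example.test` hostname and the fixed clock are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// fixedNow pins the verification clock so the expired-root scenario is deterministic.
var fixedNow = time.Date(2018, 7, 30, 12, 0, 0, 0, time.UTC)

// newSelfSignedCA mints a self-signed CA in memory. The EKU list and validity window are
// parameters so a caller can reproduce a Code Signing-only root (like dlv-cert) or an
// expired one. Constructed test material, not a certificate from any real keychain.
func newSelfSignedCA(cn string, ekus []x509.ExtKeyUsage, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           ekus, // nil leaves the EKU extension out entirely
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerLeaf issues a serverAuth certificate for host from ca, valid around fixedNow.
func newServerLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    fixedNow.Add(-time.Hour),
		NotAfter:     fixedNow.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// usableTLSRoot is the pre-filter: a root outside its validity period, or one whose EKU
// extension is present but allows neither serverAuth nor anyExtendedKeyUsage, can never
// anchor a TLS server chain in crypto/x509, so there is no point adding it to the pool.
func usableTLSRoot(c *x509.Certificate, now time.Time) error {
	if now.Before(c.NotBefore) || now.After(c.NotAfter) {
		return errors.New("root is expired or not yet valid")
	}
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return nil // no EKU extension: unrestricted
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageAny {
			return nil
		}
	}
	return errors.New("root EKU does not permit serverAuth")
}

// scenario builds a root of the requested kind ("ok", "codesigning" or "expired"), issues
// a server leaf from it, and returns the pre-filter verdict and crypto/x509's Verify verdict.
func scenario(kind string) (filterErr, verifyErr error) {
	var ekus []x509.ExtKeyUsage
	notBefore, notAfter := fixedNow.Add(-24*time.Hour), fixedNow.Add(365*24*time.Hour)
	switch kind {
	case "codesigning":
		ekus = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	case "expired":
		notBefore, notAfter = fixedNow.Add(-2*365*24*time.Hour), fixedNow.Add(-24*time.Hour)
	}
	ca, caKey, err := newSelfSignedCA("test root for "+kind, ekus, notBefore, notAfter)
	if err != nil {
		return err, err
	}
	leaf, err := newServerLeaf("example.test", ca, caKey)
	if err != nil {
		return err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, verifyErr = leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     "example.test",
		CurrentTime: fixedNow,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return usableTLSRoot(ca, fixedNow), verifyErr
}

func main() {
	for _, kind := range []string{"ok", "codesigning", "expired"} {
		f, v := scenario(kind)
		fmt.Printf("%-12s pre-filter: %v\n%-12s Verify:     %v\n", kind, f, "", v)
	}
}
```

Only the "ok" root passes both checks; crypto/x509 walks EKU constraints and validity down to the anchor itself, which is exactly why verify-cert's "Invalid Extended Key Usage for policy" and CSSMERR_TP_CERT_EXPIRED rejections line up with what Go would do anyway. Whether that pre-filter belongs in SystemCertPool is the open question in the thread, since Verify lets callers ask for other key usages.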

josharian commented 6 years ago

@FiloSottile is it important to use 1.11 to 'go get' the package? I just realized I accidentally used 1.10 without thinking about it, and I might not be alone.

FiloSottile commented 6 years ago

@josharian Not a problem, this should work with both 1.10 and 1.11.

vdemario commented 6 years ago

crypto/x509: kSecTrustSettingsResultInvalid = 0
crypto/x509: kSecTrustSettingsResultTrustRoot = 1
crypto/x509: kSecTrustSettingsResultTrustAsRoot = 2
crypto/x509: kSecTrustSettingsResultDeny = 3
crypto/x509: kSecTrustSettingsResultUnspecified = 4
crypto/x509: dlv-cert returned 1
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=dlv-cert: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: ran security verify-cert 4 times
    cgo sys roots: 213.325029ms
non-cgo sys roots: 186.922833ms
signed certificate only present in non-cgo pool (acceptable): CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
certificate only present in cgo pool: CN=dlv-cert
SecTrustSettingsCopyCertificates: No Trust Settings were found.
Number of trusted certs = 1
Cert 0: dlv-cert
   Number of trust settings : 0

!!! The test failed!
calmh commented 6 years ago

Test Results
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=com.apple.systemdefault,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.kerberos.kdc,O=System Identity: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.2f3254377273324b6b456f78644b335456566b7149673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=brian.bennett@joyent.com: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=GlobalSign PersonalSign Partners CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
crypto/x509: verify-cert rejected CN=StartCom Class 1 Client CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=GlobalSign HV S/MIME CA 1,O=GlobalSign nv-sa,C=BE: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
crypto/x509: verify-cert approved CN=COMODO RSA Client Authentication and Secure Email CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
crypto/x509: verify-cert approved CN=UHH CA - G02,OU=Regionales Rechenzentrum,O=Universitaet Hamburg,L=Hamburg,ST=Hamburg,C=DE
crypto/x509: verify-cert approved CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
crypto/x509: verify-cert rejected CN=Thomas Orgis,OU=RRZ+OU=Basis-Infrastruktur+OU=HPC,O=Universitaet Hamburg,L=Hamburg,ST=Hamburg,C=DE: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Entrust Class 1 Client CA,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2010 Entrust\, Inc.,O=Entrust\, Inc.,C=US
crypto/x509: verify-cert rejected CN=jason.brian.king@gmail.com,OU=Persona Not Validated+OU=Entrust Class 1 Identity Certification Service: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=AIT DSS root CA,OU=Center for Digital Safety & Security,O=AIT Austrian Institute of Technology GmbH,L=Vienna,ST=Vienna,C=AT: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Roman Fiedler,OU=Center for Digital Safety & Security,O=AIT Austrian Institute of Technology GmbH,L=Vienna,ST=Vienna,C=AT: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Shawn Taikratoke's CA,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Michele Codutti,OU=Developers,O=Innova S.p.A.,C=IT: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=COMODO SHA-256 Client Authentication and Secure Email CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jonathan Prescott,OU=MySelf,O=Self,L=Durham,ST=NC,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=COMODO Client Authentication and Secure Email CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Roman Fiedler,OU=Issued through AIT Austrian Institute of Technology GmbH E-PKI M+OU=Corporate Secure Email,O=AIT Austrian Institute of Technology GmbH,POSTALCODE=1220,STREET=Donau-City-Strase 1tech/Gate,L=Wien,ST=Wien,C=AT: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=rasky@develer.com: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=chrisridd@mac.com: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Uni-Konstanz CA-S001,O=Uni-Konstanz,C=DE
crypto/x509: verify-cert rejected CN=Jens Erat,O=Universitaet Konstanz,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected SERIALNUMBER=0010000000012089960000,CN=Lubomir Stroetmann,OU=Zertifikate,O=softScheck GmbH,L=Sankt Augustin,ST=NRW,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Signtrust CERT Root CA 3:PN,O=SCA Deutsche Post Com GmbH,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Signtrust CERT Class 2 CA 6:PN,O=SCA Deutsche Post Com GmbH,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Class 1 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Karl Denninger (OCSP),O=Cuda Systems LLC,ST=Florida,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=StartCom Class 1 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=brian.bennett@joyent.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=StartCom Class 2 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Omen Wild,L=Davis,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Christopher Ferebee,L=Frankfurt,ST=Hessen,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=eric@ripa.io: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=marco@peereboom.us: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Karl Denninger,ST=Florida,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=brian.bennett@joyent.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=atl@alum.mit.edu: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Coy Hile,O=Coy Hile Labs,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=wuvist@gmail.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=johns@sstar.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert approved CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
crypto/x509: verify-cert rejected CN=cf@ferebee.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jiang Bian,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=alexander@neilson.net.nz: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert approved CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: verify-cert rejected CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Leo Vegoda,OU=IANA,O=Internet Corporation for Assigned Names and Numbers,L=Marina del Rey,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=danny@danysek.cz: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Babak Pasdar: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Christopher Ferebee,L=Frankfurt,ST=Hessen,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=jhellenthal@dataix.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=mdavids@forfun.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=bketelsen@gmail.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=StartCom Class 1 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Omen Wild,L=Davis,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=alter3d@alter3d.ca: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Dylan Humphreys,O=Comodo Group Inc.,POSTALCODE=07013,STREET=Suite 100+STREET=1255 Broad St.,L=Clifton,ST=NJ,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=diogomfranco@gmail.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Barbara Roseman,OU=IANA,O=Internet Corporation for Assigned Names and Numbers,L=Marina del Rey,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thomas Schmid,OU=Geschaeftsstelle,O=DFN-Verein,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=DFN-Verein-GS-CA - G02,OU=Geschaeftsstelle,O=DFN-Verein,C=DE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=derek@derekivey.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=brandon@bitradius.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Thomas York,L=Beech Grove,ST=Indiana,C=US: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=johnl@iecc.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert approved CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU=VeriSign Trust Network+OU=(c) 1999 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
crypto/x509: verify-cert rejected CN=Symantec Class 1 Individual Subscriber CA - G4,OU=Symantec Trust Network+OU=Persona Not Validated,O=Symantec Corporation,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Persona Not Validated - 1364333321083,OU=S/MIME+OU=Persona Not Validated+OU=Symantec Trust Network,O=Symantec Corporation: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=mdavids@forfun.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Jason Matthews,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Peter Kristolaitis,L=Ottawa,ST=Ontario,C=CA: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=ioagel@gmail.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Fredrik,O=Mekk,C=SE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=jan-peter@koopmann.eu: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Matthew Huff,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Microsoft Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=heinz@licenser.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Sebastian Abt,OU=Fachbereich Informatik,O=Hochschule Darmstadt,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Hochschule Darmstadt,O=Hochschule Darmstadt,L=Darmstadt,C=DE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=IFW Dresden CA,O=IFW Dresden e.V.,L=Dresden,ST=Sachsen,C=DE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Henri Wahl,O=IFW Dresden e.V.,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Marc Storck,O=voipGATE S.A.,L=Leudelange,ST=Luxembourg,C=LU: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=BROERSMA.RONALD.L.1231556954,OU=DoD+OU=PKI+OU=USN,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=BROERSMA.RONALD.L.1231556954,OU=DoD+OU=PKI+OU=USN,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=DOD EMAIL CA-23,OU=DoD+OU=PKI,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=roger.jorgensen.no,OU=NextGen6 Network,O=NextGen6,ST=Troms,C=NO: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
crypto/x509: verify-cert rejected CN=SwissSign Personal Silver CA 2008 - G2,O=SwissSign AG,C=CH: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=meirea@charterschoolit.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=g.vlachos@kestrel-is.gr: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected SERIALNUMBER=37,CN=Arturo Servin,OU=Internet,O=LACNIC Certification Authority,C=UY: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Alex Band,OU=accounts+OU=Training: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=alan.batie@peakinternet.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Ole Tr�an,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=frnkblk@iname.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Payam Poursaied,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=BROERSMA.RONALD.L.0202364685,OU=DOD+OU=PKI+OU=USN,O=U.S. GOVERNMENT,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=Florian Forster: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=BROERSMA.RONALD.L.0202364685,OU=DOD+OU=PKI+OU=USN,O=U.S. GOVERNMENT,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=DOD EMAIL CA-17,OU=DoD+OU=PKI,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jens Weibler,OU=Fachbereich Informatik,O=Hochschule Darmstadt,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Gert Doering,OU=users,O=SpaceNet AG,L=Munich,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=SpaceNet Root CA 1,OU=SpaceNet Trust Center,O=SpaceNet AG,L=Munich,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=SpaceNet Root CA 2 Research,OU=Research,O=SpaceNet AG,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=SpaceNet Root CA 2 Technik,OU=Technik,O=SpaceNet AG,L=Munich,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=SpaceNet Level2 CA,OU=Zwischenzertifizierung,O=SpaceNet AG,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SpaceNet Root CA,OU=Zertifizierungsstelle,O=SpaceNet AG,L=Munich,C=DE: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected SERIALNUMBER=CVR:26769388-UID:1259073459558,CN=IT- og Telestyrelsen - Beredskabsserkretariatet,O=IT- og Telestyrelsen // CVR:26769388,C=DK: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Dyonisius Visser,O=TERENA,C=NL: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=TERENA Personal CA,O=TERENA,C=NL: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Kaj J. Niemi,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Cutler James Rusling,L=Plymouth,ST=Michigan,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected SERIALNUMBER=CVR:29283958-RID:11056922,CN=Lasse Birnbaum Jensen,O=Syddansk Universitet // CVR:29283958,C=DK: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=xiaoyuCA111008,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Chad D. Burnham,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Owen DeLong,OU=Person,O=DeLong Consulting,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Windows Phone 7 Connector,OU=Windows Phone,O=Microsoft,ST=Washington,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Joe Gersch,O=Secure64 Software Corporation,ST=CO,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Sander Steffann,O=SJM Steffann,L=Apeldoorn,C=NL: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=DoD Root CA 2,OU=DoD+OU=PKI,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=CASSELL.JAMES.D.1230150970,OU=DoD+OU=PKI+OU=DISA,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=CASSELL.JAMES.D.1230150970,OU=DoD+OU=PKI+OU=DISA,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=Kaj J. Niemi,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=DOD EMAIL CA-19,OU=DoD+OU=PKI,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Gert Doering,OU=users,O=SpaceNet AG,L=Munich,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Dyonisius Visser,O=TERENA,C=NL: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Mark Elkins,OU=StartCom Verified Certificate Member,O=Posix Systems (PTY) Ltd.,L=Pretoria,ST=Gauteng,C=ZA: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=StartCom Class 2 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jan Dirnberger,OU=users,O=SpaceNet AG,L=Munich,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jon Thomas Radel: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thomas Schmid,OU=Geschaeftsstelle,O=DFN-Verein,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Trusted Introducer (TI) Client CA - G001,OU=Certification Authority,O=Trusted Introducer (TI),C=NL: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Neil Long,OU=Team Cymru,O=Trusted Introducer,C=NL: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Arien Vijn: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Phillip Heller,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Sprint Nextel Root Authority,OU=Copyright (c) 2007+OU=Sprint Nextel: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=劉培文,OU=ICST+OU=Provided by Global Digital Inc.+OU=GlobalTrust - Personal vaildate class 1,O=Institute for Information Industry,C=TW: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Sprint Nextel Enterprise Issuing 1 Authority: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jan Tuomi,OU=StartCom Verified Certificate Member,L=Norrkoping,ST=Ostergotlands,C=SE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Sprint Nextel Enterprise Intermediate 1 Authority,OU=Copyright (c) 2007+OU=Sprint Nextel: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Wesley E George IV,OU=Domain Users+OU=Standard: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Tero Toikkanen,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Lars Eggert,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Brooks Bridges,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Alex Band,OU=TS,O=RIPE NCC,ST=Noord-Holland,C=NL: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Arjan van der Oest,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=GeoTrust True Credentials CA 2,O=GeoTrust Inc.,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Wesley E George IV,OU=Domain Users+OU=Managed+OU=Standard-Technical: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=ghislain adnet,OU=CPS terms incorporated by reference liability limited.+OU=See Public S/MIME CPS www.geotrust.com/resources/CPS.+OU=Phone Validation - 33 663792738+OU=Email and phone validated only.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jason Bertoch,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jason Schwarz,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CNRS2-Standard,O=CNRS,C=FR: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Bernard Tuy,OU=UPS836,O=CNRS,C=FR: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=George Carey's CA,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Patrik Wallstr�m: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Patrik Wallstr�m: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Maik Heinrich: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Ulrich Kiermayr,O=Universitaet Wien,C=AT: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Vinny Abello,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)05+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Andrew Lange,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Alan Batie,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Roque Gagliano,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Lars Eggert: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Brooks Bridges,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=James Burwell,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Shaun Ewing,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected OU=Class 2 Public Primary Certification Authority - G2+OU=(c) 1998 VeriSign\, Inc. - For authorized use only+OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=The University of Texas Health Science Center at Houston CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)99+OU=Class 2 CA - OnSite Individual Subscriber,O=The University of Texas System: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=William Murphy,OU=Health Science Center at Houston CA+OU=www.verisign.com/repository/CPS Incorp. by Ref.\,LIAB.LTD(c)99,O=The University of Texas System: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Chris Campbell,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jason Gurtz,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jon Thomas Radel: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)05+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Hans Goes,OU=IT4W&O Fullfillment Beheer 1,O=KPN Telecom B.V.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Mathias Seiler,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=KPN Telecom e-wholesale G2,O=KPN Telecom B.V.,C=NL: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=vpn.dnssec-example.com,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Hans Goes,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=WK - VPN Cert,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jose Xavier,OU=Bancos,O=TelcoNet S.A.,STREET=Kennedy Norte Mz 109 Solar 21,L=Guayaquil,ST=Guayas,C=EC: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=E.ON Group CA V2,OU=CA,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=E.ON Sverige AB Sub CA V2,OU=CA,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected SERIALNUMBER=A16754,CN=Anna Borg,OU=E.ON Sverige AB,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Jonathan Bishop: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Kazar Root CA,OU=CA Division,O=Association Kazar,L=Paris,ST=Paris,C=FR: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Matthwe Huff,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Microsoft Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Yaron Sheffer,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected SERIALNUMBER=A16754,CN=Anna Borg,OU=E.ON Sverige AB,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Chad Burnham: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Alan Batie: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved SERIALNUMBER=CVR:25775635-UID:1105357707258,CN=Forsvarsministeriet Departementet - Forsvarsministeriet,O=Forsvarsministeriet Departementet // CVR:25775635,C=DK
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=flk1.kastelo.net: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: verify-cert rejected CN=UniFi,OU=UniFi,O=ubnt.com,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Kastelo AB,O=Kastelo AB,POSTALCODE=23635,STREET=Prästkragevägen 23,L=Höllviken,ST=Skåne,C=SE: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=GlobalSign PersonalSign 2 CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=Jeffrey Paul Goldberg,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.2f3254377273324b6b456f78644b335456566b7149673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected SERIALNUMBER=A16754,CN=Anna Borg,OU=E.ON Sverige AB,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=Apple iPhone Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Apple iPhone OS Provisioning Profile Signing,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Apple Root Certificate Authority,OU=Apple Computer Certificate Authority,O=Apple Computer\, Inc.,C=US
crypto/x509: verify-cert approved CN=mitmproxy,O=mitmproxy
crypto/x509: verify-cert rejected CN=unu.kastelo.net: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SEC Consult Vulnerability Lab,OU=Issued through SEC Consult Unternehmensberatung GmbH E-PKI Manag+OU=Corporate Secure Email,O=SEC Consult Unternehmensberatung GmbH,POSTALCODE=2700,STREET=Komarigasse 14/1,L=Wr. Neustadt,ST=Niederoesterreich,C=AT: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=iPhone Developer: Jakob Borg (K53FH4XY4G),OU=F3H4GR3D3C,O=ASFT Industries AB,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=iPhone Distribution: ASFT Industries AB (F3H4GR3D3C),OU=F3H4GR3D3C,O=ASFT Industries AB,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=iPhone Developer: Jakob Borg (544PYLHCNP),OU=5SZSCASWC4,O=Distributed Medical AB,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=Oracle Integrated Lights Out Manager,O=Oracle America\, Inc.,L=Redwood Shores,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=com.apple.idms.appleid.prd.001690-05-4d1473ca-c1d6-4fb9-aaa2-1abed4dfc7ac
crypto/x509: verify-cert rejected CN=iPhone Developer: Jakob Borg (TDGVNCLG6S),OU=LQE5SYM783,O=Kastelo AB,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=Posta Certificata ARUBA PEC,O=Aruba PEC S.p.A.,L=Ponte San Pietro,ST=Bergamo,C=IT: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=AgID CA1,OU=Area Soluzioni per la Pubblica Amministrazione,O=Agenzia per l'Italia Digitale,L=Roma,C=IT
crypto/x509: verify-cert rejected CN=UniFi,OU=UniFi,O=ubnt.com,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=fsn1: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected : "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected : "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=Developer ID Application: Jakob Borg (LQE5SYM783),OU=LQE5SYM783,O=Jakob Borg,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.2f3254377273324b6b456f78644b335456566b7149673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=StartCom Class 1 Client CA,OU=StartCom Certification Authority,O=StartCom Ltd.,C=IL: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=brian.bennett@joyent.com: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=GlobalSign HV S/MIME CA 1,O=GlobalSign nv-sa,C=BE: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=GlobalSign PersonalSign Partners CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
crypto/x509: verify-cert approved CN=GlobalSign,OU=GlobalSign Root CA - R3,O=GlobalSign
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=COMODO RSA Client Authentication and Secure Email CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: verify-cert approved CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
crypto/x509: verify-cert approved CN=UHH CA - G02,OU=Regionales Rechenzentrum,O=Universitaet Hamburg,L=Hamburg,ST=Hamburg,C=DE
crypto/x509: verify-cert approved CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE
crypto/x509: verify-cert rejected CN=Thomas Orgis,OU=RRZ+OU=Basis-Infrastruktur+OU=HPC,O=Universitaet Hamburg,L=Hamburg,ST=Hamburg,C=DE: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Entrust Class 1 Client CA,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2010 Entrust\, Inc.,O=Entrust\, Inc.,C=US
crypto/x509: verify-cert rejected CN=jason.brian.king@gmail.com,OU=Persona Not Validated+OU=Entrust Class 1 Identity Certification Service: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=AIT DSS root CA,OU=Center for Digital Safety & Security,O=AIT Austrian Institute of Technology GmbH,L=Vienna,ST=Vienna,C=AT: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Roman Fiedler,OU=Center for Digital Safety & Security,O=AIT Austrian Institute of Technology GmbH,L=Vienna,ST=Vienna,C=AT: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Shawn Taikratoke's CA,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Michele Codutti,OU=Developers,O=Innova S.p.A.,C=IT: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=COMODO SHA-256 Client Authentication and Secure Email CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jonathan Prescott,OU=MySelf,O=Self,L=Durham,ST=NC,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=COMODO Client Authentication and Secure Email CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Roman Fiedler,OU=Issued through AIT Austrian Institute of Technology GmbH E-PKI M+OU=Corporate Secure Email,O=AIT Austrian Institute of Technology GmbH,POSTALCODE=1220,STREET=Donau-City-Strase 1tech/Gate,L=Wien,ST=Wien,C=AT: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=rasky@develer.com: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=chrisridd@mac.com: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Uni-Konstanz CA-S001,O=Uni-Konstanz,C=DE
crypto/x509: verify-cert rejected CN=Jens Erat,O=Universitaet Konstanz,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected SERIALNUMBER=0010000000012089960000,CN=Lubomir Stroetmann,OU=Zertifikate,O=softScheck GmbH,L=Sankt Augustin,ST=NRW,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Signtrust CERT Class 2 CA 6:PN,O=SCA Deutsche Post Com GmbH,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Signtrust CERT Root CA 3:PN,O=SCA Deutsche Post Com GmbH,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert approved CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Class 1 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=StartCom Class 1 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=brian.bennett@joyent.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Karl Denninger (OCSP),O=Cuda Systems LLC,ST=Florida,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=StartCom Class 2 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Omen Wild,L=Davis,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Christopher Ferebee,L=Frankfurt,ST=Hessen,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=eric@ripa.io: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=marco@peereboom.us: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Karl Denninger,ST=Florida,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=brian.bennett@joyent.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=atl@alum.mit.edu: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Coy Hile,O=Coy Hile Labs,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=wuvist@gmail.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert approved CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL
crypto/x509: verify-cert rejected CN=johns@sstar.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=cf@ferebee.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jiang Bian,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=alexander@neilson.net.nz: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert approved CN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
crypto/x509: verify-cert rejected CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Leo Vegoda,OU=IANA,O=Internet Corporation for Assigned Names and Numbers,L=Marina del Rey,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=danny@danysek.cz: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Babak Pasdar: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Christopher Ferebee,L=Frankfurt,ST=Hessen,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=jhellenthal@dataix.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=mdavids@forfun.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=bketelsen@gmail.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=StartCom Class 1 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Omen Wild,L=Davis,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=alter3d@alter3d.ca: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Dylan Humphreys,O=Comodo Group Inc.,POSTALCODE=07013,STREET=Suite 100+STREET=1255 Broad St.,L=Clifton,ST=NJ,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=DigiCert Assured ID CA-1,OU=www.digicert.com,O=DigiCert Inc,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=diogomfranco@gmail.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=UTN-USERFirst-Client Authentication and Email,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Barbara Roseman,OU=IANA,O=Internet Corporation for Assigned Names and Numbers,L=Marina del Rey,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=DFN-Verein-GS-CA - G02,OU=Geschaeftsstelle,O=DFN-Verein,C=DE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Thomas Schmid,OU=Geschaeftsstelle,O=DFN-Verein,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=derek@derekivey.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=brandon@bitradius.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=johnl@iecc.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Thomas York,L=Beech Grove,ST=Indiana,C=US: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert approved CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU=VeriSign Trust Network+OU=(c) 1999 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
crypto/x509: verify-cert rejected CN=Symantec Class 1 Individual Subscriber CA - G4,OU=Symantec Trust Network+OU=Persona Not Validated,O=Symantec Corporation,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Persona Not Validated - 1364333321083,OU=S/MIME+OU=Persona Not Validated+OU=Symantec Trust Network,O=Symantec Corporation: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=mdavids@forfun.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)09+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Peter Kristolaitis,L=Ottawa,ST=Ontario,C=CA: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=ioagel@gmail.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Fredrik,O=Mekk,C=SE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=jan-peter@koopmann.eu: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Matthew Huff,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Microsoft Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=heinz@licenser.net: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Sebastian Abt,OU=Fachbereich Informatik,O=Hochschule Darmstadt,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jason Matthews,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Hochschule Darmstadt,O=Hochschule Darmstadt,L=Darmstadt,C=DE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=IFW Dresden CA,O=IFW Dresden e.V.,L=Dresden,ST=Sachsen,C=DE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Henri Wahl,O=IFW Dresden e.V.,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Marc Storck,O=voipGATE S.A.,L=Leudelange,ST=Luxembourg,C=LU: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=BROERSMA.RONALD.L.1231556954,OU=DoD+OU=PKI+OU=USN,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=BROERSMA.RONALD.L.1231556954,OU=DoD+OU=PKI+OU=USN,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=DOD EMAIL CA-23,OU=DoD+OU=PKI,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=Ole Tr�an,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=roger.jorgensen.no,OU=NextGen6 Network,O=NextGen6,ST=Troms,C=NO: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=SwissSign Silver CA - G2,O=SwissSign AG,C=CH
crypto/x509: verify-cert rejected CN=SwissSign Personal Silver CA 2008 - G2,O=SwissSign AG,C=CH: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=meirea@charterschoolit.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected SERIALNUMBER=37,CN=Arturo Servin,OU=Internet,O=LACNIC Certification Authority,C=UY: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=g.vlachos@kestrel-is.gr: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Alex Band,OU=accounts+OU=Training: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=alan.batie@peakinternet.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=frnkblk@iname.com: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=BROERSMA.RONALD.L.0202364685,OU=DOD+OU=PKI+OU=USN,O=U.S. GOVERNMENT,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=Payam Poursaied,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=BROERSMA.RONALD.L.0202364685,OU=DOD+OU=PKI+OU=USN,O=U.S. GOVERNMENT,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=DOD EMAIL CA-17,OU=DoD+OU=PKI,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Florian Forster: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jens Weibler,OU=Fachbereich Informatik,O=Hochschule Darmstadt,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Gert Doering,OU=users,O=SpaceNet AG,L=Munich,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=SpaceNet Root CA 1,OU=SpaceNet Trust Center,O=SpaceNet AG,L=Munich,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=SpaceNet Root CA 2 Research,OU=Research,O=SpaceNet AG,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=SpaceNet Root CA 2 Technik,OU=Technik,O=SpaceNet AG,L=Munich,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=SpaceNet Level2 CA,OU=Zwischenzertifizierung,O=SpaceNet AG,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SpaceNet Root CA,OU=Zertifizierungsstelle,O=SpaceNet AG,L=Munich,C=DE: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected SERIALNUMBER=CVR:26769388-UID:1259073459558,CN=IT- og Telestyrelsen - Beredskabsserkretariatet,O=IT- og Telestyrelsen // CVR:26769388,C=DK: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Dyonisius Visser,O=TERENA,C=NL: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=TERENA Personal CA,O=TERENA,C=NL: "Cert Verify Result: CSSMERR_CSP_INVALID_DIGEST_ALGORITHM"
crypto/x509: verify-cert rejected CN=Kaj J. Niemi,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Kaj J. Niemi,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Cutler James Rusling,L=Plymouth,ST=Michigan,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected SERIALNUMBER=CVR:29283958-RID:11056922,CN=Lasse Birnbaum Jensen,O=Syddansk Universitet // CVR:29283958,C=DK: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=xiaoyuCA111008,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Chad D. Burnham,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Owen DeLong,OU=Person,O=DeLong Consulting,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Windows Phone 7 Connector,OU=Windows Phone,O=Microsoft,ST=Washington,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Joe Gersch,O=Secure64 Software Corporation,ST=CO,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Sander Steffann,O=SJM Steffann,L=Apeldoorn,C=NL: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=DoD Root CA 2,OU=DoD+OU=PKI,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=CASSELL.JAMES.D.1230150970,OU=DoD+OU=PKI+OU=DISA,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=CASSELL.JAMES.D.1230150970,OU=DoD+OU=PKI+OU=DISA,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=DOD EMAIL CA-19,OU=DoD+OU=PKI,O=U.S. Government,C=US: "Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE"
crypto/x509: verify-cert rejected CN=Dyonisius Visser,O=TERENA,C=NL: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Gert Doering,OU=users,O=SpaceNet AG,L=Munich,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Mark Elkins,OU=StartCom Verified Certificate Member,O=Posix Systems (PTY) Ltd.,L=Pretoria,ST=Gauteng,C=ZA: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=StartCom Class 2 Primary Intermediate Client CA,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jan Dirnberger,OU=users,O=SpaceNet AG,L=Munich,ST=sp1,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thomas Schmid,OU=Geschaeftsstelle,O=DFN-Verein,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jon Thomas Radel: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Trusted Introducer (TI) Client CA - G001,OU=Certification Authority,O=Trusted Introducer (TI),C=NL: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Neil Long,OU=Team Cymru,O=Trusted Introducer,C=NL: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Phillip Heller,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Arien Vijn: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Sprint Nextel Root Authority,OU=Copyright (c) 2007+OU=Sprint Nextel: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=劉培文,OU=ICST+OU=Provided by Global Digital Inc.+OU=GlobalTrust - Personal vaildate class 1,O=Institute for Information Industry,C=TW: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Sprint Nextel Enterprise Issuing 1 Authority: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Wesley E George IV,OU=Domain Users+OU=Standard: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Sprint Nextel Enterprise Intermediate 1 Authority,OU=Copyright (c) 2007+OU=Sprint Nextel: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Tero Toikkanen,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jan Tuomi,OU=StartCom Verified Certificate Member,L=Norrkoping,ST=Ostergotlands,C=SE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Lars Eggert,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Brooks Bridges,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Arjan van der Oest,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Alex Band,OU=TS,O=RIPE NCC,ST=Noord-Holland,C=NL: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Wesley E George IV,OU=Domain Users+OU=Managed+OU=Standard-Technical: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=ghislain adnet,OU=CPS terms incorporated by reference liability limited.+OU=See Public S/MIME CPS www.geotrust.com/resources/CPS.+OU=Phone Validation - 33 663792738+OU=Email and phone validated only.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=GeoTrust True Credentials CA 2,O=GeoTrust Inc.,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jason Bertoch,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CNRS2-Standard,O=CNRS,C=FR: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Jason Schwarz,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Bernard Tuy,OU=UPS836,O=CNRS,C=FR: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=George Carey's CA,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Personal Freemail Issuing CA,O=Thawte Consulting (Pty) Ltd.,C=ZA: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Patrik Wallstr�m: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Patrik Wallstr�m: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Maik Heinrich: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Ulrich Kiermayr,O=Universitaet Wien,C=AT: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Vinny Abello,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)05+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Andrew Lange,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Alan Batie,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Roque Gagliano,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Lars Eggert: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Brooks Bridges,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=James Burwell,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Shaun Ewing,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected OU=Class 2 Public Primary Certification Authority - G2+OU=(c) 1998 VeriSign\, Inc. - For authorized use only+OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=The University of Texas Health Science Center at Houston CA,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)99+OU=Class 2 CA - OnSite Individual Subscriber,O=The University of Texas System: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=William Murphy,OU=Health Science Center at Houston CA+OU=www.verisign.com/repository/CPS Incorp. by Ref.\,LIAB.LTD(c)99,O=The University of Texas System: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Chris Campbell,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jason Gurtz,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jon Thomas Radel: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=VeriSign Trust Network+OU=Terms of use at https://www.verisign.com/rpa (c)05+OU=Persona Not Validated,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Mathias Seiler,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Netscape Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=CAcert WoT User: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Hans Goes,OU=IT4W&O Fullfillment Beheer 1,O=KPN Telecom B.V.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=KPN Telecom e-wholesale G2,O=KPN Telecom B.V.,C=NL: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=vpn.dnssec-example.com,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Hans Goes,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=WK - VPN Cert,C=US: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Jose Xavier,OU=Bancos,O=TelcoNet S.A.,STREET=Kennedy Norte Mz 109 Solar 21,L=Guayaquil,ST=Guayas,C=EC: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=E.ON Group CA V2,OU=CA,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=E.ON Sverige AB Sub CA V2,OU=CA,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected SERIALNUMBER=A16754,CN=Anna Borg,OU=E.ON Sverige AB,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected SERIALNUMBER=A16754,CN=Anna Borg,OU=E.ON Sverige AB,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Personal Freemail CA,OU=Certification Services Division,O=Thawte Consulting,L=Cape Town,ST=Western Cape,C=ZA: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Jonathan Bishop: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Kazar Root CA,OU=CA Division,O=Association Kazar,L=Paris,ST=Paris,C=FR: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected OU=Class 1 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Matthwe Huff,OU=VeriSign Trust Network+OU=www.verisign.com/repository/RPA Incorp. by Ref.\,LIAB.LTD(c)98+OU=Persona Not Validated+OU=Digital ID Class 1 - Microsoft Full Service,O=VeriSign\, Inc.: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Yaron Sheffer,OU=Comodo Trust Network - PERSONA NOT VALIDATED+OU=Terms and Conditions of use: http://www.comodo.net/repository+OU=(c)2003 Comodo Limited: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Chad Burnham: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=Alan Batie: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=StartCom Free Certificate Member,O=Persona Not Validated: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected SERIALNUMBER=A16754,CN=Anna Borg,OU=E.ON Sverige AB,O=EON,C=DE: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert rejected CN=Thawte Freemail Member: "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=.: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved SERIALNUMBER=CVR:25775635-UID:1105357707258,CN=Forsvarsministeriet Departementet - Forsvarsministeriet,O=Forsvarsministeriet Departementet // CVR:25775635,C=DK
crypto/x509: verify-cert approved CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=flk1.kastelo.net: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert rejected CN=COMODO RSA Code Signing CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
crypto/x509: verify-cert rejected CN=Kastelo AB,O=Kastelo AB,POSTALCODE=23635,STREET=Prästkragevägen 23,L=Höllviken,ST=Skåne,C=SE: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=UniFi,OU=UniFi,O=ubnt.com,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=GlobalSign PersonalSign 2 CA - SHA256 - G3,O=GlobalSign nv-sa,C=BE: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=Jeffrey Paul Goldberg,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=com.apple.idms.appleid.prd.2f3254377273324b6b456f78644b335456566b7149673d3d: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED"
crypto/x509: verify-cert approved CN=Apple iPhone Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert approved CN=Apple iPhone OS Provisioning Profile Signing,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected : "Cert Verify Result: CSSMERR_TP_CERT_EXPIRED"
crypto/x509: verify-cert approved CN=Apple Root Certificate Authority,OU=Apple Computer Certificate Authority,O=Apple Computer\, Inc.,C=US
crypto/x509: verify-cert approved CN=mitmproxy,O=mitmproxy
crypto/x509: verify-cert rejected CN=unu.kastelo.net: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=SEC Consult Vulnerability Lab,OU=Issued through SEC Consult Unternehmensberatung GmbH E-PKI Manag+OU=Corporate Secure Email,O=SEC Consult Unternehmensberatung GmbH,POSTALCODE=2700,STREET=Komarigasse 14/1,L=Wr. Neustadt,ST=Niederoesterreich,C=AT: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=iPhone Developer: Jakob Borg (K53FH4XY4G),OU=F3H4GR3D3C,O=ASFT Industries AB,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=iPhone Distribution: ASFT Industries AB (F3H4GR3D3C),OU=F3H4GR3D3C,O=ASFT Industries AB,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=iPhone Developer: Jakob Borg (544PYLHCNP),OU=5SZSCASWC4,O=Distributed Medical AB,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=Oracle Integrated Lights Out Manager,O=Oracle America\, Inc.,L=Redwood Shores,ST=California,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert approved CN=com.apple.idms.appleid.prd.001690-05-4d1473ca-c1d6-4fb9-aaa2-1abed4dfc7ac
crypto/x509: verify-cert rejected CN=iPhone Developer: Jakob Borg (TDGVNCLG6S),OU=LQE5SYM783,O=Kastelo AB,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
crypto/x509: verify-cert rejected CN=Posta Certificata ARUBA PEC,O=Aruba PEC S.p.A.,L=Ponte San Pietro,ST=Bergamo,C=IT: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert approved CN=AgID CA1,OU=Area Soluzioni per la Pubblica Amministrazione,O=Agenzia per l'Italia Digitale,L=Roma,C=IT
crypto/x509: verify-cert rejected CN=UniFi,OU=UniFi,O=ubnt.com,L=San Jose,ST=CA,C=US: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected CN=fsn1: "Cert Verify Result: CSSMERR_TP_NOT_TRUSTED"
crypto/x509: verify-cert rejected : "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected : "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: verify-cert rejected CN=Developer ID Application: Jakob Borg (LQE5SYM783),OU=LQE5SYM783,O=Jakob Borg,C=US: "Cert Verify Result: Invalid Extended Key Usage for policy"
crypto/x509: ran security verify-cert 589 times
    cgo sys roots: 120.943026ms
non-cgo sys roots: 4.408893492s
signed certificate only present in non-cgo pool (acceptable): CN=Apple Worldwide Developer Relations Certification Authority,OU=Apple Worldwide Developer Relations,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=GlobalSign PersonalSign Partners CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
signed certificate only present in non-cgo pool (acceptable): CN=COMODO RSA Client Authentication and Secure Email CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
signed certificate only present in non-cgo pool (acceptable): CN=DFN-Verein PCA Global - G01,OU=DFN-PKI,O=DFN-Verein,C=DE
signed certificate only present in non-cgo pool (acceptable): CN=UHH CA - G02,OU=Regionales Rechenzentrum,O=Universitaet Hamburg,L=Hamburg,ST=Hamburg,C=DE
signed certificate only present in non-cgo pool (acceptable): CN=Entrust Class 1 Client CA,OU=www.entrust.net/CPS is incorporated by reference+OU=(c) 2010 Entrust\, Inc.,O=Entrust\, Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Uni-Konstanz CA-S001,O=Uni-Konstanz,C=DE
certificate only present in non-cgo pool: SERIALNUMBER=CVR:25775635-UID:1105357707258,CN=Forsvarsministeriet Departementet - Forsvarsministeriet,O=Forsvarsministeriet Departementet // CVR:25775635,C=DK (verify error: x509: certificate signed by unknown authority)
signed certificate only present in non-cgo pool (acceptable): CN=Developer ID Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Apple iPhone Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=Apple iPhone OS Provisioning Profile Signing,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=com.apple.idms.appleid.prd.001690-05-4d1473ca-c1d6-4fb9-aaa2-1abed4dfc7ac
signed certificate only present in non-cgo pool (acceptable): CN=Apple Application Integration Certification Authority,OU=Apple Certification Authority,O=Apple Inc.,C=US
signed certificate only present in non-cgo pool (acceptable): CN=AgID CA1,OU=Area Soluzioni per la Pubblica Amministrazione,O=Agenzia per l'Italia Digitale,L=Roma,C=IT
certificate only present in cgo pool: CN=UniFi,OU=UniFi,O=ubnt.com,L=San Jose,ST=CA,C=US
certificate only present in cgo pool: CN=unu.kastelo.net
certificate only present in cgo pool: CN=UniFi,OU=UniFi,O=ubnt.com,L=San Jose,ST=CA,C=US
certificate only present in cgo pool: CN=flk1.kastelo.net
certificate only present in cgo pool: CN=
certificate only present in cgo pool: CN=fsn1
certificate only present in cgo pool: CN=Oracle Integrated Lights Out Manager,O=Oracle America\, Inc.,L=Redwood Shores,ST=California,C=US
Number of trusted certs = 9
Cert 0: 
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.21.9.89
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.21.9.89
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SSL
      Policy String         : 
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SSL
      Policy String         : 
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : SSL
      Policy String         : 
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : SSL
      Policy String         : 
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : SSL
      Policy String         : 
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : SSL
      Policy String         : 
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : SSL
      Policy String         : 172.21.45.132
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Policy OID            : SSL
      Policy String         : 172.21.45.132
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 1: 
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 2: flk1.kastelo.net
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : flk1.kastelo.net
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : flk1.kastelo.net
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 3: UniFi
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : unifi4.nym.se
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : unifi4.nym.se
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 4: mitmproxy
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 5: unu.kastelo.net
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : localhost
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : localhost
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 6: Oracle Integrated Lights Out Manager
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : 172.16.32.10
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : 172.16.32.10
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
Cert 7: UniFi
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : nuc
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : nuc
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 8: fsn1
   Number of trust settings : 2
   Trust Setting 0:
      Policy OID            : SSL
      Policy String         : fsn1.kastelo.net
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Policy String         : fsn1.kastelo.net
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot

!!! The test failed!

Please report *the whole output* at https://github.com/golang/go/issues/24652 wrapping it in ``` a code block ```
Thank you!

I've redacted a few certificates that contain customer names. I'm not sure what in the above output constitutes the test failure; if you need the redacted stuff or clarification, please feel free to ping me.

ChrisHines commented 6 years ago

I ended up finding this issue because I was having some problems retrieving modules with go1.11rc1 from gopkg.in or k8s.io recently. After much debugging and investigation my colleagues and I determined that go get -u also could not retrieve the same packages. All because of errors such as this:

https fetch failed: Get https://gopkg.in/yaml.v2?go-get=1: x509: certificate signed by unknown authority

In short, I have a Mac for work and my company has a corporate proxy with its own Root CA. The company Mac has the Root CA certificates installed in the System Keychain (a.k.a. kSecTrustSettingsDomainAdmin) with trust settings "Always Trust". The cert looks well formed (subject == issuer).

Things that don't work:

Things that work:

It seems this problem has been around for a while, but we hadn't noticed because we always vendor our dependencies and haven't updated to Go 1.10 on many projects yet.

With the impending release of Go 1.11 and the interest in modules this problem will move to the foreground. In particular we could potentially work around it with go get -insecure when working in a GOPATH. But that does not appear to be as easy for projects that want to use modules (https://github.com/golang/go/issues/27049#issuecomment-414031654) instead of dep.

So consider this a pretty-please request to get a fix for this into Go 1.11.

FiloSottile commented 6 years ago

Unfortunately this change is hard to test and interacts with a very complex API, so I did not feel safe shipping it in 1.11 at the last minute. We will be targeting the next minor release after more testing.

As a temporary workaround, in some cases you can make the trust settings explicit by opening Keychain Access, finding the relevant certificate, and marking it as Always Trust. It might even already show as such in the UI, because empty trust settings are the same as Always Trust, but Go doesn't understand that. Just toggling it in the UI back and forth should make the settings explicit.

ChrisHines commented 6 years ago

@FiloSottile Thanks for the update. I understand the need for caution. I hope it can make it into a future release.

I tried your workaround of toggling the trust settings to "Never Trust" and back to "Always Trust", and it worked. 🎉

A bit more detail for anyone else with a similar problem. I was skeptical at first, because I had tried changing the trust levels before I posted my previous comment in this thread. I almost didn't even try @FiloSottile's suggestion, but then I remembered that my previous attempts may not have been thorough enough for two reasons. First, I had been changing them on a different certificate than I should have because I hadn't yet learned which certificate was needed for this specific use case. Second, I had only tried changing the trust level to "Use System Defaults", which didn't seem to have any effect.

So I tried again before replying, just to make sure. This time I updated the correct certificate, and I changed the trust settings to "Never Trust" instead of "Use System Defaults". With that approach Keychain Access prompted me for my password and actually saved the new setting. After toggling back to "Always Trust" I tried the commands that didn't work before and they all work now.

Thank you for that.

adamdecaf commented 6 years ago

Sounds good. Thanks @FiloSottile! I cleaned up my CLs related to this.

jhump commented 6 years ago

Just toggling it in the UI back and forth should make the settings explicit.

@FiloSottile, that worked for me.

But we use security add-trusted-cert ... in a script for setting up a local development environment to work with TLS (we generate a self-signed cert and then designate it as trusted). When we updated to Go 1.10, that script no longer works (it's fine for browser-to-server communications, but server-to-server communications that use TLS don't work due to this issue). Ideally, we'd have a work-around that does not require developers to take extra manual steps.

Any idea if there is a work-around that does not require tickling an entry in the keychain manually? Like maybe other parameters we could supply to the security add-trusted-cert ... incantation that will still make the cert trusted for TLS but result in explicit (non-empty) trust settings? I've been toying with command-line params a bit and have yet to find success :/
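The `x509: certificate signed by unknown authority` failure the commenters above hit is the verifier's root pool simply lacking the issuer. As an added example that is not code from the Go project or any commenter, the Go program below constructs a throwaway root and leaf (stand-ins for a corporate proxy root and the certificate such a proxy presents for gopkg.in), reproduces the error against an empty pool, and shows the application-side workaround of appending the root PEM to the system pool before handing it to tls.Config.RootCAs. It assumes the application controls its own tls.Config; it does not change what the go command itself trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeRootAndLeaf builds a throwaway self-signed root CA and a leaf it issued:
// constructed test data standing in for a corporate proxy root and the
// certificate that proxy presents for gopkg.in. Errors here are bugs, so it panics.
func makeRootAndLeaf() (rootPEM []byte, leaf *x509.Certificate) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Proxy Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	must(err)
	rootCert, err := x509.ParseCertificate(rootDER)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "gopkg.in"},
		DNSNames:     []string{"gopkg.in"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, &leafKey.PublicKey, rootKey)
	must(err)
	leaf, err = x509.ParseCertificate(leafDER)
	must(err)
	rootPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
	return rootPEM, leaf
}

// verifyAgainst runs the chain building crypto/tls performs for a server cert and
// reports whether a failure is x509.UnknownAuthorityError ("signed by unknown authority").
func verifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) (ok, unknownAuthority bool, err error) {
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	if err == nil {
		return true, false, nil
	}
	var ua x509.UnknownAuthorityError
	return false, errors.As(err, &ua), err
}

// poolWithExtraRoots extends base (an empty pool when base is nil) with PEM roots.
// Passing the result as tls.Config.RootCAs makes trust in the corporate root
// independent of how the keychain trust settings are read.
func poolWithExtraRoots(base *x509.CertPool, rootPEM []byte) (*x509.CertPool, error) {
	if base == nil {
		base = x509.NewCertPool()
	}
	if !base.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("no certificates could be parsed from the PEM data")
	}
	return base, nil
}

func main() {
	rootPEM, leaf := makeRootAndLeaf()
	// An empty pool reproduces the error the go command printed in this thread.
	_, _, err := verifyAgainst(leaf, x509.NewCertPool(), "gopkg.in")
	fmt.Println("empty pool:", err)
	// SystemCertPool is the cgo/non-cgo dependent part on darwin; a nil pool on
	// error is handled by poolWithExtraRoots, and the explicit root makes the result predictable.
	sysPool, _ := x509.SystemCertPool()
	pool, err := poolWithExtraRoots(sysPool, rootPEM)
	must(err)
	ok, _, _ := verifyAgainst(leaf, pool, "gopkg.in")
	fmt.Println("system pool + explicit root:", ok)
}
```

Hostname checking still applies with the explicit root, so this only widens the set of trusted issuers, not what names a certificate may claim.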