gost-engine / engine

A reference implementation of the Russian GOST crypto algorithms for OpenSSL
Apache License 2.0

esia.gosuslugi.ru root CA and cert chain problem #321

Closed rerime closed 3 years ago

rerime commented 3 years ago

Not sure this is the right place to ask.

openssl  ciphers -v   | grep -i gost
GOST2012256-GOST89-GOST89 SSLv3 Kx=GOST     Au=GOST01 Enc=GOST-28178-89-CNT Mac=GOST89IMIT
GOST2001-GOST89-GOST89  SSLv3 Kx=GOST     Au=GOST01 Enc=GOST-28178-89-CNT Mac=GOST89IMIT

I was trying to add the root CA for esia.gosuslugi.ru, but it shows only one cert. Is it a web server misconfiguration, or how can I retrieve the chain with the CA and intermediate cert?

openssl s_client -connect esia.gosuslugi.ru:443 -showcerts

CONNECTED(00000005)
depth=0 CN = Минцифры России, C = RU, ST = 77 Москва, L = Москва, street = "Пресненская наб., д.10, стр.2", 1.2.643.100.1 = #120D31303437373032303236373031, 1.2.643.3.131.1.1 = #120C303037373130343734333735, O = Минцифры России
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = Минцифры России, C = RU, ST = 77 Москва, L = Москва, street = "Пресненская наб., д.10, стр.2", 1.2.643.100.1 = #120D31303437373032303236373031, 1.2.643.3.131.1.1 = #120C303037373130343734333735, O = Минцифры России
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=Минцифры России/C=RU/ST=77 Москва/L=Москва/street=Пресненская наб., д.10, стр.2/1.2.643.100.1=1047702026701/1.2.643.3.131.1.1=007710474375/O=Минцифры России
   i:/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 Москва/L=г. Москва/street=улица Тверская, дом 7/O=Минкомсвязь России/1.2.643.100.1=1047702026701/1.2.643.3.131.1.1=007710474375/CN=Минкомсвязь России
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
---
Server certificate
subject=/CN=Минцифры России/C=RU/ST=77 Москва/L=Москва/street=Пресненская наб., д.10, стр.2/1.2.643.100.1=1047702026701/1.2.643.3.131.1.1=007710474375/O=Минцифры России
issuer=/emailAddress=dit@minsvyaz.ru/C=RU/ST=77 Москва/L=г. Москва/street=улица Тверская, дом 7/O=Минкомсвязь России/1.2.643.100.1=1047702026701/1.2.643.3.131.1.1=007710474375/CN=Минкомсвязь России
---
No client certificate CA names sent
---
SSL handshake has read 2034 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is GOST2012256-GOST89-GOST89
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : GOST2012256-GOST89-GOST89
    Session-ID: D08BF080E75FFD85B674FF21DC0DBE31D209AF19473BFD1B0ACE4398F23A5D25
    Session-ID-ctx: 
    Master-Key: 5F5988DEF33FFF9075915E14E84D7BB4F2B8D9661F467C85F574D5A79257342A36A8E3B07A5098F54144ECC571792D7B
    Start Time: 1614674332
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
beldmit commented 3 years ago

I strongly suspect that it is a server misconfiguration. Usually people visiting such sites have the relevant CA certificates installed by certified GOST software.

rerime commented 3 years ago

Solved

wget https://raw.githubusercontent.com/schors/gost-russian-ca/master/certs/ca-certificates.pem
curl   https://esia.gosuslugi.ru --cacert ca-certificates.pem
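The failure in this thread is a chain-building problem, not a GOST problem: the server sends only its leaf certificate, and OpenSSL has nothing in its trust store that matches the issuer, so `s_client` reports verify error 20 and then 21. The script below is an added example (not code from this thread or from the gost-engine project) that reproduces the same situation offline with a throwaway root -> intermediate -> leaf chain and then shows the two client-side fixes: trust the root and hand the missing intermediate to `openssl verify` with `-untrusted`, or trust a bundle that already contains every CA in the hierarchy, which is what the gost-russian-ca `ca-certificates.pem` file does for the real site. Plain RSA keys are used so it runs without the engine; the subjects, the host name `esia.example.test` and the AIA URL are made up for the demo. It needs only the `openssl` CLI.

```shell
#!/bin/sh
# Added example, not gost-engine or thread code. Reproduces
# "unable to get local issuer certificate" with a local demo PKI and
# shows how supplying the issuer(s) to the client fixes it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Key + CSR for one name. All subjects below are constructed for the demo.
csr() {  # csr <name> <subject>
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/ca.ext"
  # The AIA caIssuers URL is a made-up placeholder; real leaves often carry one.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:esia.example.test\nauthorityInfoAccess=caIssuers;URI:http://ca.example.test/inter.crt\n' \
    > "$WORK/leaf.ext"

  csr root  "/C=RU/O=Demo Root CA/CN=Demo Root CA"
  csr inter "/C=RU/O=Demo Issuing CA/CN=Demo Issuing CA"
  csr leaf  "/C=RU/O=Demo Site/CN=esia.example.test"

  # Self-signed root, then each link signed by the one above it.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 30 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # Shape of a bundle like gost-russian-ca's ca-certificates.pem:
  # every CA of the hierarchy concatenated into one trusted file.
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
}

# Verify the leaf with an explicit trust configuration, skipping the default
# CA file and directory. Prints "ok" or the X509 verify error number
# (20 = unable to get local issuer certificate).
verify_leaf() {
  if out="$(openssl verify -no-CAfile -no-CApath "$@" "$WORK/leaf.pem" 2>&1)"; then
    echo ok
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

# First thing to read on a real leaf (the one -showcerts printed above):
# who issued it, and whether it carries an AIA caIssuers URL you can fetch.
leaf_issuer_info() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
  openssl x509 -in "$WORK/leaf.pem" -noout -text | grep -A1 'Authority Information Access' || true
}

# Four trust configurations; returns 0 only if each behaves as expected.
check_chain() {
  none="$(verify_leaf)"                                                       # nothing trusted
  root_only="$(verify_leaf -CAfile "$WORK/root.pem")"                         # intermediate missing
  untrusted="$(verify_leaf -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem")"
  bundle="$(verify_leaf -CAfile "$WORK/bundle.pem")"
  echo "no trust: $none | root only: $root_only | root + -untrusted inter: $untrusted | bundle: $bundle"
  [ "$none" = 20 ] && [ "$root_only" = 20 ] && [ "$untrusted" = ok ] && [ "$bundle" = ok ]
}

build_demo_pki
leaf_issuer_info
check_chain
```

The "root only" case is the one a server that omits its intermediate produces on a properly configured client, and `-untrusted` (or `curl --cacert` with a bundle that includes the intermediate) is the client-side workaround; the real fix is still for the server to send the intermediate itself.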