[Twisted-Python] "mind" introduced strangely in pb howto

Tobias Oberstein tobias.oberstein at tavendo.de
Thu Oct 24 01:48:02 MDT 2013


Ah, right. Seems Chrome changed its behavior .. at one point it wasn't able to load intermediate certs .. and hence I assumed from the dialog that the Twisted cert has the intermediate cert contained. Wrong.

FWIW, you can manually concatenate certs .. this is what we do (also for StartSSL):

    $ cat myserver_plain_cert.crt > myserver.crt
    $ cat ../sub.class1.server.sha2.ca.pem >> myserver.crt
    $ cat ../ca.pem >> myserver.crt

A concatenated cert like above works today without the new code that is upcoming in Twisted. Which is cool also.

However: this all does not explain (at least I don't understand) why the OP has that issue showing up .. Firefox is able to load intermediate CA certs from the net .. I have seen it .. also for StartSSL certs. Something is breaking this. Maybe it's MITM TLS, maybe they blocked intermediate cert auto-loading, .. dunno.

/Tobias

> -----Original Message-----
> From: twisted-python-bounces at twistedmatrix.com [mailto:twisted-python-
> bounces at twistedmatrix.com] On behalf of Hynek Schlawack
> Sent: Thursday, 24 October 2013 09:16
> To: Twisted general discussion
> Subject: Re: [Twisted-Python] "mind" introduced strangely in pb howto
> 
> On 24.10.2013 at 09:02, Tobias Oberstein
> <tobias.oberstein at tavendo.de> wrote:
> 
> >> I just tried to register so I could do that. When I clicked on the
> >> register button after filling out the username/password fields my
> >> browser (firefox) brought up a notice that the security certificate
> >> is invalid because of unavailable issuance chain information. Knowing
> >> absolutely nothing about internet security issues I thought I should
> >> mention this and ask if this is expected behavior.
> >
> > I wouldn't call that expected behavior, since
> >
> > a) the certificate used on twistedmatrix.com contains (as it should)
> > intermediate CA certs also (see attachments)
> 
> I'm not sure what you mean with "contains"? It certainly *relies* on one but
> unfortunately doesn't send it along (yet):
> 
> $ openssl s_client -host www.twistedmatrix.com -port 443
> CONNECTED(00000003)
> depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmaster at twistedmatrix.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmaster at twistedmatrix.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmaster at twistedmatrix.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/description=S7lbCt7N2R4t9o8J/C=US/CN=www.twistedmatrix.com/emailAddress=postmaster at twistedmatrix.com
>    i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
> ---
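The concatenation Tobias describes (leaf, then intermediate, then root) and the "unable to get local issuer certificate" failure in the quoted s_client output, carried through end to end as an added example. This is not code from the thread, from StartSSL or from Twisted: it builds a toy root -> intermediate -> server chain with the openssl CLI, concatenates it in the same order as the message, and checks with `openssl verify` that the leaf alone fails with error 20 while the bundled chain verifies. Assumed: the openssl CLI is on PATH, `$WORK` is a writable scratch directory, and the CA names, host name and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a root -> intermediate -> leaf chain is
# generated locally, concatenated leaf-first like the message describes, and
# verified. Assumes the openssl CLI and a writable scratch directory $WORK.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build the three constructed certificates; extensions come from explicit
# ext files so the result does not depend on the local openssl.cnf.
make_chain() {
    # Self-signed root CA (CA:TRUE so it may issue the intermediate).
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -days 2 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" >/dev/null 2>&1

    # Intermediate CA signed by the root, again CA:TRUE so it may sign leaves.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" \
        -out "$WORK/sub.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$WORK/sub.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/sub.ca.pem" >/dev/null 2>&1

    # Server (leaf) certificate signed by the intermediate, CA:FALSE.
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/myserver.key" \
        -out "$WORK/myserver.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$WORK/myserver.ext"
    openssl x509 -req -days 2 -in "$WORK/myserver.csr" \
        -CA "$WORK/sub.ca.pem" -CAkey "$WORK/sub.key" -CAcreateserial \
        -extfile "$WORK/myserver.ext" -out "$WORK/myserver_plain_cert.crt" >/dev/null 2>&1
}

# The concatenation from the message: leaf first, then intermediate, then root.
make_bundle() {
    cat "$WORK/myserver_plain_cert.crt" >  "$WORK/myserver.crt"
    cat "$WORK/sub.ca.pem"              >> "$WORK/myserver.crt"
    cat "$WORK/ca.pem"                  >> "$WORK/myserver.crt"
}

# Number of PEM certificate blocks in the bundle (3 for leaf + intermediate + root).
count_bundle_certs() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/myserver.crt"
}

# What a client with only the root in its trust store sees when the server
# sends the leaf alone: verification fails because the issuer is unknown.
verify_leaf_alone() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/myserver_plain_cert.crt" >/dev/null 2>&1
}

# Error number reported for the leaf-alone case; 20 is
# "unable to get local issuer certificate", as in the quoted s_client output.
leaf_alone_error_code() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/myserver_plain_cert.crt" 2>&1 \
        | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1
}

# Same root trust store, but the bundle is offered as untrusted chain
# material (the role the sent-along intermediate plays in a TLS handshake).
verify_with_bundle() {
    openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/myserver.crt" \
        "$WORK/myserver_plain_cert.crt" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    make_chain
    make_bundle
    echo "certificates in bundle: $(count_bundle_certs)"
    if verify_leaf_alone; then
        echo "leaf alone: OK (unexpected)"
    else
        echo "leaf alone: FAILED with openssl error $(leaf_alone_error_code)"
    fi
    if verify_with_bundle; then echo "leaf + bundle: OK"; else echo "leaf + bundle: FAILED"; fi
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

The order matters for servers that read a single chain file: the leaf must come first, each following certificate must be the issuer of the one before it, and the root at the end is optional (clients already hold it) but harmless. Running `openssl verify -CAfile <root> -untrusted <bundle> <leaf>` is a cheap pre-deployment check that the bundle really completes the chain, which is the condition the s_client output above shows twistedmatrix.com was not meeting at the time.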
