New upstream version 0.2.2 Stephane Glondu 2 years ago
15 changed file(s) with 1391 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
0 name: ca-certs
1
2 on: [push, pull_request]
3
4 jobs:
5 tests:
6 name: Tests
7
8 strategy:
9 fail-fast: false
10 matrix:
11 ocaml-version: ["4.13.1", "4.12.1", "4.11.2"]
12 operating-system: [macos-latest, ubuntu-latest, windows-latest]
13
14 runs-on: ${{ matrix.operating-system }}
15
16 steps:
17 - name: Checkout code
18 uses: actions/checkout@v2
19
20 - name: Use OCaml ${{ matrix.ocaml-version }}
21 uses: ocaml/setup-ocaml@v2
22 with:
23 ocaml-version: ${{ matrix.ocaml-version }}
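Review bot: Both actions in the `steps` list are referenced by mutable tags (`actions/checkout@v2`, `ocaml/setup-ocaml@v2`), so a retag upstream silently changes what runs in this project's CI without any change here; pin each to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2` (placeholder SHA). The `tests` job also declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` scope although nothing visible here needs more than `permissions: contents: read`. The section appears to end after the setup-ocaml step, so if build and test steps exist they are not visible on this page.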
0 _build
1 _opam
2 .merlin
0 version = 0.19.0
1 profile=conventional
0 # v0.2.2 (2021-10-27)
1
2 * Filter trailing certificate (if the data does not contain
3 "-----BEGIN CERTIFICATE-----", it won't be a certificate) (#19 @hannesm)
4 * Avoid deprecated functions from fmt (#19 @hannesm)
5 * Remove rresult dependency (#19 @hannesm)
6 * Update GitHub actions (#19 @hannesm)
7
8 # v0.2.1 (2021-04-22)
9
10 * Update to X.509 0.13.0 API (#18, @hannesm)
11 * Respect NIX_SSL_CERT_FILE environment variable to support NixOS builds
12 (reported by @sternenseemann in #16, fix in #17 by @hannesm)
13
14 # v0.2.0 (2021-03-05)
15
16 * Add Windows support (#14, @emillon)
17
18 # v0.1.3 (2020-11-17)
19
20 * Allow some certificates to fail decoding (#11, reported by @mattpallissard
21 in mirleft/ocaml-x509#137)
22
23 # v0.1.2 (2020-10-12)
24
25 * Revise API, avoid temporary file creation on macos
26
27 # v0.1.1 (2020-10-11)
28
29 * Revise test suite to not connect to the network (to please opam's sandbox),
30 instead use hardcoded certificate chains.
31
32 # v0.1.0 (2020-10-09)
33
34 * Tested on macos, Debian GNU/Linux, Ubuntu, Gentoo, Alpine, CentOS/RHEL 7,
35 OpenSUSE, FreeBSD, OpenBSD
36 * Initial release
0 ## ISC License
1
2 Copyright (c) 2019, The MirageOS contributors
3
4 Permission to use, copy, modify, and/or distribute this software for any
5 purpose with or without fee is hereby granted, provided that the above
6 copyright notice and this permission notice appear in all copies.
7
8 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
0 ## ca-certs - detect root CA certificates from the operating system
1
2 TLS requires a set of root anchors (Certificate Authorities) to authenticate
3 servers. This library exposes this list so that it can be registered with
4 [ocaml-tls].
5
6 [ocaml-tls]: https://github.com/mirleft/ocaml-tls
0 version: "0.2.2"
1 # This file is generated by dune, edit dune-project instead
2 opam-version: "2.0"
3 synopsis: "Detect root CA certificates from the operating system"
4 description: """
5 TLS requires a set of root anchors (Certificate Authorities) to
6 authenticate servers. This library exposes this list so that it can be
7 registered with ocaml-tls.
8 """
9 maintainer: ["Etienne Millon <me@emillon.org>"]
10 authors: [
11 "Etienne Millon <me@emillon.org>, Hannes Mehnert <hannes@mehnert.org>"
12 ]
13 license: "ISC"
14 homepage: "https://github.com/mirage/ca-certs"
15 doc: "https://mirage.github.io/ca-certs/doc"
16 bug-reports: "https://github.com/mirage/ca-certs/issues"
17 depends: [
18 "dune" {>= "2.0"}
19 "astring"
20 "bos"
21 "fpath"
22 "ptime"
23 "logs"
24 "mirage-crypto"
25 "x509" {>= "0.13.0"}
26 "ocaml" {>= "4.08.0"}
27 "alcotest" {with-test}
28 "fmt" {with-test & >= "0.8.7"}
29 ]
30 dev-repo: "git+https://github.com/mirage/ca-certs.git"
31 build: [
32 ["dune" "subst"] {dev}
33 [
34 "dune"
35 "build"
36 "-p"
37 name
38 "-j"
39 jobs
40 "@install"
41 "@runtest" {with-test & os != "macos"} # the opam sandbox on macos leads to test failures (ocaml/opam#4389)
42 "@doc" {with-doc}
43 ]
44 ]
45 tags: ["org:mirage"]
46 depexts: [
47 ["ca_root_nss"] {os = "freebsd"}
48 ]
0 build: [
1 ["dune" "subst"] {dev}
2 [
3 "dune"
4 "build"
5 "-p"
6 name
7 "-j"
8 jobs
9 "@install"
10 "@runtest" {with-test & os != "macos"} # the opam sandbox on macos leads to test failures (ocaml/opam#4389)
11 "@doc" {with-doc}
12 ]
13 ]
14 tags: ["org:mirage"]
15 depexts: [
16 ["ca_root_nss"] {os = "freebsd"}
17 ]
0 (lang dune 2.0)
1 (name ca-certs)
2 (version v0.2.2)
3
4 (generate_opam_files true)
5 (source (github mirage/ca-certs))
6 (documentation "https://mirage.github.io/ca-certs/doc")
7 (license ISC)
8 (maintainers "Etienne Millon <me@emillon.org>")
9 (authors "Etienne Millon <me@emillon.org>, Hannes Mehnert <hannes@mehnert.org>")
10
11 (package
12 (name ca-certs)
13 (depends
14 astring bos fpath ptime logs mirage-crypto
15 (x509 (>= 0.13.0))
16 (ocaml (>= 4.08.0))
17 (alcotest :with-test)
18 (fmt (and :with-test (>= 0.8.7))))
19 (synopsis "Detect root CA certificates from the operating system")
20 (description
21 "\> TLS requires a set of root anchors (Certificate Authorities) to
22 "\> authenticate servers. This library exposes this list so that it can be
23 "\> registered with ocaml-tls.
24 )
25 ; tags are not included before (lang dune 2.0)
26 ; so an opam template is necessary until then
27 (tags (org:mirage)))
0 let src = Logs.Src.create "ca-certs" ~doc:"CA certificates"
1
2 module Log = (val Logs.src_log src : Logs.LOG)
3
4 let issue =
5 {|Please report an issue at https://github.com/mirage/ca-certs, including:
6 - the output of uname -s
7 - the distribution you use
8 - the location of default trust anchors (if known)
9 |}
10
11 let detect_one path =
12 let path' = Fpath.v path in
13 match Bos.OS.Path.exists path' with
14 | Ok true -> Bos.OS.File.read path'
15 | _ ->
16 Error
17 (`Msg
18 ("ca-certs: no trust anchor file found, looked into " ^ path ^ ".\n"
19 ^ issue))
20
21 let detect_list paths =
22 let rec one = function
23 | [] ->
24 Error
25 (`Msg
26 ("ca-certs: no trust anchor file found, looked into "
27 ^ String.concat ", " paths ^ ".\n" ^ issue))
28 | path :: paths -> (
29 match detect_one path with Ok data -> Ok data | Error _ -> one paths)
30 in
31 one paths
32
33 (* from https://golang.org/src/crypto/x509/root_linux.go *)
34 let linux_locations =
35 [
36 (* Debian/Ubuntu/Gentoo etc. *)
37 "/etc/ssl/certs/ca-certificates.crt";
38 (* CentOS/RHEL 7 *)
39 "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem";
40 (* OpenSUSE *)
41 "/etc/ssl/ca-bundle.pem";
42 ]
43
44 (* from https://golang.org/src/crypto/x509/root_bsd.go *)
45 let openbsd_location = "/etc/ssl/cert.pem"
46
47 let freebsd_location = "/usr/local/share/certs/ca-root-nss.crt"
48
49 let macos_keychain_location =
50 "/System/Library/Keychains/SystemRootCertificates.keychain"
51
52 external iter_on_anchors : (string -> unit) -> unit = "ca_certs_iter_on_anchors"
53
54 let get_anchors () =
55 let der_list = ref [] in
56 match
57 iter_on_anchors (fun der_cert ->
58 der_list := Cstruct.of_string der_cert :: !der_list)
59 with
60 | () -> Ok !der_list
61 | exception Failure msg -> Error (`Msg msg)
62
63 let ( let* ) = Result.bind
64
65 let rec map_m f l =
66 match l with
67 | [] -> Ok []
68 | x :: xs ->
69 let* y = f x in
70 let* ys = map_m f xs in
71 Ok (y :: ys)
72
73 (** Load certificates from Windows' ["ROOT"] system certificate store.
74 The C API returns a list of DER-encoded certificates. These are decoded and
75 reencoded as a single PEM certificate. *)
76 let windows_trust_anchors () =
77 let* anchors = get_anchors () in
78 let* cert_list = map_m X509.Certificate.decode_der anchors in
79 Ok (X509.Certificate.encode_pem_multiple cert_list |> Cstruct.to_string)
80
81 let trust_anchors () =
82 if Sys.win32 then windows_trust_anchors ()
83 else
84 (* NixOS is special and sets "NIX_SSL_CERT_FILE" as location during builds *)
85 match Sys.getenv_opt "NIX_SSL_CERT_FILE" with
86 | Some x ->
87 Log.info (fun m -> m "using %s (from NIX_SSL_CERT_FILE)" x);
88 detect_one x
89 | None -> (
90 let cmd = Bos.Cmd.(v "uname" % "-s") in
91 let* os = Bos.OS.Cmd.(run_out cmd |> out_string |> success) in
92 match os with
93 | "FreeBSD" -> detect_one freebsd_location
94 | "OpenBSD" -> detect_one openbsd_location
95 | "Linux" -> detect_list linux_locations
96 | "Darwin" ->
97 let cmd =
98 Bos.Cmd.(
99 v "security" % "find-certificate" % "-a" % "-p"
100 % macos_keychain_location)
101 in
102 Bos.OS.Cmd.(run_out cmd |> out_string |> success)
103 | s -> Error (`Msg ("ca-certs: unknown system " ^ s ^ ".\n" ^ issue)))
104
105 let authenticator ?crls ?allowed_hashes () =
106 let* data = trust_anchors () in
107 let time () = Some (Ptime_clock.now ()) in
108 (* we cannot use decode_pem_multiple since this fails on the first
109 undecodable certificate - while we'd like to stay operational, and ignore
110 some certificates *)
111 let d = "-----" in
112 let sep = d ^ "END CERTIFICATE" ^ d in
113 let certs = Astring.String.cuts ~sep ~empty:false data in
114 let cas =
115 let affix = d ^ "BEGIN CERTIFICATE" ^ d in
116 List.fold_left
117 (fun acc data ->
118 if not (Astring.String.is_infix ~affix data) then acc
119 else
120 let data = data ^ sep in
121 match X509.Certificate.decode_pem (Cstruct.of_string data) with
122 | Ok ca -> ca :: acc
123 | Error (`Msg msg) ->
124 Log.warn (fun m -> m "Failed to decode a trust anchor %s." msg);
125 Log.debug (fun m -> m "Full certificate:@.%s" data);
126 acc)
127 [] certs
128 in
129 let cas = List.rev cas in
130 match cas with
131 | [] -> Error (`Msg ("ca-certs: empty trust anchors.\n" ^ issue))
132 | _ -> Ok (X509.Authenticator.chain_of_trust ?crls ?allowed_hashes ~time cas)
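Review bot: `windows_trust_anchors` fails the whole lookup as soon as one entry of the ROOT store does not decode (`map_m X509.Certificate.decode_der anchors` stops at the first `Error`), whereas the Unix path inside `authenticator` skips undecodable anchors with a `Log.warn` and continues, so on Windows a single unparseable store entry leaves callers with no authenticator at all; whether such entries occur in practice I cannot tell from here, but the two platforms should behave alike. Replacing `map_m` with `List.filter_map` and the same warning keeps them consistent; `map_m` then becomes unused and should be dropped so the dev profile does not warn. Separately, `detect_list` discards the error from `detect_one` (`Error _ -> one paths`), so a bundle that exists but cannot be read is reported as "no trust anchor file found", which sends the operator looking in the wrong place; carrying the last read error into the final message would fix that.
```ocaml
let windows_trust_anchors () =
  let* anchors = get_anchors () in
  (* mirror the Unix path: skip anchors that do not decode instead of
     failing the whole lookup on the first one *)
  let cert_list =
    List.filter_map
      (fun der ->
        match X509.Certificate.decode_der der with
        | Ok c -> Some c
        | Error (`Msg msg) ->
            Log.warn (fun m -> m "Failed to decode a trust anchor %s." msg);
            None)
      anchors
  in
  Ok (X509.Certificate.encode_pem_multiple cert_list |> Cstruct.to_string)
```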
0 val authenticator :
1 ?crls:X509.CRL.t list ->
2 ?allowed_hashes:Mirage_crypto.Hash.hash list ->
3 unit ->
4 (X509.Authenticator.t, [> `Msg of string ]) result
5 (** [authenticator ~crls ~allowed_hashes ()] detects the root CAs (trust
6 anchors) in the operating system's trust store using {!trust_anchors}. It
7 constructs an authenticator with the current timestamp {!Ptime_clock.now},
8 and the provided [~crls] and [~allowed_hashes] arguments. The resulting
9 authenticator can be used for {!Tls.Config.client}.
10 Returns [Error `Msg msg] if detection did not succeed. *)
11
12 val trust_anchors : unit -> (string, [> `Msg of string ]) result
13 (** [trust_anchors ()] detects the root CAs (trust anchors) in the operating
14 system's trust store. On Unix systems, if the environment variable
15 [NIX_SSL_CERT_FILE] is set, its value is used as path to the trust anchors.
16 The successful result is a list of pem-encoded X509 certificates. *)
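Review bot: The doc comment on `trust_anchors` says the successful result is "a list of pem-encoded X509 certificates", but the declared type is `string`, and it describes only the Unix behaviour although the implementation also covers Windows. I would rewrite the last sentence as `The successful result is a single string holding the PEM-encoded X509 certificates, one after another. On Windows the certificates are read from the system "ROOT" certificate store.` The `authenticator` comment should additionally state that anchors which fail to decode are skipped with a warning and that only an empty set yields an error, since a caller reasoning about which roots end up trusted needs to know that, and that the `NIX_SSL_CERT_FILE` override applies to it as well because it goes through `trust_anchors`.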
0 #include "caml/alloc.h"
1 #include "caml/callback.h"
2 #include "caml/fail.h"
3 #include "caml/memory.h"
4
5 #ifdef _WIN32
6
7 #include <windows.h>
8
9 value ca_certs_iter_on_anchors(value v_f)
10 {
11 CAMLparam1(v_f);
12 CAMLlocal1(v_encoded_cert);
13
14 HCERTSTORE hCertStore = CertOpenSystemStore(0, "ROOT");
15 if (!hCertStore)
16 {
17 caml_failwith("ca_certs_iter_on_anchors: CertOpenSystemStore returned NULL");
18 }
19
20 PCCERT_CONTEXT pCertContext = NULL;
21 while ((pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext)) != NULL)
22 {
23 if (!(pCertContext->dwCertEncodingType & X509_ASN_ENCODING))
24 {
25 caml_failwith("ca_certs_iter_on_anchors: certificate does not have expected encoding");
26 }
27 v_encoded_cert = caml_alloc_initialized_string(
28 pCertContext->cbCertEncoded,
29 pCertContext->pbCertEncoded);
30 caml_callback(v_f, v_encoded_cert);
31 }
32
33 if (!CertCloseStore(hCertStore, 0))
34 {
35 caml_failwith("ca_certs_iter_on_anchors: CertCloseStore returned an error");
36 }
37
38 CAMLreturn(Val_unit);
39 }
40
41 #else
42
43 value ca_certs_iter_on_anchors(value v_unit)
44 {
45 caml_failwith("ca_certs_iter_on_anchors: only implemented on Windows");
46 }
47
48 #endif
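Review bot: The `caml_failwith` inside the enumeration loop of `ca_certs_iter_on_anchors` returns to OCaml without releasing `pCertContext` or closing `hCertStore`, so the store handle leaks on every unexpected encoding, and the same happens if the OCaml closure passed to `caml_callback` raises. Free the context and close the store before raising; for the callback, `caml_callback_exn` with `Is_exception_result`/`Extract_exception` lets the stub clean up and then re-raise. Whether the ROOT store can hold non-`X509_ASN_ENCODING` entries in practice I cannot tell from here, but since one such entry currently aborts the whole enumeration and leaves the caller with no anchors, skipping it with `continue` may be the more robust choice than raising. The loop also cannot distinguish end-of-enumeration from an enumeration error, since both return NULL; if that matters, a `GetLastError()` check against `CRYPT_E_NOT_FOUND` after the loop would tell them apart.
```c
    CAMLlocal2(v_encoded_cert, v_result);
    /* … unchanged: CertOpenSystemStore and its NULL check … */
    while ((pCertContext = CertEnumCertificatesInStore(hCertStore, pCertContext)) != NULL)
    {
        if (!(pCertContext->dwCertEncodingType & X509_ASN_ENCODING))
        {
            /* leaving the loop early: the enumerator no longer frees this context */
            CertFreeCertificateContext(pCertContext);
            CertCloseStore(hCertStore, 0);
            caml_failwith("ca_certs_iter_on_anchors: certificate does not have expected encoding");
        }
        v_encoded_cert = caml_alloc_initialized_string(
            pCertContext->cbCertEncoded,
            pCertContext->pbCertEncoded);
        v_result = caml_callback_exn(v_f, v_encoded_cert);
        if (Is_exception_result(v_result))
        {
            /* the OCaml callback raised: release native resources before propagating */
            CertFreeCertificateContext(pCertContext);
            CertCloseStore(hCertStore, 0);
            caml_raise(Extract_exception(v_result));
        }
    }
    /* … unchanged: CertCloseStore check and CAMLreturn … */
```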
0 (library
1 (name ca_certs)
2 (public_name ca-certs)
3 (libraries mirage-crypto x509 astring bos fpath logs ptime.clock.os)
4 (foreign_stubs
5 (language c)
6 (names ca_certs_stubs))
7 (c_library_flags
8 (:include flags.sexp)))
9
10 (rule
11 (target flags.sexp)
12 (enabled_if
13 (= %{os_type} Win32))
14 (action
15 (with-stdout-to
16 %{target}
17 (echo "(:standard -lcrypt32)"))))
18
19 (rule
20 (target flags.sexp)
21 (enabled_if
22 (<> %{os_type} Win32))
23 (action
24 (with-stdout-to
25 %{target}
26 (echo :standard))))
0 (test
1 (name tests)
2 (libraries ca-certs fmt alcotest))
0 (* How to add a new test?
1 Execute for a host of interest h:
2 "echo foo | openssl s_client -connect h:443 -showcerts -no_ticket > out.txt"
3 let h_data = {|M-x insert-file out.txt|}
4 Add <h, h_data> either to ok_tests or to err_tests (the expected error is required)
5
6 Please note:
7 - now is set to a static date (below, can be set to other dates in individual tests)
8 - there's no revocation checks
9 *)
10 let now =
11 match Ptime.of_date_time ((2020, 10, 11), ((16, 00, 00), 00)) with
12 | None -> assert false
13 | Some t -> t
14
15 let err =
16 let module M = struct
17 type t = X509.Validation.validation_error
18
19 let pp = X509.Validation.pp_validation_error
20
21 let equal a b = compare a b = 0 (* TODO relies on polymorphic equality *)
22 end in
23 (module M : Alcotest.TESTABLE with type t = M.t)
24
25 let ok =
26 let module M = struct
27 type t = (X509.Certificate.t list * X509.Certificate.t) option
28
29 let pp ppf = function
30 | None -> Fmt.string ppf "none"
31 | Some (chain, _) ->
32 Fmt.(list ~sep:(any ", ") X509.Certificate.pp) ppf chain
33
34 let equal a b =
35 match (a, b) with
36 | None, None -> true
37 | Some (a, _), Some (b, _) ->
38 compare a b = 0 (* TODO relies on polymorphic equality *)
39 | _ -> false
40 end in
41 (module M : Alcotest.TESTABLE with type t = M.t)
42
43 let r = Alcotest.result ok err
44
45 let test_one ?time anchors result host chain () =
46 let time () = match time with None -> Some now | Some t -> Some t
47 and name = Domain_name.to_string host
48 and host = Some host in
49 Alcotest.check r ("test one " ^ name) result
50 (X509.Validation.verify_chain_of_trust ~host ~time ~anchors chain)
51
52 let google =
53 {|
54 CONNECTED(00000003)
55 ---
56 Certificate chain
57 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
58 i:C = US, O = Google Trust Services, CN = GTS CA 1O1
59 -----BEGIN CERTIFICATE-----
60 MIIJcTCCCFmgAwIBAgIRAOzqbxiPVrFyAgAAAAB8NQswDQYJKoZIhvcNAQELBQAw
61 QjELMAkGA1UEBhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczET
62 MBEGA1UEAxMKR1RTIENBIDFPMTAeFw0yMDA5MjIxNTIyMTlaFw0yMDEyMTUxNTIy
63 MTlaMGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH
64 Ew1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgTExDMRUwEwYDVQQDDAwq
65 Lmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARomdmWq6BlO0yH
66 z9Xb08PTWbhcMw4YF14cQRiDKnigLYp3bGxUCDtu5dAdccM0mqQdzK0cMnYMXqEC
67 2T3Hw647o4IHBzCCBwMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUF
68 BwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFEN+puKWN1FY2tdecjOJANtw/Sak
69 MB8GA1UdIwQYMBaAFJjR+G4Q68+b7GCfGJAboOt9Cf0rMGgGCCsGAQUFBwEBBFww
70 WjArBggrBgEFBQcwAYYfaHR0cDovL29jc3AucGtpLmdvb2cvZ3RzMW8xY29yZTAr
71 BggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nL2dzcjIvR1RTMU8xLmNydDCCBMIG
72 A1UdEQSCBLkwggS1ggwqLmdvb2dsZS5jb22CDSouYW5kcm9pZC5jb22CFiouYXBw
73 ZW5naW5lLmdvb2dsZS5jb22CCSouYmRuLmRldoISKi5jbG91ZC5nb29nbGUuY29t
74 ghgqLmNyb3dkc291cmNlLmdvb2dsZS5jb22CGCouZGF0YWNvbXB1dGUuZ29vZ2xl
75 LmNvbYIGKi5nLmNvgg4qLmdjcC5ndnQyLmNvbYIRKi5nY3BjZG4uZ3Z0MS5jb22C
76 CiouZ2dwaHQuY26CDiouZ2tlY25hcHBzLmNughYqLmdvb2dsZS1hbmFseXRpY3Mu
77 Y29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUuY2yCDiouZ29vZ2xlLmNvLmlugg4q
78 Lmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28udWuCDyouZ29vZ2xlLmNvbS5hcoIP
79 Ki5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5jb20uYnKCDyouZ29vZ2xlLmNvbS5j
80 b4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2dsZS5jb20udHKCDyouZ29vZ2xlLmNv
81 bS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xlLmVzggsqLmdvb2dsZS5mcoILKi5n
82 b29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdvb2dsZS5ubIILKi5nb29nbGUucGyC
83 CyouZ29vZ2xlLnB0ghIqLmdvb2dsZWFkYXBpcy5jb22CDyouZ29vZ2xlYXBpcy5j
84 boIRKi5nb29nbGVjbmFwcHMuY26CFCouZ29vZ2xlY29tbWVyY2UuY29tghEqLmdv
85 b2dsZXZpZGVvLmNvbYIMKi5nc3RhdGljLmNugg0qLmdzdGF0aWMuY29tghIqLmdz
86 dGF0aWNjbmFwcHMuY26CCiouZ3Z0MS5jb22CCiouZ3Z0Mi5jb22CFCoubWV0cmlj
87 LmdzdGF0aWMuY29tggwqLnVyY2hpbi5jb22CECoudXJsLmdvb2dsZS5jb22CEyou
88 d2Vhci5na2VjbmFwcHMuY26CFioueW91dHViZS1ub2Nvb2tpZS5jb22CDSoueW91
89 dHViZS5jb22CFioueW91dHViZWVkdWNhdGlvbi5jb22CESoueW91dHViZWtpZHMu
90 Y29tggcqLnl0LmJlggsqLnl0aW1nLmNvbYIaYW5kcm9pZC5jbGllbnRzLmdvb2ds
91 ZS5jb22CC2FuZHJvaWQuY29tghtkZXZlbG9wZXIuYW5kcm9pZC5nb29nbGUuY26C
92 HGRldmVsb3BlcnMuYW5kcm9pZC5nb29nbGUuY26CBGcuY2+CCGdncGh0LmNuggxn
93 a2VjbmFwcHMuY26CBmdvby5nbIIUZ29vZ2xlLWFuYWx5dGljcy5jb22CCmdvb2ds
94 ZS5jb22CD2dvb2dsZWNuYXBwcy5jboISZ29vZ2xlY29tbWVyY2UuY29tghhzb3Vy
95 Y2UuYW5kcm9pZC5nb29nbGUuY26CCnVyY2hpbi5jb22CCnd3dy5nb28uZ2yCCHlv
96 dXR1LmJlggt5b3V0dWJlLmNvbYIUeW91dHViZWVkdWNhdGlvbi5jb22CD3lvdXR1
97 YmVraWRzLmNvbYIFeXQuYmUwIQYDVR0gBBowGDAIBgZngQwBAgIwDAYKKwYBBAHW
98 eQIFAzAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLnBraS5nb29nL0dUUzFP
99 MWNvcmUuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAB7dcG+V9aP/xsMYd
100 IxXHuuZXfFeUt2ruvGE6GmnTohwAAAF0tp+GwAAABAMARjBEAiBis68209UqRM3U
101 pdK8YoCfL8BrZY6+i6ORfGmo7neXTQIgSrcPvX7ZqP3uvT5yoJYFjbpZBwY9cwAV
102 W4n9855SnlcAdwDnEvKwN34aYvuOyQxhhPHqezfLVh0RJlvz4PNL8kFUbgAAAXS2
103 n4TVAAAEAwBIMEYCIQCRyG5B5Www1ro7CxWNLULQ96BNxtNTCko0bNCD5MejPQIh
104 AMNe5UO1cbG7u6oaO7/yRUt2O1OSewKoMddtPB1OUBh+MA0GCSqGSIb3DQEBCwUA
105 A4IBAQAN61JzpCZJVRZrpVJIRy6Hn65b0ZDBXTh3x6OpD3X2Y0Q6FRqaQuPUA7xg
106 DUvVnUUpMGsM2ylzUrtvJhSOCb32FU3g9FwVzTif/PRA5qniYRhysR2aa+NxHg5c
107 rua60gExT/oSHeGKpJUXTCTPypF4wJ1YvKOd7pRfNqlGR4Gfb6BVy/YCA3CW/bk0
108 yQ0k99iL/ancn2qGBn4++Z2XWGZHgo5FTvCtFl6ZrK01T+UeqhLp8kQOvyN58WiM
109 S+c/7a4M2GyzJe+niWodeKFY91N0SpBViX8cl0YmIm6CNmJdRt5AA+C/FmLgxh7F
110 wBPEtuosuW+JHwshTHwwylI7tT1x
111 -----END CERTIFICATE-----
112 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
113 i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
114 -----BEGIN CERTIFICATE-----
115 MIIESjCCAzKgAwIBAgINAeO0mqGNiqmBJWlQuDANBgkqhkiG9w0BAQsFADBMMSAw
116 HgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEGA1UEChMKR2xvYmFs
117 U2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjAeFw0xNzA2MTUwMDAwNDJaFw0yMTEy
118 MTUwMDAwNDJaMEIxCzAJBgNVBAYTAlVTMR4wHAYDVQQKExVHb29nbGUgVHJ1c3Qg
119 U2VydmljZXMxEzARBgNVBAMTCkdUUyBDQSAxTzEwggEiMA0GCSqGSIb3DQEBAQUA
120 A4IBDwAwggEKAoIBAQDQGM9F1IvN05zkQO9+tN1pIRvJzzyOTHW5DzEZhD2ePCnv
121 UA0Qk28FgICfKqC9EksC4T2fWBYk/jCfC3R3VZMdS/dN4ZKCEPZRrAzDsiKUDzRr
122 mBBJ5wudgzndIMYcLe/RGGFl5yODIKgjEv/SJH/UL+dEaltN11BmsK+eQmMF++Ac
123 xGNhr59qM/9il71I2dN8FGfcddwuaej4bXhp0LcQBbjxMcI7JP0aM3T4I+DsaxmK
124 FsbjzaTNC9uzpFlgOIg7rR25xoynUxv8vNmkq7zdPGHXkxWY7oG9j+JkRyBABk7X
125 rJfoucBZEqFJJSPk7XA0LKW0Y3z5oz2D0c1tJKwHAgMBAAGjggEzMIIBLzAOBgNV
126 HQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMBIGA1Ud
127 EwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFJjR+G4Q68+b7GCfGJAboOt9Cf0rMB8G
128 A1UdIwQYMBaAFJviB1dnHB7AagbeWbSaLd/cGYYuMDUGCCsGAQUFBwEBBCkwJzAl
129 BggrBgEFBQcwAYYZaHR0cDovL29jc3AucGtpLmdvb2cvZ3NyMjAyBgNVHR8EKzAp
130 MCegJaAjhiFodHRwOi8vY3JsLnBraS5nb29nL2dzcjIvZ3NyMi5jcmwwPwYDVR0g
131 BDgwNjA0BgZngQwBAgIwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9wa2kuZ29vZy9y
132 ZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAGoA+Nnn78y6pRjd9XlQWNa7H
133 TgiZ/r3RNGkmUmYHPQq6Scti9PEajvwRT2iWTHQr02fesqOqBY2ETUwgZQ+lltoN
134 FvhsO9tvBCOIazpswWC9aJ9xju4tWDQH8NVU6YZZ/XteDSGU9YzJqPjY8q3MDxrz
135 mqepBCf5o8mw/wJ4a2G6xzUr6Fb6T8McDO22PLRL6u3M4Tzs3A2M1j6bykJYi8wW
136 IRdAvKLWZu/axBVbzYmqmwkm5zLSDW5nIAJbELCQCZwMH56t2Dvqofxs6BBcCFIZ
137 USpxu6x6td0V7SvJCCosirSmIatj/9dSSVDQibet8q/7UK4v4ZUN80atnZz1yg==
138 -----END CERTIFICATE-----
139 ---
140 Server certificate
141 subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = *.google.com
142
143 issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1
144
145 ---
146 No client certificate CA names sent
147 Peer signing digest: SHA256
148 Peer signature type: ECDSA
149 Server Temp Key: X25519, 253 bits
150 ---
151 SSL handshake has read 3832 bytes and written 390 bytes
152 Verification: OK
153 ---
154 New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
155 Server public key is 256 bit
156 Secure Renegotiation IS NOT supported
157 Compression: NONE
158 Expansion: NONE
159 No ALPN negotiated
160 Early data was not sent
161 Verify return code: 0 (ok)
162 ---
163 |}
164
165 let extended_validation_badssl =
166 {|
167 CONNECTED(00000003)
168 ---
169 Certificate chain
170 0 s:businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = California, serialNumber = C2543436, C = US, ST = California, L = Mountain View, O = Mozilla Foundation, CN = extended-validation.badssl.com
171 i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
172 -----BEGIN CERTIFICATE-----
173 MIIHZDCCBkygAwIBAgIQDtsxL6s4mGkViYnesbc/1zANBgkqhkiG9w0BAQsFADB1
174 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
175 d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
176 IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTIwMDYyMzAwMDAwMFoXDTIyMDgxMDEy
177 MDAwMFowgeQxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
178 BAGCNzwCAQMTAlVTMRswGQYLKwYBBAGCNzwCAQITCkNhbGlmb3JuaWExETAPBgNV
179 BAUTCEMyNTQzNDM2MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEW
180 MBQGA1UEBxMNTW91bnRhaW4gVmlldzEbMBkGA1UEChMSTW96aWxsYSBGb3VuZGF0
181 aW9uMScwJQYDVQQDEx5leHRlbmRlZC12YWxpZGF0aW9uLmJhZHNzbC5jb20wggEi
182 MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCBOz4jO4EwrPYUNVwWMyTGOtc
183 qGhJsCK1+ZWesSssdj5swEtgTEzqsrTAD4C2sPlyyYYC+VxBXRMrf3HES7zplC5Q
184 N6ZnHGGM9kFCxUbTFocnn3TrCp0RUiYhc2yETHlV5NFr6AY9SBVSrbMo26r/bv9g
185 lUp3aznxJNExtt1NwMT8U7ltQq21fP6u9RXSM0jnInHHwhR6bCjqN0rf6my1crR+
186 WqIW3GmxV0TbChKr3sMPR3RcQSLhmvkbk+atIgYpLrG6SRwMJ56j+4v3QHIArJII
187 2YxXhFOBBcvm/mtUmEAnhccQu3Nw72kYQQdFVXz5ZD89LMOpfOuTGkyG0cqFAgMB
188 AAGjggN+MIIDejAfBgNVHSMEGDAWgBQ901Cl1qCt7vNKYApl0yHU+PjWDzAdBgNV
189 HQ4EFgQUne7Be4ELOkdpcRh9ETeTvKUbP/swKQYDVR0RBCIwIIIeZXh0ZW5kZWQt
190 dmFsaWRhdGlvbi5iYWRzc2wuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAU
191 BggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0cDovL2Ny
192 bDMuZGlnaWNlcnQuY29tL3NoYTItZXYtc2VydmVyLWcyLmNybDA0oDKgMIYuaHR0
193 cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItZXYtc2VydmVyLWcyLmNybDBLBgNV
194 HSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5k
195 aWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMIGIBggrBgEFBQcBAQR8MHowJAYIKwYB
196 BQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBSBggrBgEFBQcwAoZGaHR0
197 cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkV4dGVuZGVkVmFs
198 aWRhdGlvblNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMIIBfwYKKwYBBAHWeQIE
199 AgSCAW8EggFrAWkAdgApeb7wnjk5IfBWc59jpXflvld9nGAK+PlNXSZcJV3HhAAA
200 AXLhwe8uAAAEAwBHMEUCIQC5/b5wmGbMOkgH/GupRPFXZ29CaGG8JQMFkjzgBz8n
201 owIgZQwjhH6rH8lbUX9y3+DLPyUJMA6JXy+18kKQ90JzanIAdwAiRUUHWVUkVpY/
202 oS/x922G4CMmY63AS39dxoNcbuIPAgAAAXLhwe84AAAEAwBIMEYCIQCI7jirWHoe
203 G5VW0FDM7MkB2pkUyi2RzM9JDFZ5HXfGJwIhAMWSFJKM57x+bFVfOJkqz3V0vDI/
204 nywkI96DpHE7tIDdAHYAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvYA
205 AAFy4cHu+gAABAMARzBFAiASe/ZlNY2nqmcLX6hnjXu7exSER/BmhAVKHexAeGwU
206 dgIhAJunm2S4Hyz/ofuz4Cs98PknztPlRY3gSxO+ay8lr7XkMA0GCSqGSIb3DQEB
207 CwUAA4IBAQB0ZpWayltbvblCxkb/KI/UptbKSPex2C8HosV0cXZLdzkAa9UA9Vdg
208 IYNfkqVUpZH6Z3b7jtyZIUE7Thtcmglmm/OcPeLYOmO6L27T3igni2+b5mlj7L00
209 PjWsRforHnD7B+q8KnIpdLs4pJc/0hHK2yn11utAOgn+jnBXs3xoRxKYC+nXWM3C
210 Syhq4B+z/4clh3Mq+Jgse9h50uRf9bmn+n/TxCcfeiDdgY5Z2KNy+nPrP78Jhpl9
211 f8N6Kv+K8Mm398q8iHyM14V6o0VdrQUTr8ZmEa/KmRAL+eMRzbEZg+YlIyn9qQAy
212 A5GhqEwE29Z5Knslx7CvNEO9xV3CByfS
213 -----END CERTIFICATE-----
214 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
215 i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
216 -----BEGIN CERTIFICATE-----
217 MIIEtjCCA56gAwIBAgIQDHmpRLCMEZUgkmFf4msdgzANBgkqhkiG9w0BAQsFADBs
218 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
219 d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
220 ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowdTEL
221 MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
222 LmRpZ2ljZXJ0LmNvbTE0MDIGA1UEAxMrRGlnaUNlcnQgU0hBMiBFeHRlbmRlZCBW
223 YWxpZGF0aW9uIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
224 ggEBANdTpARR+JmmFkhLZyeqk0nQOe0MsLAAh/FnKIaFjI5j2ryxQDji0/XspQUY
225 uD0+xZkXMuwYjPrxDKZkIYXLBxA0sFKIKx9om9KxjxKws9LniB8f7zh3VFNfgHk/
226 LhqqqB5LKw2rt2O5Nbd9FLxZS99RStKh4gzikIKHaq7q12TWmFXo/a8aUGxUvBHy
227 /Urynbt/DvTVvo4WiRJV2MBxNO723C3sxIclho3YIeSwTQyJ3DkmF93215SF2AQh
228 cJ1vb/9cuhnhRctWVyh+HA1BV6q3uCe7seT6Ku8hI3UarS2bhjWMnHe1c63YlC3k
229 8wyd7sFOYn4XwHGeLN7x+RAoGTMCAwEAAaOCAUkwggFFMBIGA1UdEwEB/wQIMAYB
230 Af8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
231 BQcDAjA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
232 Z2ljZXJ0LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsNC5kaWdpY2Vy
233 dC5jb20vRGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2
234 MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5j
235 b20vQ1BTMB0GA1UdDgQWBBQ901Cl1qCt7vNKYApl0yHU+PjWDzAfBgNVHSMEGDAW
236 gBSxPsNpA/i/RwHUmCYaCALvY2QrwzANBgkqhkiG9w0BAQsFAAOCAQEAnbbQkIbh
237 hgLtxaDwNBx0wY12zIYKqPBKikLWP8ipTa18CK3mtlC4ohpNiAexKSHc59rGPCHg
238 4xFJcKx6HQGkyhE6V6t9VypAdP3THYUYUN9XR3WhfVUgLkc3UHKMf4Ib0mKPLQNa
239 2sPIoc4sUqIAY+tzunHISScjl2SFnjgOrWNoPLpSgVh5oywM395t6zHyuqB8bPEs
240 1OG9d4Q3A84ytciagRpKkk47RpqF/oOi+Z6Mo8wNXrM9zwR4jxQUezKcxwCmXMS1
241 oVWNWlZopCJwqjyBcdmdqEU79OX2olHdx3ti6G8MdOu42vi/hw15UJGQmxg7kVkn
242 8TUoE6smftX3eg==
243 -----END CERTIFICATE-----
244 ---
245 Server certificate
246 subject=businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = California, serialNumber = C2543436, C = US, ST = California, L = Mountain View, O = Mozilla Foundation, CN = extended-validation.badssl.com
247
248 issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
249
250 ---
251 No client certificate CA names sent
252 Peer signing digest: SHA512
253 Peer signature type: RSA
254 Server Temp Key: ECDH, P-256, 256 bits
255 ---
256 SSL handshake has read 3620 bytes and written 456 bytes
257 Verification: OK
258 ---
259 New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
260 Server public key is 2048 bit
261 Secure Renegotiation IS supported
262 Compression: NONE
263 Expansion: NONE
264 No ALPN negotiated
265 SSL-Session:
266 Protocol : TLSv1.2
267 Cipher : ECDHE-RSA-AES128-GCM-SHA256
268 Session-ID: 23F7C5ED976C5282E0560451480503D57BDA046969A848546C71191842D7613E
269 Session-ID-ctx:
270 Master-Key: BEF4C35CC73EB08048FCAFA254DECE26E7A8A6841EC829D1B7F20E011F757E234E188B8B8C4948BF6762658D46E7C5D3
271 PSK identity: None
272 PSK identity hint: None
273 SRP username: None
274 Start Time: 1602435414
275 Timeout : 7200 (sec)
276 Verify return code: 0 (ok)
277 Extended master secret: no
278 ---
279 |}
280
281 let ok_tests =
282 [
283 ("google.com", google);
284 ("extended-validation.badssl.com", extended_validation_badssl);
285 ]
286
287 let self_signed_badssl =
288 {|
289 CONNECTED(00000003)
290 ---
291 Certificate chain
292 0 s:C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com
293 i:C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com
294 -----BEGIN CERTIFICATE-----
295 MIIDeTCCAmGgAwIBAgIJAPziuikCTox4MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
296 BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
297 c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x
298 OTEwMDkyMzQxNTJaFw0yMTEwMDgyMzQxNTJaMGIxCzAJBgNVBAYTAlVTMRMwEQYD
299 VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK
300 DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
301 BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2
302 PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW
303 hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A
304 xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve
305 ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY
306 QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T
307 BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI
308 hvcNAQELBQADggEBAGlwCdbPxflZfYOaukZGCaxYK6gpincX4Lla4Ui2WdeQxE95
309 w7fChXvP3YkE3UYUE7mupZ0eg4ZILr/A0e7JQDsgIu/SRTUE0domCKgPZ8v99k3A
310 vka4LpLK51jHJJK7EFgo3ca2nldd97GM0MU41xHFk8qaK1tWJkfrrfcGwDJ4GQPI
311 iLlm6i0yHq1Qg1RypAXJy5dTlRXlCLd8ufWhhiwW0W75Va5AEnJuqpQrKwl3KQVe
312 wGj67WWRgLfSr+4QG1mNvCZb2CkjZWmxkGPuoP40/y7Yu5OFqxP5tAjj4YixCYTW
313 EVA0pmzIzgBg+JIe3PdRy27T0asgQW/F4TY61Yk=
314 -----END CERTIFICATE-----
315 ---
316 Server certificate
317 subject=C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com
318
319 issuer=C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com
320
321 ---
322 No client certificate CA names sent
323 Peer signing digest: SHA512
324 Peer signature type: RSA
325 Server Temp Key: ECDH, P-256, 256 bits
326 ---
327 SSL handshake has read 1404 bytes and written 448 bytes
328 Verification error: self signed certificate
329 ---
330 New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
331 Server public key is 2048 bit
332 Secure Renegotiation IS supported
333 Compression: NONE
334 Expansion: NONE
335 No ALPN negotiated
336 SSL-Session:
337 Protocol : TLSv1.2
338 Cipher : ECDHE-RSA-AES128-GCM-SHA256
339 Session-ID: F6A1E369801FDF644904D6E4C4E1E29E9448CD8E0FDE574B9F42B9B026FA25BF
340 Session-ID-ctx:
341 Master-Key: 90E3C3917FFE81FD81E05C0E2398499C1AC58C81F8D6B35AD7A3F2450F8B89BFF62710A3AC9AFD1378FADD8AD8EB79E0
342 PSK identity: None
343 PSK identity hint: None
344 SRP username: None
345 Start Time: 1602434632
346 Timeout : 7200 (sec)
347 Verify return code: 18 (self signed certificate)
348 Extended master secret: no
349 ---
350 |}
351
352 let expired_badssl =
353 {|
354 CONNECTED(00000003)
355 ---
356 Certificate chain
357 0 s:OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.badssl.com
358 i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
359 -----BEGIN CERTIFICATE-----
360 MIIFSzCCBDOgAwIBAgIQSueVSfqavj8QDxekeOFpCTANBgkqhkiG9w0BAQsFADCB
361 kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
362 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
363 BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
364 QTAeFw0xNTA0MDkwMDAwMDBaFw0xNTA0MTIyMzU5NTlaMFkxITAfBgNVBAsTGERv
365 bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2ls
366 ZGNhcmQxFTATBgNVBAMUDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
367 ggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2PmzA
368 S2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMWhyef
369 dOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3AxPxT
370 uW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqveww9H
371 dFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SYQCeF
372 xxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaOCAdUwggHRMB8GA1Ud
373 IwQYMBaAFJCvajqUWgvYkOoSVnPfQ7Q6KNrnMB0GA1UdDgQWBBSd7sF7gQs6R2lx
374 GH0RN5O8pRs/+zAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUE
375 FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgwRjA6BgsrBgEEAbIxAQIC
376 BzArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAI
377 BgZngQwBAgEwVAYDVR0fBE0wSzBJoEegRYZDaHR0cDovL2NybC5jb21vZG9jYS5j
378 b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCB
379 hQYIKwYBBQUHAQEEeTB3ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LmNvbW9kb2Nh
380 LmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0
381 MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wIwYDVR0RBBww
382 GoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQBq
383 evHa/wMHcnjFZqFPRkMOXxQhjHUa6zbgH6QQFezaMyV8O7UKxwE4PSf9WNnM6i1p
384 OXy+l+8L1gtY54x/v7NMHfO3kICmNnwUW+wHLQI+G1tjWxWrAPofOxkt3+IjEBEH
385 fnJ/4r+3ABuYLyw/zoWaJ4wQIghBK4o+gk783SHGVnRwpDTysUCeK1iiWQ8dSO/r
386 ET7BSp68ZVVtxqPv1dSWzfGuJ/ekVxQ8lEEFeouhN0fX9X3c+s5vMaKwjOrMEpsi
387 8TRwz311SotoKQwe6Zaoz7ASH1wq7mcvf71z81oBIgxw+s1F73hczg36TuHvzmWf
388 RwxPuzZEaFZcVlmtqoq8
389 -----END CERTIFICATE-----
390 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
391 i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
392 -----BEGIN CERTIFICATE-----
393 MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
394 hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
395 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
396 BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
397 MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
398 EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
399 Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
400 bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
401 ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
402 bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
403 Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
404 ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
405 UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
406 c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
407 MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
408 30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
409 HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
410 BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
411 bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
412 AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
413 T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
414 ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
415 mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
416 e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
417 P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
418 dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
419 2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
420 V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
421 HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
422 j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
423 0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
424 lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
425 +AZxAeKCINT+b72x
426 -----END CERTIFICATE-----
427 2 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
428 i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
429 -----BEGIN CERTIFICATE-----
430 MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
431 MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
432 ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
433 eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
434 gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
435 BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD
436 VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq
437 hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw
438 AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6
439 2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr
440 ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt
441 4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq
442 m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/
443 vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT
444 8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE
445 IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO
446 KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO
447 GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/
448 s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g
449 JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD
450 AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9
451 MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy
452 bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6
453 Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ
454 zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj
455 Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY
456 Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5
457 B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx
458 PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR
459 pu/xO28QOG8=
460 -----END CERTIFICATE-----
461 ---
462 Server certificate
463 subject=OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.badssl.com
464
465 issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
466
467 ---
468 No client certificate CA names sent
469 Peer signing digest: SHA512
470 Peer signature type: RSA
471 Server Temp Key: ECDH, P-256, 256 bits
472 ---
473 SSL handshake has read 4824 bytes and written 444 bytes
474 Verification error: certificate has expired
475 ---
476 New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
477 Server public key is 2048 bit
478 Secure Renegotiation IS supported
479 Compression: NONE
480 Expansion: NONE
481 No ALPN negotiated
482 SSL-Session:
483 Protocol : TLSv1.2
484 Cipher : ECDHE-RSA-AES128-GCM-SHA256
485 Session-ID: 0E3D5C358767788B8935538CE2B86C4E7D0B932FC3A91153B45A698FF43E6313
486 Session-ID-ctx:
487 Master-Key: B2B26F72CE2275A7BBF8D2EF170088E7FC98E83619009725FA07E5A3CD8B2E2B7AB36AD7DE63B2B31F649B7771E553EE
488 PSK identity: None
489 PSK identity hint: None
490 SRP username: None
491 Start Time: 1602434992
492 Timeout : 7200 (sec)
493 Verify return code: 10 (certificate has expired)
494 Extended master secret: no
495 ---
496 |}
497
498 let untrusted_root_badssl =
499 {|
500 CONNECTED(00000003)
501 ---
502 Certificate chain
503 0 s:C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com
504 i:C = US, ST = California, L = San Francisco, O = BadSSL, CN = BadSSL Untrusted Root Certificate Authority
505 -----BEGIN CERTIFICATE-----
506 MIIEmTCCAoGgAwIBAgIJAOywCwT04S08MA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
507 VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
508 aXNjbzEPMA0GA1UECgwGQmFkU1NMMTQwMgYDVQQDDCtCYWRTU0wgVW50cnVzdGVk
509 IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE5MTAwOTIzMDg1MFoXDTIx
510 MTAwODIzMDg1MFowYjELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx
511 FjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkJhZFNTTDEVMBMGA1UE
512 AwwMKi5iYWRzc2wuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
513 wgTs+IzuBMKz2FDVcFjMkxjrXKhoSbAitfmVnrErLHY+bMBLYExM6rK0wA+AtrD5
514 csmGAvlcQV0TK39xxEu86ZQuUDemZxxhjPZBQsVG0xaHJ5906wqdEVImIXNshEx5
515 VeTRa+gGPUgVUq2zKNuq/27/YJVKd2s58STRMbbdTcDE/FO5bUKttXz+rvUV0jNI
516 5yJxx8IUemwo6jdK3+pstXK0flqiFtxpsVdE2woSq97DD0d0XEEi4Zr5G5PmrSIG
517 KS6xukkcDCeeo/uL90ByAKySCNmMV4RTgQXL5v5rVJhAJ4XHELtzcO9pGEEHRVV8
518 +WQ/PSzDqXzrkxpMhtHKhQIDAQABozIwMDAJBgNVHRMEAjAAMCMGA1UdEQQcMBqC
519 DCouYmFkc3NsLmNvbYIKYmFkc3NsLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAhU5h
520 jESEo1M5HCTHYlC1EkoxRG+bBLaYtiDsJl3HwlhtYx+r03UvWrwJ7QXhjda1G9fC
521 313JBLtrainBgjgJXPDHW5fmYaTmNExo7i3d+OunalwS97RQKsFtY/c+CJhYgv25
522 8/TOkKhg7uvV/31Uac0cIW9qH7lulE0cBymtbmWvR7sBRjD+P1hU58AULAGyMhBw
523 ijGBGTqHP2tRb6oMLF+iC0Ej2Eho2qloKdoYaNFivBYPMrWBk8YBGKdKOYv12Kpy
524 AmWhkR+x4UYPIGzPXUcFz2685E0bxoVJq0+TTXaiyjPeQ9fSgsXxeGx37g9lQ4iA
525 uZb1qs/MiaVz1dQ7bXGtTQbpSkLjJtRF8Toh0/oJPeM9GGoMPswqcGDTE/wqhD2j
526 tSl5//9kgviVVCKLNbARDJ0ikpnkhB/2K37pz9of+ltYCVHc58cCFfgmCwZfl1nJ
527 Zyd36FfAlATZAG2V+5JE/oir6ggPN/f1Zs21wSTejpunkDaNqWZutYalmpg1hsq8
528 76RNkfxtkONIubPUI90ymmJ7h6l8YPmuV+J/CE7LzDVAU51+uvFjtPNvEmJPRfug
529 rXmQ974mtlnvQfhb+Z3WmERgczbQCSN6C/j6+U86KrUqYcALf5rkX9cVJ1qMp0XS
530 6/5tfSQQuvJ7vzHVdo0OWQ7IOaSnVVV/cXQjkB4=
531 -----END CERTIFICATE-----
532 1 s:C = US, ST = California, L = San Francisco, O = BadSSL, CN = BadSSL Untrusted Root Certificate Authority
533 i:C = US, ST = California, L = San Francisco, O = BadSSL, CN = BadSSL Untrusted Root Certificate Authority
534 -----BEGIN CERTIFICATE-----
535 MIIGfjCCBGagAwIBAgIJAJeg/PrX5Sj9MA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD
536 VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5j
537 aXNjbzEPMA0GA1UECgwGQmFkU1NMMTQwMgYDVQQDDCtCYWRTU0wgVW50cnVzdGVk
538 IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDcwNzA2MzEzNVoXDTM2
539 MDcwMjA2MzEzNVowgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
540 MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQKDAZCYWRTU0wxNDAyBgNV
541 BAMMK0JhZFNTTCBVbnRydXN0ZWQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkw
542 ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKQtPMhEH073gis/HISWAi
543 bOEpCtOsatA3JmeVbaWal8O/5ZO5GAn9dFVsGn0CXAHR6eUKYDAFJLa/3AhjBvWa
544 tnQLoXaYlCvBjodjLEaFi8ckcJHrAYG9qZqioRQ16Yr8wUTkbgZf+er/Z55zi1yn
545 CnhWth7kekvrwVDGP1rApeLqbhYCSLeZf5W/zsjLlvJni9OrU7U3a9msvz8mcCOX
546 fJX9e3VbkD/uonIbK2SvmAGMaOj/1k0dASkZtMws0Bk7m1pTQL+qXDM/h3BQZJa5
547 DwTcATaa/Qnk6YHbj/MaS5nzCSmR0Xmvs/3CulQYiZJ3kypns1KdqlGuwkfiCCgD
548 yWJy7NE9qdj6xxLdqzne2DCyuPrjFPS0mmYimpykgbPnirEPBF1LW3GJc9yfhVXE
549 Cc8OY8lWzxazDNNbeSRDpAGbBeGSQXGjAbliFJxwLyGzZ+cG+G8lc+zSvWjQu4Xp
550 GJ+dOREhQhl+9U8oyPX34gfKo63muSgo539hGylqgQyzj+SX8OgK1FXXb2LS1gxt
551 VIR5Qc4MmiEG2LKwPwfU8Yi+t5TYjGh8gaFv6NnksoX4hU42gP5KvjYggDpR+NSN
552 CGQSWHfZASAYDpxjrOo+rk4xnO+sbuuMk7gORsrl+jgRT8F2VqoR9Z3CEdQxcCjR
553 5FsfTymZCk3GfIbWKkaeLQIDAQABo4H2MIHzMB0GA1UdDgQWBBRvx4NzSbWnY/91
554 3m1u/u37l6MsADCBtgYDVR0jBIGuMIGrgBRvx4NzSbWnY/913m1u/u37l6MsAKGB
555 h6SBhDCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNV
556 BAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoMBkJhZFNTTDE0MDIGA1UEAwwrQmFk
557 U1NMIFVudHJ1c3RlZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eYIJAJeg/PrX
558 5Sj9MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IC
559 AQBQU9U8+jTRT6H9AIFm6y50tXTg/ySxRNmeP1Ey9Zf4jUE6yr3Q8xBv9gTFLiY1
560 qW2qfkDSmXVdBkl/OU3+xb5QOG5hW7wVolWQyKREV5EvUZXZxoH7LVEMdkCsRJDK
561 wYEKnEErFls5WPXY3bOglBOQqAIiuLQ0f77a2HXULDdQTn5SueW/vrA4RJEKuWxU
562 iD9XPnVZ9tPtky2Du7wcL9qhgTddpS/NgAuLO4PXh2TQ0EMCll5reZ5AEr0NSLDF
563 c/koDv/EZqB7VYhcPzr1bhQgbv1dl9NZU0dWKIMkRE/T7vZ97I3aPZqIapC2ulrf
564 KrlqjXidwrGFg8xbiGYQHPx3tHPZxoM5WG2voI6G3s1/iD+B4V6lUEvivd3f6tq7
565 d1V/3q1sL5DNv7TvaKGsq8g5un0TAkqaewJQ5fXLigF/yYu5a24/GUD783MdAPFv
566 gWz8F81evOyRfpf9CAqIswMF+T6Dwv3aw5L9hSniMrblkg+ai0K22JfoBcGOzMtB
567 Ke/Ps2Za56dTRoY/a4r62hrcGxufXd0mTdPaJLw3sJeHYjLxVAYWQq4QKJQWDgTS
568 dAEWyN2WXaBFPx5c8KIW95Eu8ShWE00VVC3oA4emoZ2nrzBXLrUScifY6VaYYkkR
569 2O2tSqU8Ri3XRdgpNPDWp8ZL49KhYGYo3R/k98gnMHiY5g==
570 -----END CERTIFICATE-----
571 ---
572 Server certificate
573 subject=C = US, ST = California, L = San Francisco, O = BadSSL, CN = *.badssl.com
574
575 issuer=C = US, ST = California, L = San Francisco, O = BadSSL, CN = BadSSL Untrusted Root Certificate Authority
576
577 ---
578 No client certificate CA names sent
579 Peer signing digest: SHA512
580 Peer signature type: RSA
581 Server Temp Key: ECDH, P-256, 256 bits
582 ---
583 SSL handshake has read 3361 bytes and written 451 bytes
584 Verification error: self signed certificate in certificate chain
585 ---
586 New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
587 Server public key is 2048 bit
588 Secure Renegotiation IS supported
589 Compression: NONE
590 Expansion: NONE
591 No ALPN negotiated
592 SSL-Session:
593 Protocol : TLSv1.2
594 Cipher : ECDHE-RSA-AES128-GCM-SHA256
595 Session-ID: 649A3C21016DC17582243CEA5FF0E4A66E44261F2193BE54C11FAB1EE0CCBB9B
596 Session-ID-ctx:
597 Master-Key: 4D6B719C876D3025D6C7BD3EA00D0EDE1D026C4A94713AAE19C170ABFF800FC0EE5FB6C4478BB5C9375A51E69D29BC45
598 PSK identity: None
599 PSK identity hint: None
600 SRP username: None
601 Start Time: 1602435337
602 Timeout : 7200 (sec)
603 Verify return code: 19 (self signed certificate in certificate chain)
604 Extended master secret: no
605 ---
606 |}
607
608 let wrong_host_badssl =
609 {|
610 CONNECTED(00000003)
611 ---
612 Certificate chain
613 0 s:C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
614 i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
615 -----BEGIN CERTIFICATE-----
616 MIIGqDCCBZCgAwIBAgIQCvBs2jemC2QTQvCh6x1Z/TANBgkqhkiG9w0BAQsFADBN
617 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
618 aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMzIzMDAwMDAwWhcN
619 MjIwNTE3MTIwMDAwWjBuMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
620 YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRwwGgYDVQQKExNMdWNhcyBHYXJyb24g
621 VG9ycmVzMRUwEwYDVQQDDAwqLmJhZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
622 A4IBDwAwggEKAoIBAQDCBOz4jO4EwrPYUNVwWMyTGOtcqGhJsCK1+ZWesSssdj5s
623 wEtgTEzqsrTAD4C2sPlyyYYC+VxBXRMrf3HES7zplC5QN6ZnHGGM9kFCxUbTFocn
624 n3TrCp0RUiYhc2yETHlV5NFr6AY9SBVSrbMo26r/bv9glUp3aznxJNExtt1NwMT8
625 U7ltQq21fP6u9RXSM0jnInHHwhR6bCjqN0rf6my1crR+WqIW3GmxV0TbChKr3sMP
626 R3RcQSLhmvkbk+atIgYpLrG6SRwMJ56j+4v3QHIArJII2YxXhFOBBcvm/mtUmEAn
627 hccQu3Nw72kYQQdFVXz5ZD89LMOpfOuTGkyG0cqFAgMBAAGjggNhMIIDXTAfBgNV
628 HSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUne7Be4ELOkdp
629 cRh9ETeTvKUbP/swIwYDVR0RBBwwGoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29t
630 MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
631 awYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Et
632 c2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2Nh
633 LXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUH
634 AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIDMHwGCCsG
635 AQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
636 MEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
637 cnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEE
638 AdZ5AgQCBIIBbgSCAWoBaAB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaO
639 HtGFAAABcQhGXioAAAQDAEcwRQIgDfWVBXEuUZC2YP4Si3AQDidHC4U9e5XTGyG7
640 SFNDlRkCIQCzikrA1nf7boAdhvaGu2Vkct3VaI+0y8p3gmonU5d9DwB2ACJFRQdZ
641 VSRWlj+hL/H3bYbgIyZjrcBLf13Gg1xu4g8CAAABcQhGXlsAAAQDAEcwRQIhAMWi
642 Vsi2vYdxRCRsu/DMmCyhY0iJPKHE2c6ejPycIbgqAiAs3kSSS0NiUFiHBw7QaQ/s
643 GO+/lNYvjExlzVUWJbgNLwB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7U
644 iwXlAAABcQhGXnoAAAQDAEcwRQIgKsntiBqt8Au8DAABFkxISELhP3U/wb5lb76p
645 vfenWL0CIQDr2kLhCWP/QUNxXqGmvr1GaG9EuokTOLEnGPhGv1cMkDANBgkqhkiG
646 9w0BAQsFAAOCAQEA0RGxlwy3Tl0lhrUAn2mIi8LcZ9nBUyfAcCXCtYyCdEbjIP64
647 xgX6pzTt0WJoxzlT+MiK6fc0hECZXqpkTNVTARYtGkJoljlTK2vAdHZ0SOpm9OT4
648 RLfjGnImY0hiFbZ/LtsvS2Zg7cVJecqnrZe/za/nbDdljnnrll7C8O5naQuKr4te
649 uice3e8a4TtviFwS/wdDnJ3RrE83b1IljILbU5SV0X1NajyYkUWS7AnOmrFUUByz
650 MwdGrM6kt0lfJy/gvGVsgIKZocHdedPeECqAtq7FAJYanOsjNN9RbBOGhbwq0/FP
651 CC01zojqS10nGowxzOiqyB4m6wytmzf0QwjpMw==
652 -----END CERTIFICATE-----
653 1 s:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
654 i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
655 -----BEGIN CERTIFICATE-----
656 MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
657 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
658 d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
659 QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
660 MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
661 U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
662 ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
663 nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
664 KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
665 /ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
666 kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
667 /RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
668 AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
669 aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
670 Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
671 oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
672 QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
673 d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
674 xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
675 CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
676 5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
677 8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
678 2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
679 c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
680 j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
681 -----END CERTIFICATE-----
682 ---
683 Server certificate
684 subject=C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
685
686 issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
687
688 ---
689 No client certificate CA names sent
690 Peer signing digest: SHA512
691 Peer signature type: RSA
692 Server Temp Key: ECDH, P-256, 256 bits
693 ---
694 SSL handshake has read 3398 bytes and written 447 bytes
695 Verification: OK
696 ---
697 New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
698 Server public key is 2048 bit
699 Secure Renegotiation IS supported
700 Compression: NONE
701 Expansion: NONE
702 No ALPN negotiated
703 SSL-Session:
704 Protocol : TLSv1.2
705 Cipher : ECDHE-RSA-AES128-GCM-SHA256
706 Session-ID: 3E96EF49E031153871907BFA4362E9AAD79785ED70996B1750AC7FB2004AA85D
707 Session-ID-ctx:
708 Master-Key: 67084AF570632BD11B554FF000D5F67A34923BF512D9AE20E57627C6C8FACF80FA6D74A9298BEE5C908F72666813F2CC
709 PSK identity: None
710 PSK identity hint: None
711 SRP username: None
712 Start Time: 1602435542
713 Timeout : 7200 (sec)
714 Verify return code: 0 (ok)
715 Extended master secret: no
716 ---
717 |}
718
719 let incomplete_chain_badssl =
720 {|
721 CONNECTED(00000003)
722 ---
723 Certificate chain
724 0 s:C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
725 i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
726 -----BEGIN CERTIFICATE-----
727 MIIGqDCCBZCgAwIBAgIQCvBs2jemC2QTQvCh6x1Z/TANBgkqhkiG9w0BAQsFADBN
728 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
729 aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMjAwMzIzMDAwMDAwWhcN
730 MjIwNTE3MTIwMDAwWjBuMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5p
731 YTEVMBMGA1UEBxMMV2FsbnV0IENyZWVrMRwwGgYDVQQKExNMdWNhcyBHYXJyb24g
732 VG9ycmVzMRUwEwYDVQQDDAwqLmJhZHNzbC5jb20wggEiMA0GCSqGSIb3DQEBAQUA
733 A4IBDwAwggEKAoIBAQDCBOz4jO4EwrPYUNVwWMyTGOtcqGhJsCK1+ZWesSssdj5s
734 wEtgTEzqsrTAD4C2sPlyyYYC+VxBXRMrf3HES7zplC5QN6ZnHGGM9kFCxUbTFocn
735 n3TrCp0RUiYhc2yETHlV5NFr6AY9SBVSrbMo26r/bv9glUp3aznxJNExtt1NwMT8
736 U7ltQq21fP6u9RXSM0jnInHHwhR6bCjqN0rf6my1crR+WqIW3GmxV0TbChKr3sMP
737 R3RcQSLhmvkbk+atIgYpLrG6SRwMJ56j+4v3QHIArJII2YxXhFOBBcvm/mtUmEAn
738 hccQu3Nw72kYQQdFVXz5ZD89LMOpfOuTGkyG0cqFAgMBAAGjggNhMIIDXTAfBgNV
739 HSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUne7Be4ELOkdp
740 cRh9ETeTvKUbP/swIwYDVR0RBBwwGoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29t
741 MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
742 awYDVR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Et
743 c2hhMi1nNi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2Nh
744 LXNoYTItZzYuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUH
745 AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIDMHwGCCsG
746 AQUFBwEBBHAwbjAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
747 MEYGCCsGAQUFBzAChjpodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
748 cnRTSEEyU2VjdXJlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF+BgorBgEE
749 AdZ5AgQCBIIBbgSCAWoBaAB2ALvZ37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaO
750 HtGFAAABcQhGXioAAAQDAEcwRQIgDfWVBXEuUZC2YP4Si3AQDidHC4U9e5XTGyG7
751 SFNDlRkCIQCzikrA1nf7boAdhvaGu2Vkct3VaI+0y8p3gmonU5d9DwB2ACJFRQdZ
752 VSRWlj+hL/H3bYbgIyZjrcBLf13Gg1xu4g8CAAABcQhGXlsAAAQDAEcwRQIhAMWi
753 Vsi2vYdxRCRsu/DMmCyhY0iJPKHE2c6ejPycIbgqAiAs3kSSS0NiUFiHBw7QaQ/s
754 GO+/lNYvjExlzVUWJbgNLwB2AFGjsPX9AXmcVm24N3iPDKR6zBsny/eeiEKaDf7U
755 iwXlAAABcQhGXnoAAAQDAEcwRQIgKsntiBqt8Au8DAABFkxISELhP3U/wb5lb76p
756 vfenWL0CIQDr2kLhCWP/QUNxXqGmvr1GaG9EuokTOLEnGPhGv1cMkDANBgkqhkiG
757 9w0BAQsFAAOCAQEA0RGxlwy3Tl0lhrUAn2mIi8LcZ9nBUyfAcCXCtYyCdEbjIP64
758 xgX6pzTt0WJoxzlT+MiK6fc0hECZXqpkTNVTARYtGkJoljlTK2vAdHZ0SOpm9OT4
759 RLfjGnImY0hiFbZ/LtsvS2Zg7cVJecqnrZe/za/nbDdljnnrll7C8O5naQuKr4te
760 uice3e8a4TtviFwS/wdDnJ3RrE83b1IljILbU5SV0X1NajyYkUWS7AnOmrFUUByz
761 MwdGrM6kt0lfJy/gvGVsgIKZocHdedPeECqAtq7FAJYanOsjNN9RbBOGhbwq0/FP
762 CC01zojqS10nGowxzOiqyB4m6wytmzf0QwjpMw==
763 -----END CERTIFICATE-----
764 ---
765 Server certificate
766 subject=C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
767
768 issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
769
770 ---
771 No client certificate CA names sent
772 Peer signing digest: SHA512
773 Peer signature type: RSA
774 Server Temp Key: ECDH, P-256, 256 bits
775 ---
776 SSL handshake has read 2219 bytes and written 453 bytes
777 Verification error: unable to verify the first certificate
778 ---
779 New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
780 Server public key is 2048 bit
781 Secure Renegotiation IS supported
782 Compression: NONE
783 Expansion: NONE
784 No ALPN negotiated
785 SSL-Session:
786 Protocol : TLSv1.2
787 Cipher : ECDHE-RSA-AES128-GCM-SHA256
788 Session-ID: 3A7DBDAC0199C67176A6191BC6ACC812FF469163BD550FCC0AC4CD7190C4980D
789 Session-ID-ctx:
790 Master-Key: A45673CF402FD94CD1B0F4FF96DE8C2651B1DCDC230570AC62ACDAA7BF5D9235D1B66F9FBE4FFBE2746CF61935D5DB9D
791 PSK identity: None
792 PSK identity hint: None
793 SRP username: None
794 Start Time: 1602435786
795 Timeout : 7200 (sec)
796 Verify return code: 21 (unable to verify the first certificate)
797 Extended master secret: no
798 ---
799 |}
800
801 let sha1_intermediate_badssl =
802 {|
803 CONNECTED(00000003)
804 ---
805 Certificate chain
806 0 s:OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN = *.badssl.com
807 i:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO SSL CA
808 -----BEGIN CERTIFICATE-----
809 MIIE8TCCA9mgAwIBAgIRAL4AQmnXWHlXEDwE56pO2LIwDQYJKoZIhvcNAQELBQAw
810 cDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
811 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxFjAUBgNV
812 BAMTDUNPTU9ETyBTU0wgQ0EwHhcNMTcwNDEzMDAwMDAwWhcNMjAwNTMwMjM1OTU5
813 WjBYMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxHDAaBgNVBAsT
814 E0NPTU9ETyBTU0wgV2lsZGNhcmQxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIw
815 DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yo
816 aEmwIrX5lZ6xKyx2PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3
817 pmccYYz2QULFRtMWhyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CV
818 SndrOfEk0TG23U3AxPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5a
819 ohbcabFXRNsKEqveww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZ
820 jFeEU4EFy+b+a1SYQCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEA
821 AaOCAZwwggGYMB8GA1UdIwQYMBaAFBtrvR+KSRiUVDdVtCAX7Te5dxh9MB0GA1Ud
822 DgQWBBSd7sF7gQs6R2lxGH0RN5O8pRs/+zAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0T
823 AQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwTwYDVR0gBEgw
824 RjA6BgsrBgEEAbIxAQICBzArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5j
825 b21vZG8uY29tL0NQUzAIBgZngQwBAgEwOAYDVR0fBDEwLzAtoCugKYYnaHR0cDov
826 L2NybC5jb21vZG9jYS5jb20vQ09NT0RPU1NMQ0EuY3JsMGkGCCsGAQUFBwEBBF0w
827 WzAzBggrBgEFBQcwAoYnaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPU1NM
828 Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wIwYD
829 VR0RBBwwGoIMKi5iYWRzc2wuY29tggpiYWRzc2wuY29tMA0GCSqGSIb3DQEBCwUA
830 A4IBAQCjAoXzYKLon9rpcYVKD1Y3zvIZyojAiUgibAi/v3trIBDA92bOCxBNgCyw
831 yU3yFR8eSriE1lROeZghScU/qMKqJQhNv8jSRKiCaVjX/6XGJeGjJ4vDZgkoFOAt
832 3BUpzUSqCNZPuHim6YSIWRgcoCgvqzvh9wVh/eRTMGt2naTfy2ieUkYSKleGbE91
833 DeCKiiAJlimR0MJ5xOznTvCMxvs0ZppG41F+ain6rmsKQaVZfw4IxJW+9KmtNO4g
834 EJO5rT+lOyz3t3Ij2yblHAwtcdxxwyA9BdvnIxfDcXVtNcqPNfBZRkhct/APO/yS
835 Ix4MYaiI3P48eZeMnLgiw/MOh2Vi
836 -----END CERTIFICATE-----
837 1 s:C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO SSL CA
838 i:C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
839 -----BEGIN CERTIFICATE-----
840 MIIE4jCCA8qgAwIBAgIQbrrwj3mD+p3hsm+W/G6YvzANBgkqhkiG9w0BAQUFADBv
841 MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
842 ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
843 eHRlcm5hbCBDQSBSb290MB4XDTExMDgyMzAwMDAwMFoXDTIwMDUzMDEwNDgzOFow
844 cDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
845 A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxFjAUBgNV
846 BAMTDUNPTU9ETyBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
847 AQDUKy4c0qP4f1UUQN73RN2EVfeFe1VmaaflWetlg/TzdrFmw09OmJMJt0Cz0Reg
848 EgmogOEpY5cCjDGdCgLgWVu77TC1735drwhOjYvCOVYWmHOUeArJpk8ot6g0N9sl
849 IbE8mfbgEj5z6mQyn0IGPBnYCgR6TFdJK9J3etAAvF76ju7MwuQTbiVf3DykiKPc
850 Sce8xw/dGcCxcu147ziDCkUXG8l9ne3fqywso3WuW4IdiIONzghlDGYmVwWhDN/m
851 B4QLhKPIq9WVR7/c3P4d/AKTRAHK5rW3axYwAV3piQmVnvheKVzdx1WM8o4gTkB6
852 5PVFA7SYK8SAflOHb8LSV7DpAgMBAAGjggF3MIIBczAfBgNVHSMEGDAWgBStvZh6
853 NLQm9/rEJlTvA73gJMtUGjAdBgNVHQ4EFgQUG2u9H4pJGJRUN1W0IBftN7l3GH0w
854 DgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwEQYDVR0gBAowCDAG
855 BgRVHSAAMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNv
856 bS9BZGRUcnVzdEV4dGVybmFsQ0FSb290LmNybDCBswYIKwYBBQUHAQEEgaYwgaMw
857 PwYIKwYBBQUHMAKGM2h0dHA6Ly9jcnQudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
858 dGVybmFsQ0FSb290LnA3YzA5BggrBgEFBQcwAoYtaHR0cDovL2NydC51c2VydHJ1
859 c3QuY29tL0FkZFRydXN0VVROU0dDQ0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8v
860 b2NzcC51c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBBQUAA4IBAQBDJTkjBwSsmV1Z
861 Zz3mL2F9WlZ7/AaNs0ud+tUFTA1mtb08x6Iqa7XP5rqDPmCQNgzVwu2KldmSQiMc
862 A3Y+wkjxdXKds4zPs1g0VkkdoS4rPbLoWhBG3mS1Ta5LbvwBtyEQ1ZW36yy+FAbM
863 QS7kbOJGkP/GKH5z/uUXuoLDEAWBZsKLKDigRD7p5M4zsHz44VOduLTL2sku2ZNw
864 jnwL43M+mZmP6+ERRDXYYIFiRdTeRVuQLkkbG9ukD4BiIXNp8ePebdhIfFYSJiIR
865 RwHGXhnCtJWX7mEAVfEEOPyE5ni0DUO+QzPdaNMiWwD7FILoS2J5MM/TlZ+zuYQB
866 1N3PIxL4
867 -----END CERTIFICATE-----
868 ---
869 Server certificate
870 subject=OU = Domain Control Validated, OU = COMODO SSL Wildcard, CN = *.badssl.com
871
872 issuer=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO SSL CA
873
874 ---
875 No client certificate CA names sent
876 Peer signing digest: SHA512
877 Peer signature type: RSA
878 Server Temp Key: ECDH, P-256, 256 bits
879 ---
880 SSL handshake has read 3037 bytes and written 454 bytes
881 Verification error: certificate has expired
882 ---
883 New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
884 Server public key is 2048 bit
885 Secure Renegotiation IS supported
886 Compression: NONE
887 Expansion: NONE
888 No ALPN negotiated
889 SSL-Session:
890 Protocol : TLSv1.2
891 Cipher : ECDHE-RSA-AES128-GCM-SHA256
892 Session-ID: 1AA79F6F986D20959EFE3F4E293F2F5F05E1C33C779BB086A95C33B7B2A13716
893 Session-ID-ctx:
894 Master-Key: 0F738EDA295FEA1972787E50BDFE693B8E0504BA41AC9EE75A6630CAEBD150693CCE7D2209F6D89482B1319C5975EA97
895 PSK identity: None
896 PSK identity hint: None
897 SRP username: None
898 Start Time: 1602436102
899 Timeout : 7200 (sec)
900 Verify return code: 10 (certificate has expired)
901 Extended master secret: no
902 ---
903 |}
904
905 let err_tests =
906 [
907 ( "self-signed.badssl.com",
908 (fun _ _ -> `InvalidChain),
909 self_signed_badssl,
910 None );
911 ( "expired.badssl.com",
912 (fun _ c -> `LeafCertificateExpired (List.hd c, Some now)),
913 expired_badssl,
914 None );
915 ( "untrusted-root.badssl.com",
916 (fun _ _ -> `InvalidChain),
917 untrusted_root_badssl,
918 None );
919 ( "wrong.host.badssl.com",
920 (fun h c -> `LeafInvalidName (List.hd c, Some h)),
921 wrong_host_badssl,
922 None );
923 ( "incomplete-chain.badssl.com",
924 (fun _ _ -> `InvalidChain),
925 incomplete_chain_badssl,
926 None );
927 ( "sha1-intermediate.badssl.com",
928 (fun _ _ -> `InvalidChain),
929 sha1_intermediate_badssl,
930 Ptime.of_date_time ((2020, 05, 30), ((16, 00, 00), 00)) );
931 ( "wrong.host.google.com",
932 (fun h c -> `LeafInvalidName (List.hd c, Some h)),
933 google,
934 None );
935 ]
936
937 let tests tas =
938 List.map
939 (fun (name, data) ->
940 let host = Domain_name.(of_string_exn name |> host_exn)
941 and chain =
942 Result.get_ok
943 (X509.Certificate.decode_pem_multiple (Cstruct.of_string data))
944 in
945 (name, `Quick, test_one tas (Ok (Some (chain, List.hd chain))) host chain))
946 ok_tests
947 @ List.map
948 (fun (name, result, data, time) ->
949 let host = Domain_name.(of_string_exn name |> host_exn)
950 and chain =
951 Result.get_ok
952 (X509.Certificate.decode_pem_multiple (Cstruct.of_string data))
953 in
954 (name, `Quick, test_one ?time tas (Error (result host chain)) host chain))
955 err_tests
956
957 let ta () =
958 Result.bind (Ca_certs.trust_anchors ()) (fun data ->
959 (* we cannot use decode_pem_multiple since this fails on the first
960 undecodable certificate - while we'd like to stay operational, and
961 ignore some certificates *)
962 let sep = "-----END CERTIFICATE-----" in
963 let certs = Astring.String.cuts ~sep ~empty:false data in
964 let cas =
965 List.fold_left
966 (fun acc data ->
967 let data = data ^ sep in
968 match X509.Certificate.decode_pem (Cstruct.of_string data) with
969 | Ok ca -> ca :: acc
970 | Error _ -> acc)
971 [] certs
972 in
973 Ok (List.rev cas))
974
975 let () =
976 let tas = Result.get_ok (ta ()) in
977 Alcotest.run "verification tests"
978 [ ("X509 certificate validation", tests tas) ]