Re: CURLOPT_CERTINFO truncated to 2048 chars

From: Sky (Jim Schuyler) <sky_at_cyberspark.net>
Date: Thu, 9 Oct 2014 10:59:26 -0700

Live example here => http://119.9.13.114/

1) The file shows its own live PHP
2) Shows version numbers for libcurl and OpenSSL
3) Then runs and emits the result of HTTPS against au.yahoo.com (CURLOPT_CERTINFO)
4) Then runs phpinfo() just to show its environment

Note that the -----BEGIN CERTIFICATE----- block is truncated as I previously indicated, to 2048 characters/bytes.

I should be able to try other code on this server. It’s a throwaway. But I’m not experienced with compiling and linking in new versions, so I’d need advice with that. It’s Ubuntu 14.04 LTS.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
CyberSpark.net
-Keeping the flame of free speech
      and human rights alive online

On Oct 9, 2014, at 10:18 AM, Sky (Jim Schuyler) <sky_at_cyberspark.net> wrote:

> Yes, I will put a live example online shortly. Let me point out I’m using php5-curl, which I believe uses libcurl, but I should verify this with you before I go run more tests. Don’t want to waste your time if I’m not even using the libcurl 7.35 that I think I am. (If I didn’t say it, thank you for this great package.)
>
> I do understand that php5-curl is a wrapper and that it might be doing something with the analysis. And I don’t know for sure that the analysis comes from libcurl, so please let me know if I’m climbing the wrong tree.
>
> dog@sydney:~# apt-cache madison php5-curl
> php5-curl | 5.5.9+dfsg-1ubuntu4.4 | http://mirror.rackspace.com/ubuntu/ trusty-updates/main amd64 Packages
> php5-curl | 5.5.9+dfsg-1ubuntu4.4 | http://mirror.rackspace.com/ubuntu/ trusty-security/main amd64 Packages
> php5-curl | 5.5.9+dfsg-1ubuntu4 | http://mirror.rackspace.com/ubuntu/ trusty/main amd64 Packages
> php5 | 5.5.9+dfsg-1ubuntu4 | http://mirror.rackspace.com/ubuntu/ trusty/main Sources
> php5 | 5.5.9+dfsg-1ubuntu4.4 | http://mirror.rackspace.com/ubuntu/ trusty-updates/main Sources
> php5 | 5.5.9+dfsg-1ubuntu4.4 | http://mirror.rackspace.com/ubuntu/ trusty-security/main Sources
> dog@sydney:~# apt-cache madison curl
> curl | 7.35.0-1ubuntu2.1 | http://mirror.rackspace.com/ubuntu/ trusty-updates/main amd64 Packages
> curl | 7.35.0-1ubuntu2.1 | http://mirror.rackspace.com/ubuntu/ trusty-security/main amd64 Packages
> curl | 7.35.0-1ubuntu2 | http://mirror.rackspace.com/ubuntu/ trusty/main amd64 Packages
> curl | 7.35.0-1ubuntu2 | http://mirror.rackspace.com/ubuntu/ trusty/main Sources
> curl | 7.35.0-1ubuntu2.1 | http://mirror.rackspace.com/ubuntu/ trusty-updates/main Sources
> curl | 7.35.0-1ubuntu2.1 | http://mirror.rackspace.com/ubuntu/ trusty-security/main Sources
>
> Also my code reports the current versions (from curl info) this way:
> OK [ssl] Verify SSL/HTTPS on au.yahoo.com using php5_curl '7.35.0' with OpenSSL 'OpenSSL/1.0.1f'
>
> To start the process, I will include one “narrative” that I got when hitting https://au.yahoo.com/?p=en yesterday.
>
> The certificate beginning
> MIIIdzCCB1+gAwIBAgIQTusxCWM5To6gTnCcqR3NpjANBgkqhkiG9w0BAQUFADCB
> is longer than 2048 bytes.
>
> The certificate beginning
> MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
> is shorter than 2048 and appears in full.
>
> The code that produces it is:
>
> if ($tf = tmpfile()) {
>     $ch = curl_init();
>     curl_setopt($ch, CURLOPT_URL, 'https://au.yahoo.com/?p=en');
>     curl_setopt($ch, CURLOPT_STDERR, $tf);    // verbose trace goes to the temp file
>     curl_setopt($ch, CURLOPT_CERTINFO, 1);    // ask libcurl for certificate chain details
>     curl_setopt($ch, CURLOPT_VERBOSE, true);
>     curl_setopt($ch, CURLOPT_HEADER, false);
>     curl_setopt($ch, CURLOPT_NOBODY, 1);      // HEAD request only
>     curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
>     curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
>     curl_setopt($ch, CURLOPT_SSLVERSION, 3);
>     $curlResult = curl_exec($ch);
>     fseek($tf, 0); // rewind
>     // Get the full analysis that was returned from the SSL connection
>     // Note there is an absolute maximum size of 100000 used on the overall report.
>     $s = fread($tf, 100000);
>     if ($s !== false) {
>         echo $s;
>     }
>     fclose($tf);
>     curl_close($ch);
> }
>
>
> The result is below. If you look for a '-----BEGIN CERTIFICATE-----' and then scrape from the start of that string through the following “*” (continuation of the output of the analysis) and paste it somewhere that can count the length, you’ll find it’s exactly 2048 characters long and in the case of one cert does not contain an '-----END CERTIFICATE-----' because the cert is longer than 2048.
>
>
> * Rebuilt URL to: https://au.yahoo.com/
> * Hostname was found in DNS cache
> * Trying 206.190.36.45...
> * Connected to au.yahoo.com (206.190.36.45) port 443 (#3)
> * successfully set certificate verify locations:
> * CAfile: none
> CApath: /etc/ssl/certs
> * SSL connection using ECDHE-RSA-AES128-SHA
> * --- Certificate chain
> * 0 Subject: C=US; ST=California; L=Sunnyvale; O=Yahoo Inc.; OU=Information Technology; CN=www.yahoo.com
> * Issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
> * Version: 3 (0x2)
> * Serial Number:
> * Signature Algorithm: sha1WithRSAEncryption
> * Start date: 2014-09-24 00:00:00 GMT
> * Expire date: 2015-09-25 23:59:59 GMT
> * Public Key Algorithm: rsaEncryption
> * RSA Public Key (2048 bits)
> * rsa(n): cb:b3:cf:6d:6f:6b:23:6e:eb:b0:8f:0a:ad:aa:98:ba:1a:d9:26:1e:88:52:32:71:63:c9:79:c4:82:2e:c8:22:b4:cd:2f:04:9f:95:2d:83:a9:52:22:07:24:00:42:ee:18:17:07:46:29:73:18:97:c5:b8:69:06:78:22:70:22:d0:13:4a:11:86:2b:53:9a:49:69:c5:a2:77:b4:2b:3b:f1:75:f9:a4:83:8d:3e:8e:65:fb:17:a0:ac:14:7d:87:ed:d4:a6:5c:99:b7:c8:f4:de:a0:6a:13:d9:33:41:27:6a:71:54:cf:c2:49:d4:c6:8b:1e:2c:3b:f3:1d:bc:da:bb:11:c1:fe:06:62:9c:3b:2b:bf:8d:43:cb:7b:7b:51:4f:9f:f4:1f:d2:99:6f:a1:24:9b:64:65:5f:2c:d0:95:ad:98:b6:6a:02:24:3f:c7:f3:ad:3f:47:b1:57:bf:dd:a0:c2:ed:dd:a4:e1:a3:74:24:1b:73:5f:a7:8e:8b:09:10:bc:ea:a6:26:aa:3c:57:73:e4:6a:d6:53:6f:9c:aa:f8:f8:9b:bf:22:f6:72:d5:9f:fe:e0:e2:a3:38:8f:b7:d2:ad:91:22:82:36:c1:e6:ae:83:64:6e:07:16:80:f7:59:c4:4d:f4:f4:5e:c8:de:4d:6b:e6:b5:30:ea:8f:0f:
> * rsa(e): 01:00:01:
> * X509v3 Subject Alternative Name:
> * DNS:www.yahoo.com,DNS:yahoo.com,DNS:hsrd.yahoo.com,DNS:us.yahoo.com,DNS:fr.yahoo.com,DNS:uk.yahoo.com,DNS:za.yahoo.com,DNS:ie.yahoo.com,DNS:it.yahoo.com,DNS:es.yahoo.com,DNS:de.yahoo.com,DNS:ca.yahoo.com,DNS:qc.yahoo.com,DNS:br.yahoo.com,DNS:ro.yahoo.com,DNS:se.yahoo.com,DNS:be.yahoo.com,DNS:fr-be.yahoo.com,DNS:ar.yahoo.com,DNS:mx.yahoo.com,DNS:cl.yahoo.com,DNS:co.yahoo.com,DNS:ve.yahoo.com,DNS:espanol.yahoo.com,DNS:pe.yahoo.com,DNS:in.yahoo.com,DNS:sg.yahoo.com,DNS:id.yahoo.com,DNS:malaysia.yahoo.com,DNS:
> * X509v3 Basic Constraints:
> * CA:FALSE
> * X509v3 Key Usage: (critical)
> * DigitalSignature,KeyEncipherment
> * X509v3 Extended Key Usage:
> * TLSWebServerAuthentication,TLSWebClientAuthentication
> * X509v3 Certificate Policies:
> * Policy:2.16.840.1.113733.1.7.54, CPS:https://d.symcb.com/cps, UserNotice:, ExplicitText:https://d.symcb.com/rpa
> * X509v3 Authority Key Identifier:
> * keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
> * X509v3 CRL Distribution Points:
> * , FullName:, URI:http://sd.symcb.com/sd.crl
> * Authority Information Access:
> * OCSP-URI:http://sd.symcd.com, CAIssuers-URI:http://sd.symcb.com/sd.crt
> * Signature: 8d:ab:7a:6a:9e:dc:ca:64:5b:10:11:43:d6:45:06:17:6b:32:e7:43:ed:96:68:7d:61:98:c4:76:97:06:79:ab:1c:ee:f4:ac:67:97:34:88:63:90:62:4c:12:e4:9c:b1:eb:aa:38:11:e9:8a:d2:14:f9:07:cd:6d:ee:b4:05:ce:cd:65:d0:72:69:39:00:fa:3b:3a:3b:06:de:3b:7e:82:c1:69:31:bc:e4:09:7c:f8:b3:ff:9e:d4:a2:40:17:42:68:c0:bf:91:0b:ac:c6:ee:dc:91:33:85:e0:e4:43:f2:d8:b3:5d:a4:33:f7:c0:e8:49:26:cf:3d:a6:3f:c0:40:78:0d:62:0d:aa:10:37:be:3f:20:db:be:ea:ed:99:1d:cd:b6:75:23:03:13:c8:4d:86:c5:c5:bd:fe:d5:ad:3c:5a:2d:5c:c9:72:6a:b5:f7:de:1c:41:a8:f8:a7:20:87:5b:67:00:07:2c:48:4e:22:b3:28:19:88:a0:e9:a5:11:c5:f7:29:18:29:18:51:a9:95:ab:21:8b:9e:96:c5:30:15:6f:ae:55:31:07:1c:2c:3a:f9:75:d7:66:8b:b2:fd:47:fe:f3:ea:9e:e2:cd:e2:92:d0:23:83:ce:af:04:b6:14:51:5e:63:65:da:d4:f7:28:82:9c:82:31:15:bc:29:
> * -----BEGIN CERTIFICATE-----
> MIIIdzCCB1+gAwIBAgIQTusxCWM5To6gTnCcqR3NpjANBgkqhkiG9w0BAQUFADCB
> tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
> YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
> VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwOTI0
> MDAwMDAwWhcNMTUwOTI1MjM1OTU5WjCBhDELMAkGA1UEBhMCVVMxEzARBgNVBAgT
> CkNhbGlmb3JuaWExEjAQBgNVBAcUCVN1bm55dmFsZTETMBEGA1UEChQKWWFob28g
> SW5jLjEfMB0GA1UECxQWSW5mb3JtYXRpb24gVGVjaG5vbG9neTEWMBQGA1UEAxQN
> d3d3LnlhaG9vLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMuz
> z21vayNu67CPCq2qmLoa2SYeiFIycWPJecSCLsgitM0vBJ+VLYOpUiIHJABC7hgX
> B0YpcxiXxbhpBngicCLQE0oRhitTmklpxaJ3tCs78XX5pIONPo5l+xegrBR9h+3U
> plyZt8j03qBqE9kzQSdqcVTPwknUxoseLDvzHbzauxHB/gZinDsrv41Dy3t7UU+f
> 9B/SmW+hJJtkZV8s0JWtmLZqAiQ/x/OtP0exV7/doMLt3aTho3QkG3Nfp46LCRC8
> 6qYmqjxXc+Rq1lNvnKr4+Ju/IvZy1Z/+4OKjOI+30q2RIoI2weaug2RuBxaA91nE
> TfT0XsjeTWvmtTDqjw8CAwEAAaOCBLAwggSsMIIDYAYDVR0RBIIDVzCCA1OCDXd3
> dy55YWhvby5jb22CCXlhaG9vLmNvbYIOaHNyZC55YWhvby5jb22CDHVzLnlhaG9v
> LmNvbYIMZnIueWFob28uY29tggx1ay55YWhvby5jb22CDHphLnlhaG9vLmNvbYIM
> aWUueWFob28uY29tggxpdC55YWhvby5jb22CDGVzLnlhaG9vLmNvbYIMZGUueWFo
> b28uY29tggxjYS55YWhvby5jb22CDHFjLnlhaG9vLmNvbYIMYnIueWFob28uY29t
> ggxyby55YWhvby5jb22CDHNlLnlhaG9vLmNvbYIMYmUueWFob28uY29tgg9mci1i
> ZS55YWhvby5jb22CDGFyLnlhaG9vLmNvbYIMbXgueWFob28uY29tggxjbC55YWhv
> by5jb22CDGNvLnlhaG9vLmNvbYIMdmUueWFob28uY29tghFlc3Bhbm9sLnlhaG9v
> LmNvbYIMcGUueWFob28uY29tggxpbi55YWhvby5jb22CDHNnLnlhaG9vLmNvbYIM
> aWQueWFob28uY29tghJtYWxheXNpYS55YWhvby5jb22CDHBoLnlhaG9vLmNvbYIM
> dm4ueWFob28uY29tghFtYWt0b29iLnlhaG9vLmNvbYIUZW4tbWFrdG9vYi55YWhv
> by5jb22CD2NhLm15LnlhaG9vLmNvbYIMZ3IueWFob28uY29tgg1hdHQueWFob28u
> Y29tggxhdS55YWhvby5jb22CDG56LnlhaG9vLmNvbYIMdHcueWFob28uY29tggxo
> ay55YWhvby5jb22CDWJyYi55YWhvby5jb22CDG15LnlhaG9vLmNvbYIQYWRkLm15
> LnlhaG9vLmNvbYIVZXNwYW5vbC5hdHQueWFob28uY29tghJmcm9udGllci55YWhv
> by5jb22CEXZlcml6b24ueWFob28uY29tghNjYS5yb2dlcnMueWFob28uY29tghZm
> ci1jYS5yb2dlcnMueWFob28uY29tghR0YXRhZG9jb21vLnlhaG9vLmNvbYIQdGlr
> b25hL* 1 Subject: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
> * Issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only; CN=VeriSign Class 3 Public Primary Certification Authority - G5
> * Version: 3 (0x2)
> * Serial Number:
> * Signature Algorithm: sha1WithRSAEncryption
> * Start date: 2010-02-08 00:00:00 GMT
> * Expire date: 2020-02-07 23:59:59 GMT
> * Public Key Algorithm: rsaEncryption
> * RSA Public Key (2048 bits)
> * rsa(n): b1:87:84:1f:c2:0c:45:f5:bc:ab:25:97:a7:ad:a2:3e:9c:ba:f6:c1:39:b8:8b:ca:c2:ac:56:c6:e5:bb:65:8e:44:4f:4d:ce:6f:ed:09:4a:d4:af:4e:10:9c:68:8b:2e:95:7b:89:9b:13:ca:e2:34:34:c1:f3:5b:f3:49:7b:62:83:48:81:74:d1:88:78:6c:02:53:f9:bc:7f:43:26:57:58:33:83:3b:33:0a:17:b0:d0:4e:91:24:ad:86:7d:64:12:dc:74:4a:34:a1:1d:0a:ea:96:1d:0b:15:fc:a3:4b:3b:ce:63:88:d0:f8:2d:0c:94:86:10:ca:b6:9a:3d:ca:eb:37:9c:00:48:35:86:29:50:78:e8:45:63:cd:19:41:4f:f5:95:ec:7b:98:d4:c4:71:b3:50:be:28:b3:8f:a0:b9:53:9c:f5:ca:2c:23:a9:fd:14:06:e8:18:b4:9a:e8:3c:6e:81:fd:e4:cd:35:36:b3:51:d3:69:ec:12:ba:56:6e:6f:9b:57:c5:8b:14:e7:0e:c7:9c:ed:4a:54:6a:c9:4d:c5:bf:11:b1:ae:1c:67:81:cb:44:55:33:99:7f:24:9b:3f:53:45:7f:86:1a:f3:3c:fa:6d:7f:81:f5:b8:4a:d3:f5:85:37:1c:b5:a6:d0:09:e4:18:7b:38:4e:fa:0f:
> * rsa(e): 01:00:01:
> * Authority Information Access:
> * OCSP-URI:http://ocsp.verisign.com
> * X509v3 Basic Constraints: (critical)
> * CA:TRUE,pathlen:0
> * X509v3 Certificate Policies:
> * Policy:2.16.840.1.113733.1.7.23.3, CPS:https://www.verisign.com/cps, UserNotice:, ExplicitText:https://www.verisign.com/rpa
> * X509v3 CRL Distribution Points:
> * , FullName:, URI:http://crl.verisign.com/pca3-g5.crl
> * X509v3 Key Usage: (critical)
> * CertificateSign,CRLSign
> * 1.3.6.1.5.5.7.1.12:
> * 0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
> * X509v3 Subject Alternative Name:
> * DirName:/CN=VeriSignMPKI-2-6
> * X509v3 Subject Key Identifier:
> * 0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
> * X509v3 Authority Key Identifier:
> * keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
> * Signature: 0c:83:24:ef:dd:c3:0c:d9:58:9c:fe:36:b6:eb:8a:80:4b:d1:a3:f7:9d:f3:cc:53:ef:82:9e:a3:a1:e6:97:c1:58:9d:75:6c:e0:1d:1b:4c:fa:d1:c1:2d:05:c0:ea:6e:b2:22:70:55:d9:20:33:40:33:07:c2:65:83:fa:8f:43:37:9b:ea:0e:9a:6c:70:ee:f6:9c:80:3b:d9:37:f4:7a:6d:ec:d0:18:7d:49:4a:ca:99:c7:19:28:a2:be:d8:77:24:f7:85:26:86:6d:87:05:40:41:67:d1:27:3a:ed:dc:48:1d:22:cd:0b:0b:8b:bc:f4:b1:7b:fd:b4:99:a8:e9:76:2a:e1:1a:2d:87:6e:74:d3:88:dd:1e:22:c6:df:16:b6:2b:82:14:0a:94:5c:f2:50:ec:af:ce:ff:62:37:0d:ad:65:d3:06:41:53:ed:02:14:c8:b5:58:28:a1:ac:e0:5b:ec:b3:7f:95:4a:fb:03:c8:ad:26:db:e6:66:78:12:4a:d9:9f:42:fb:e1:98:e6:42:83:9b:8f:8f:67:24:e8:61:19:b5:dd:cd:b5:0b:26:05:8e:c3:6e:c4:c8:75:b8:46:cf:e2:18:06:5e:a9:ae:a8:81:9a:47:16:de:0c:28:6c:25:27:b9:de:b7:84:58:c6:1f:38:1e:a4:c4:cb:66:
> * -----BEGIN CERTIFICATE-----
> MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
> yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
> ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
> U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
> ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
> aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL
> MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
> ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
> aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy
> aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3
> DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG
> 5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8
> f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK
> tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo
> GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV
> M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB
> 2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
> aWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4
> RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw
> czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG
> A1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu
> Y3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp
> bWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNo
> dHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAoBgNVHREEITAfpB0w
> GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItNjAdBgNVHQ4EFgQUDURcFlNEwYJ+
> HSCrJfQBY9i+eaUwHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJ
> KoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++CnqOh5pfB
> WJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6
> bezQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majp
> dirhGi2HbnTTiN0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazg
> W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
> Rs/iG* 2 Subject: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=(c) 2006 VeriSign, Inc. - For authorized use only; CN=VeriSign Class 3 Public Primary Certification Authority - G5
> * Issuer: C=US; O=VeriSign, Inc.; OU=Class 3 Public Primary Certification Authority
> * Version: 3 (0x2)
> * Serial Number:
> * Signature Algorithm: sha1WithRSAEncryption
> * Start date: 2006-11-08 00:00:00 GMT
> * Expire date: 2021-11-07 23:59:59 GMT
> * Public Key Algorithm: rsaEncryption
> * RSA Public Key (2048 bits)
> * rsa(n): af:24:08:08:29:7a:35:9e:60:0c:aa:e7:4b:3b:4e:dc:7c:bc:3c:45:1c:bb:2b:e0:fe:29:02:f9:57:08:a3:64:85:15:27:f5:f1:ad:c8:31:89:5d:22:e8:2a:aa:a6:42:b3:8f:f8:b9:55:b7:b1:b7:4b:b3:fe:8f:7e:07:57:ec:ef:43:db:66:62:15:61:cf:60:0d:a4:d8:de:f8:e0:c3:62:08:3d:54:13:eb:49:ca:59:54:85:26:e5:2b:8f:1b:9f:eb:f5:a1:91:c2:33:49:d8:43:63:6a:52:4b:d2:8f:e8:70:51:4d:d1:89:69:7b:c7:70:f6:b3:dc:12:74:db:7b:5d:4b:56:d3:96:bf:15:77:a1:b0:f4:a2:25:f2:af:1c:92:67:18:e5:f4:06:04:ef:90:b9:e4:00:e4:dd:3a:b5:19:ff:02:ba:f4:3c:ee:e0:8b:eb:37:8b:ec:f4:d7:ac:f2:f6:f0:3d:af:dd:75:91:33:19:1d:1c:40:cb:74:24:19:21:93:d9:14:fe:ac:2a:52:c7:8f:d5:04:49:e4:8d:63:47:88:3c:69:83:cb:fe:47:bd:2b:7e:4f:c5:95:ae:0e:9d:d4:d1:43:c0:67:73:e3:14:08:7e:e5:3f:9f:73:b8:33:0a:cf:5d:3f:34:87:96:8a:ee:53:e8:25:15:
> * rsa(e): 01:00:01:
> * X509v3 Basic Constraints: (critical)
> * CA:TRUE
> * X509v3 CRL Distribution Points:
> * , FullName:, URI:http://crl.verisign.com/pca3.crl
> * X509v3 Key Usage: (critical)
> * CertificateSign,CRLSign
> * X509v3 Certificate Policies:
> * Policy:X509v3AnyPolicy, CPS:https://www.verisign.com/cps
> * X509v3 Subject Key Identifier:
> * 7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
> * 1.3.6.1.5.5.7.1.12:
> * 0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
> * Authority Information Access:
> * OCSP-URI:http://ocsp.verisign.com
> * X509v3 Extended Key Usage:
> * TLSWebServerAuthentication,TLSWebClientAuthentication,CodeSigning,NetscapeServerGatedCrypto,2.16.840.1.113733.1.8.1
> * Signature: 13:02:dd:f8:e8:86:00:f2:5a:f8:f8:20:0c:59:88:62:07:ce:ce:f7:4e:f9:bb:59:a1:98:e5:e1:38:dd:4e:bc:66:18:d3:ad:eb:18:f2:0d:c9:6d:3e:4a:94:20:c3:3c:ba:bd:65:54:c6:af:44:b3:10:ad:2c:6b:3e:ab:d7:07:b6:b8:81:63:c5:f9:5e:2e:e5:2a:67:ce:cd:33:0c:2a:d7:89:56:03:23:1f:b3:be:e8:3a:08:59:b4:ec:45:35:f7:8a:5b:ff:66:cf:50:af:c6:6d:57:8d:19:78:b7:b9:a2:d1:57:ea:1f:9a:4b:af:ba:c9:8e:12:7e:c6:bd:ff:
> * -----BEGIN CERTIFICATE-----
> MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
> MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
> LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
> HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
> FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
> dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
> ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
> IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
> MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
> RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
> ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
> TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
> Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
> iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
> AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
> dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
> BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
> aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
> KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
> j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
> L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
> b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
> BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
> A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K
> lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
> tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
> -----END CERTIFICATE-----
>
> * Server certificate:
> * subject: C=US; ST=California; L=Sunnyvale; O=Yahoo Inc.; OU=Information Technology; CN=www.yahoo.com
> * start date: 2014-09-24 00:00:00 GMT
> * expire date: 2015-09-25 23:59:59 GMT
> * subjectAltName: au.yahoo.com matched
> * issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
> * SSL certificate verify ok.
>> HEAD / HTTP/1.1
> Host: au.yahoo.com
> Accept: */*
>
> < HTTP/1.1 302 Found
> < Date: Thu, 09 Oct 2014 02:40:51 GMT
> < P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
> < Location: http://brb.yahoo.com
> < Vary: Accept-Encoding
> < Content-Type: text/html
> < Age: 0
> < Via: http/1.1 fs3.fp.gq1.yahoo.com (ApacheTrafficServer/4.0.2 [cMsSf ]), https/1.1 ir10.fp.gq1.yahoo.com (ApacheTrafficServer)
> * Server ATS is not blacklisted
> < Server: ATS
> < Connection: keep-alive
> <
> * Connection #3 to host au.yahoo.com left intact
>
>
> SAVED NEW BASELINE CERT(S) AS FOLLOWS:
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> CyberSpark.net
> -Keeping the flame of free speech
> and human rights alive online
>
> On Oct 9, 2014, at 1:52 AM, Daniel Stenberg <daniel_at_haxx.se> wrote:
>
>> On Wed, 8 Oct 2014, Sky (Jim Schuyler) wrote:
>>
>>> I’m using php5-curl for HTTPS and use the CURLOPT_CERTINFO option to report back the certificates that are seen and the narrative of the certificate checking process.
>>>
>>> The information returned for a cert in that flow is truncated to 2048 bytes from the start of “-----BEGIN CERTIFICATE-----” to wherever the 2048 bytes end. Sometimes the -----END CERTIFICATE----- is within this range and sometimes not.
>>
>> It's not immediately obvious to me where this truncation would happen. Can you figure that out? There's an 8K buffer used at some places, could it be that you hit that limit somehow?
>>
>> Can you show us code that repeats this against a public site?
>>
>>> I’m using libcurl 7.35
>>
>> I don't think we've changed this particular thing since then anyway.
>>
>>> If there’s a way to use apt-get to upgrade to the current version, I can try it, but I don’t really know how to do that.
>>
>> You can probably get the dpkg package from a later version and install that.
>>
>>> I’m also happy to go check the current code and have downloaded the source, and can wade into that next, but perhaps you know already where to look.
>>
>> lib/vtls/openssl.c:get_cert_chain() is a good place to start!
>>
>> --
>>
>> / daniel.haxx.se
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/list/listinfo/curl-users
>> FAQ: http://curl.haxx.se/docs/faq.html
>> Etiquette: http://curl.haxx.se/mail/etiquette.html

Received on 2014-10-09
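
Added example, not part of the original thread and not code from curl or from the poster: because the report above saves certificates scraped from the verbose trace as a baseline, this PHP code scans such a trace for PEM blocks and accepts only blocks that reach their END marker and decode as DER. The trace is constructed inline (the bytes are not a real certificate), the 2048-character cut is simulated with substr() to match the figure reported in the thread, and scan_pem_blocks() and make_constructed_pem() are hypothetical helper names.

```php
<?php
// Added example: detect truncated PEM blocks in a libcurl verbose trace
// (the text captured through CURLOPT_STDERR) before saving them anywhere.

const PEM_BEGIN = '-----BEGIN CERTIFICATE-----';
const PEM_END   = '-----END CERTIFICATE-----';

/**
 * Returns one entry per BEGIN marker found in $trace:
 *   offset   - byte offset of the BEGIN marker
 *   length   - bytes from BEGIN up to END (inclusive) or up to the cut
 *   complete - true only if END was reached and the body decodes as DER
 *   pem      - the full PEM text when complete, otherwise null
 */
function scan_pem_blocks(string $trace): array
{
    $blocks = [];
    $pos = 0;
    while (($begin = strpos($trace, PEM_BEGIN, $pos)) !== false) {
        $bodyStart = $begin + strlen(PEM_BEGIN);
        $end       = strpos($trace, PEM_END, $bodyStart);
        // '*' is not in the base64 alphabet, so the first '*' after BEGIN is
        // the next trace line (for example "* 1 Subject: ...").
        $star      = strpos($trace, '*', $bodyStart);
        $nextBegin = strpos($trace, PEM_BEGIN, $bodyStart);

        // The block cannot extend past the next trace line, the next BEGIN
        // marker, or the end of the captured text.
        $limits = array_filter(
            [$star, $nextBegin, strlen($trace)],
            function ($v) { return $v !== false; }
        );
        $limit = min($limits);

        $complete = ($end !== false && $end < $limit);
        $stop     = $complete ? $end + strlen(PEM_END) : $limit;

        $pem = null;
        if ($complete) {
            // Structural check: strict base64, and DER must open with SEQUENCE (0x30).
            $body = substr($trace, $bodyStart, $end - $bodyStart);
            $der  = base64_decode(preg_replace('/\s+/', '', $body), true);
            if ($der !== false && $der !== '' && $der[0] === "\x30") {
                $pem = substr($trace, $begin, $stop - $begin);
            } else {
                $complete = false;
            }
        }

        $blocks[] = [
            'offset'   => $begin,
            'length'   => $stop - $begin,
            'complete' => $complete,
            'pem'      => $pem,
        ];
        $pos = $stop;
    }
    return $blocks;
}

// Constructed sample data: arbitrary bytes wrapped as PEM, not a real certificate.
function make_constructed_pem(int $derBytes): string
{
    $der = "\x30\x82" . str_repeat("\xAB", $derBytes - 2);
    return PEM_BEGIN . "\n" . chunk_split(base64_encode($der), 64, "\n") . PEM_END . "\n";
}

$cap   = 2048;                        // truncation length reported in the thread
$long  = make_constructed_pem(2000);  // PEM text longer than the cap
$short = make_constructed_pem(1200);  // PEM text shorter than the cap

// Constructed trace imitating the layout of the verbose output quoted above.
$trace = "* --- Certificate chain\n"
       . "* 0 Subject: CN=long.example\n"
       . "* " . substr($long, 0, $cap)
       . "* 1 Subject: CN=short.example\n"
       . "* " . substr($short, 0, $cap)
       . "\n* Server certificate:\n";

$baseline = [];
foreach (scan_pem_blocks($trace) as $i => $block) {
    if ($block['complete']) {
        $baseline[] = $block['pem'];
        printf("cert %d: complete, %d chars\n", $i, $block['length']);
    } else {
        printf("cert %d: TRUNCATED after %d chars, not saved\n", $i, $block['length']);
    }
}
printf("%d certificate(s) accepted for the baseline\n", count($baseline));
```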