Re: [exim-dev] [Bug 2198] DANE TLSA cert usage type 2 fails …

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Viktor Dukhovni
Dátum:  
Címzett: exim-dev
Tárgy: Re: [exim-dev] [Bug 2198] DANE TLSA cert usage type 2 fails depending on the OpenSSL library


> On Dec 10, 2017, at 11:05 AM, Jeremy Harris <jgh@???> wrote:
>
>> So to reproduce the problem, your "2 1 1" issuer certificate
>> MUST NOT be self-signed. The test chain needs to be:
>>
>>     depth 0:  server, issued by:
>>     depth 1:  2 1 1 CA issued by:
>>     depth 2:  another CA, can be left out of presented chain

>
> Any other conditions? I've set that situation up but still get
> a pass on an unpatched system.
>
> Any restrictions on the chain sent by the server? On the CAs
> known by the client?


So it seems that with the bug in place the chain typically becomes:

 depth | subject | issuer
--------------------------
     0    server      CA1
     1       CA1  <empty>
     2   <empty>  <empty>


and, perhaps somewhat surprisingly, this actually works.

Therefore, the issue is further limited to the case where
the server certificate (really whatever certificate is
issued by the intermediate DANE-TA) has an authority key
identifier (AKID) extension that has the issuer name of
its signing CA (the DirName field). In that case, with
the bug, and "<nakid>" as the name from the AKID we get:

 depth | subject | issuer
--------------------------
     0    server      CA1
     1       CA1  <nakid>
     2   <nakid>  <empty>


And now the chain should fail to verify, because the top
CA is no longer self-signed.

The "iks-jena.de" domain falls into the problem space.

iks-jena.de.        MX    10 excalibur.iks-jena.de.
iks-jena.de.        MX    20 avalon.iks-jena.de.
_25._tcp.excalibur.iks-jena.de CNAME ca.iks-jena.de
_25._tcp.avalon.iks-jena.de CNAME ca.iks-jena.de
ca.iks-jena.de TLSA 2 1 1 6193FDDBF37D565DCD8D81A0A30F06180126D8D9120A82B4458CBD18258CA7EC
ca.iks-jena.de TLSA 2 1 1 F3B3B468A8A1E1DE6ECB6A063AF46852597083DE02FD479A15294524F8BD6B20


With this domain I was able to reproduce the problem with
a backrev Postfix (same bug) linked against OpenSSL 1.0.1:

posttls-finger: CA certificate verification failed for excalibur.iks-jena.de[217.17.192.67]:25: num=2:unable to get issuer certificate
posttls-finger: Untrusted TLS connection established to excalibur.iks-jena.de[217.17.192.67]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Certificate chains for both MX hosts below.

-- 
    Viktor.


==== excalibur

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 531 (0x213)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Thuringia, L=Jena, O=IKS Service GmbH, OU=IKS CA, CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
        Validity
            Not Before: Jan 18 09:33:27 2017 GMT
            Not After : Jan 23 09:33:27 2018 GMT
        Subject: C=DE, ST=Thueringen, L=Jena, O=IKS Service GmbH, CN=excalibur.iks-jena.de/emailAddress=noc@???
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:01:2a:05:e3:35:9e:84:88:6b:e5:c5:6b:90:
                    6e:41:86:d8:30:f6:6f:a0:79:4b:9c:8c:6d:92:73:
                    7c:3e:7f:f0:0b:b2:32:24:47:5d:31:de:b9:26:57:
                    47:9a:84:30:fe:c5:94:54:10:dd:fc:6f:f0:01:5d:
                    ec:db:5c:e1:80:91:90:b3:52:25:33:69:dc:66:92:
                    09:33:32:e5:9b:e9:b3:44:01:5c:38:c5:2e:fa:11:
                    91:5d:62:51:85:c4:1c:0d:71:62:4d:8b:d1:c7:3e:
                    b8:3e:d2:24:27:34:83:30:3a:96:b1:2b:5e:b0:af:
                    f9:a3:68:fa:e5:80:72:cf:75:df:8c:f6:6f:a5:83:
                    2c:dc:2e:36:4f:d2:4b:23:79:1a:e1:ec:75:66:b4:
                    7f:98:5f:20:c5:06:0e:4e:84:9f:13:7a:8c:72:16:
                    75:cf:68:37:e1:5f:0b:11:44:90:35:e7:a0:08:d4:
                    26:d2:21:e9:73:e6:0a:91:2c:30:83:f2:4f:8f:0d:
                    0f:45:48:7f:e7:51:5a:cc:e2:63:da:df:5b:b7:14:
                    c5:19:fc:fc:1a:7a:d6:2d:21:d8:c0:5a:d6:ef:ae:
                    b3:e8:87:ca:83:5c:a3:63:c9:8d:56:09:7b:b6:ff:
                    de:b6:a7:77:7f:de:4d:f3:f7:a1:10:5f:1e:22:29:
                    04:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment: 
                Own company, CA CERT at http://www.iks-jena.de/leistungen/ca/high/X.509/cacert.der
            Netscape Base Url: 
                https://www.iks-service.de/
            Netscape CA Policy Url: 
                ca/high/policy.html
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            Netscape Cert Type: 
                SSL Server
            X509v3 Subject Key Identifier: 
                AC:20:39:40:2C:59:29:DA:61:F4:02:47:3F:43:80:05:6D:BB:DA:80
            X509v3 Authority Key Identifier: 
                keyid:2D:65:6C:3C:8C:18:25:1A:06:CA:9D:1A:CE:55:67:1F:3E:7F:B0:EA
                DirName:/C=DE/ST=Thuringia/L=Jena/O=IKS Service GmbH/OU=IKS CA/CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
                serial:00


            Authority Information Access: 
                OCSP - URI:http://ocsp.iks-jena.de:8888/


            X509v3 Subject Alternative Name: 
                DNS:excalibur.iks-jena.de, DNS:*.mx.iks-jena.de, DNS:*.de.mx.iks-jena.de, DNS:*.com.mx.iks-jena.de, DNS:*.eu.mx.iks-jena.de, DNS:*.donnerhacke.de
    Signature Algorithm: sha256WithRSAEncryption
         46:10:76:aa:41:ba:e8:22:ae:6a:a7:53:8f:0e:96:eb:47:ba:
         03:1f:35:9e:36:e5:a5:36:8e:2e:4e:6c:11:e1:2d:88:b1:f2:
         d7:07:5a:be:15:55:86:45:6b:fc:b0:2b:4f:12:62:f8:ff:7a:
         f4:36:45:7a:fd:24:d9:0e:94:03:81:30:b9:23:e4:82:52:77:
         8d:41:5d:e7:88:63:2f:eb:e9:d5:74:9b:1e:82:a7:f7:11:42:
         37:b2:9f:96:45:3c:8d:23:e0:f6:64:04:1f:7d:6e:d9:d9:54:
         c3:e8:63:02:6b:de:f2:7a:8c:0e:05:6e:6a:be:49:79:db:64:
         ee:75:96:d9:1f:77:91:2e:83:0d:23:ce:3c:79:f7:4b:37:6d:
         2a:5c:eb:01:4b:30:30:48:fa:3e:c2:8d:9f:7d:77:06:d0:ea:
         1c:1f:30:b1:19:75:ee:63:49:da:25:13:e4:d4:aa:32:e8:47:
         40:a8:2c:cc:04:5b:27:11:02:60:c9:3e:d4:2b:87:9b:c3:de:
         38:2d:6a:0f:92:ec:03:c5:43:c9:4e:1a:96:78:9f:2d:a7:d3:
         80:c4:12:49:2a:bc:1b:db:93:ce:8d:0f:56:2e:2b:6b:84:46:
         8c:a9:25:6b:95:11:6a:f1:4c:ad:fc:a8:ef:bb:4c:47:8b:1f:
         91:f5:6c:5b
-----BEGIN CERTIFICATE-----
MIIGaTCCBVGgAwIBAgICAhMwDQYJKoZIhvcNAQELBQAwgakxCzAJBgNVBAYTAkRF
MRIwEAYDVQQIDAlUaHVyaW5naWExDTALBgNVBAcMBEplbmExGTAXBgNVBAoMEElL
UyBTZXJ2aWNlIEdtYkgxDzANBgNVBAsMBklLUyBDQTEsMCoGA1UEAwwjQ0EgZGVy
IElLUyBTZXJ2aWNlIEdtYkggKFNJR04pIDIwMTcxHTAbBgkqhkiG9w0BCQEWDmNh
QGlrcy1qZW5hLmRlMB4XDTE3MDExODA5MzMyN1oXDTE4MDEyMzA5MzMyN1owgY8x
CzAJBgNVBAYTAkRFMRMwEQYDVQQIEwpUaHVlcmluZ2VuMQ0wCwYDVQQHEwRKZW5h
MRkwFwYDVQQKExBJS1MgU2VydmljZSBHbWJIMR4wHAYDVQQDExVleGNhbGlidXIu
aWtzLWplbmEuZGUxITAfBgkqhkiG9w0BCQEWEm5vY0Bpa3Mtc2VydmljZS5kZTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMQBKgXjNZ6EiGvlxWuQbkGG
2DD2b6B5S5yMbZJzfD5/8AuyMiRHXTHeuSZXR5qEMP7FlFQQ3fxv8AFd7Ntc4YCR
kLNSJTNp3GaSCTMy5Zvps0QBXDjFLvoRkV1iUYXEHA1xYk2L0cc+uD7SJCc0gzA6
lrErXrCv+aNo+uWAcs9134z2b6WDLNwuNk/SSyN5GuHsdWa0f5hfIMUGDk6EnxN6
jHIWdc9oN+FfCxFEkDXnoAjUJtIh6XPmCpEsMIPyT48ND0VIf+dRWsziY9rfW7cU
xRn8/Bp61i0h2MBa1u+us+iHyoNco2PJjVYJe7b/3rand3/eTfP3oRBfHiIpBL0C
AwEAAaOCArEwggKtMGEGCWCGSAGG+EIBDQRUFlJPd24gY29tcGFueSwgQ0EgQ0VS
VCBhdCBodHRwOi8vd3d3Lmlrcy1qZW5hLmRlL2xlaXN0dW5nZW4vY2EvaGlnaC9Y
LjUwOS9jYWNlcnQuZGVyMCoGCWCGSAGG+EIBAgQdFhtodHRwczovL3d3dy5pa3Mt
c2VydmljZS5kZS8wIgYJYIZIAYb4QgEIBBUWE2NhL2hpZ2gvcG9saWN5Lmh0bWww
CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJ
YIZIAYb4QgEBBAQDAgZAMB0GA1UdDgQWBBSsIDlALFkp2mH0Akc/Q4AFbbvagDCB
1gYDVR0jBIHOMIHLgBQtZWw8jBglGgbKnRrOVWcfPn+w6qGBr6SBrDCBqTELMAkG
A1UEBhMCREUxEjAQBgNVBAgMCVRodXJpbmdpYTENMAsGA1UEBwwESmVuYTEZMBcG
A1UECgwQSUtTIFNlcnZpY2UgR21iSDEPMA0GA1UECwwGSUtTIENBMSwwKgYDVQQD
DCNDQSBkZXIgSUtTIFNlcnZpY2UgR21iSCAoU0lHTikgMjAxNzEdMBsGCSqGSIb3
DQEJARYOY2FAaWtzLWplbmEuZGWCAQAwOQYIKwYBBQUHAQEELTArMCkGCCsGAQUF
BzABhh1odHRwOi8vb2NzcC5pa3MtamVuYS5kZTo4ODg4LzCBhAYDVR0RBH0we4IV
ZXhjYWxpYnVyLmlrcy1qZW5hLmRlghAqLm14Lmlrcy1qZW5hLmRlghMqLmRlLm14
Lmlrcy1qZW5hLmRlghQqLmNvbS5teC5pa3MtamVuYS5kZYITKi5ldS5teC5pa3Mt
amVuYS5kZYIQKi5kb25uZXJoYWNrZS5kZTANBgkqhkiG9w0BAQsFAAOCAQEARhB2
qkG66CKuaqdTjw6W60e6Ax81njblpTaOLk5sEeEtiLHy1wdavhVVhkVr/LArTxJi
+P969DZFev0k2Q6UA4EwuSPkglJ3jUFd54hjL+vp1XSbHoKn9xFCN7KflkU8jSPg
9mQEH31u2dlUw+hjAmve8nqMDgVuar5Jedtk7nWW2R93kS6DDSPOPHn3SzdtKlzr
AUswMEj6PsKNn313BtDqHB8wsRl17mNJ2iUT5NSqMuhHQKgszARbJxECYMk+1CuH
m8PeOC1qD5LsA8VDyU4alnifLafTgMQSSSq8G9uTzo0PVi4ra4RGjKkla5URavFM
rfyo77tMR4sfkfVsWw==
-----END CERTIFICATE-----


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Thuringia, L=Jena, O=IKS Service GmbH, OU=IKS CA, CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
        Validity
            Not Before: Jan  4 13:25:03 2017 GMT
            Not After : Feb  3 13:25:03 2019 GMT
        Subject: C=DE, ST=Thuringia, L=Jena, O=IKS Service GmbH, OU=IKS CA, CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f5:91:98:18:5b:72:17:a5:49:1c:85:66:46:c6:
                    b8:de:df:a8:34:59:ef:96:e9:f9:0b:42:93:13:42:
                    a1:4f:03:e8:4a:e0:2e:49:4e:80:8a:d3:7e:a5:94:
                    54:b1:fd:c1:10:3f:19:41:81:2d:b9:f7:27:68:8f:
                    67:5e:70:fc:68:a7:00:26:00:bf:6c:8c:07:ce:23:
                    ca:66:a6:7c:f8:e6:e2:54:0b:57:f6:aa:eb:1a:eb:
                    1b:b6:f5:43:f5:d9:f3:39:1d:50:6f:fb:7f:ea:2b:
                    49:31:c5:43:55:3b:67:da:c3:b7:8f:33:27:4c:b6:
                    60:52:82:3e:d9:29:4c:ea:17:1a:55:63:af:b5:4e:
                    b7:6c:73:9b:4f:71:b2:3a:10:28:70:bd:e1:2b:bc:
                    e1:54:0b:37:2c:30:99:78:7a:d0:ad:90:e7:c4:01:
                    74:30:fd:23:f2:f5:91:aa:da:35:cf:0c:7d:a4:2b:
                    ba:0f:94:4c:16:31:99:4f:19:d5:46:ac:56:c5:10:
                    09:b7:42:3c:a3:ed:61:aa:ab:5b:cb:ff:4c:27:0d:
                    41:0d:3a:17:23:dd:1c:54:87:79:ad:c5:56:7e:2c:
                    1d:ef:19:95:f3:ec:db:8e:94:e1:e8:ba:2e:0c:e2:
                    cb:c6:47:ce:38:0b:c7:9b:17:3a:29:2e:c2:af:e8:
                    99:07
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                2D:65:6C:3C:8C:18:25:1A:06:CA:9D:1A:CE:55:67:1F:3E:7F:B0:EA
            X509v3 Authority Key Identifier: 
                keyid:2D:65:6C:3C:8C:18:25:1A:06:CA:9D:1A:CE:55:67:1F:3E:7F:B0:EA
                DirName:/C=DE/ST=Thuringia/L=Jena/O=IKS Service GmbH/OU=IKS CA/CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
                serial:00


            Netscape Comment: 
                IKS CA
            Netscape Base Url: 
                https://www.iks-service.de/
            Netscape CA Policy Url: 
                ca/high/policy.html
    Signature Algorithm: sha256WithRSAEncryption
         87:24:14:a0:81:e6:49:63:65:2d:a1:07:f0:bf:be:4c:76:bc:
         fb:8f:9f:8f:3c:ed:f9:2e:fd:69:e1:e6:65:64:53:95:8e:b3:
         cf:25:03:90:d5:06:57:bb:24:e7:60:79:23:5a:52:1f:08:89:
         42:d8:29:a3:86:78:ab:9d:22:06:4d:5b:90:2c:b9:08:76:e3:
         6c:f9:0a:27:12:85:48:38:8a:e2:2f:e8:8a:05:fb:0e:42:14:
         6d:bb:2d:7b:9e:10:8a:55:49:f6:a8:6c:e9:74:27:ce:bd:5d:
         80:e5:01:2b:62:d7:ff:a9:e7:65:87:fc:b1:1b:a0:58:74:0b:
         14:b1:e8:ad:41:ad:c2:01:a3:af:b4:f1:ec:c0:7f:47:b9:bd:
         31:53:6c:50:b3:f0:8e:8d:ab:15:3a:f8:b8:c5:da:c4:12:2d:
         e4:55:d5:1e:88:2f:0e:84:03:ff:eb:06:7f:c5:f0:05:42:af:
         b3:0c:06:e1:84:b1:ac:20:ad:8c:6f:6b:69:15:b4:ae:7a:80:
         b8:c3:f8:cb:2a:b5:63:ed:d4:e5:3a:95:d7:d2:81:7c:6f:58:
         50:ba:e1:4f:50:d0:ca:ad:32:e5:ff:be:48:49:94:f9:61:d1:
         ed:a9:36:f5:14:a8:1e:3d:ae:93:64:a5:52:4f:40:d7:79:82:
         eb:cc:fa:b4
-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMCREUx
EjAQBgNVBAgMCVRodXJpbmdpYTENMAsGA1UEBwwESmVuYTEZMBcGA1UECgwQSUtT
IFNlcnZpY2UgR21iSDEPMA0GA1UECwwGSUtTIENBMSwwKgYDVQQDDCNDQSBkZXIg
SUtTIFNlcnZpY2UgR21iSCAoU0lHTikgMjAxNzEdMBsGCSqGSIb3DQEJARYOY2FA
aWtzLWplbmEuZGUwHhcNMTcwMTA0MTMyNTAzWhcNMTkwMjAzMTMyNTAzWjCBqTEL
MAkGA1UEBhMCREUxEjAQBgNVBAgMCVRodXJpbmdpYTENMAsGA1UEBwwESmVuYTEZ
MBcGA1UECgwQSUtTIFNlcnZpY2UgR21iSDEPMA0GA1UECwwGSUtTIENBMSwwKgYD
VQQDDCNDQSBkZXIgSUtTIFNlcnZpY2UgR21iSCAoU0lHTikgMjAxNzEdMBsGCSqG
SIb3DQEJARYOY2FAaWtzLWplbmEuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQD1kZgYW3IXpUkchWZGxrje36g0We+W6fkLQpMTQqFPA+hK4C5JToCK
036llFSx/cEQPxlBgS259ydoj2decPxopwAmAL9sjAfOI8pmpnz45uJUC1f2qusa
6xu29UP12fM5HVBv+3/qK0kxxUNVO2faw7ePMydMtmBSgj7ZKUzqFxpVY6+1Trds
c5tPcbI6EChwveErvOFUCzcsMJl4etCtkOfEAXQw/SPy9ZGq2jXPDH2kK7oPlEwW
MZlPGdVGrFbFEAm3Qjyj7WGqq1vL/0wnDUENOhcj3RxUh3mtxVZ+LB3vGZXz7NuO
lOHoui4M4svGR844C8ebFzopLsKv6JkHAgMBAAGjggGUMIIBkDARBglghkgBhvhC
AQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE
FC1lbDyMGCUaBsqdGs5VZx8+f7DqMIHWBgNVHSMEgc4wgcuAFC1lbDyMGCUaBsqd
Gs5VZx8+f7DqoYGvpIGsMIGpMQswCQYDVQQGEwJERTESMBAGA1UECAwJVGh1cmlu
Z2lhMQ0wCwYDVQQHDARKZW5hMRkwFwYDVQQKDBBJS1MgU2VydmljZSBHbWJIMQ8w
DQYDVQQLDAZJS1MgQ0ExLDAqBgNVBAMMI0NBIGRlciBJS1MgU2VydmljZSBHbWJI
IChTSUdOKSAyMDE3MR0wGwYJKoZIhvcNAQkBFg5jYUBpa3MtamVuYS5kZYIBADAV
BglghkgBhvhCAQ0ECBYGSUtTIENBMCoGCWCGSAGG+EIBAgQdFhtodHRwczovL3d3
dy5pa3Mtc2VydmljZS5kZS8wIgYJYIZIAYb4QgEIBBUWE2NhL2hpZ2gvcG9saWN5
Lmh0bWwwDQYJKoZIhvcNAQELBQADggEBAIckFKCB5kljZS2hB/C/vkx2vPuPn488
7fku/Wnh5mVkU5WOs88lA5DVBle7JOdgeSNaUh8IiULYKaOGeKudIgZNW5AsuQh2
42z5CicShUg4iuIv6IoF+w5CFG27LXueEIpVSfaobOl0J869XYDlASti1/+p52WH
/LEboFh0CxSx6K1BrcIBo6+08ezAf0e5vTFTbFCz8I6NqxU6+LjF2sQSLeRV1R6I
Lw6EA//rBn/F8AVCr7MMBuGEsawgrYxva2kVtK56gLjD+MsqtWPt1OU6ldfSgXxv
WFC64U9Q0MqtMuX/vkhJlPlh0e2pNvUUqB49rpNkpVJPQNd5guvM+rQ=
-----END CERTIFICATE-----


==== avalon

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 569 (0x239)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Thuringia, L=Jena, O=IKS Service GmbH, OU=IKS CA, CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
        Validity
            Not Before: Oct 16 13:08:42 2017 GMT
            Not After : Nov 10 13:08:42 2018 GMT
        Subject: C=DE, ST=Thuringia, L=Jena, O=IKS Service GmbH, CN=avalon.iks-jena.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ad:cb:58:71:27:dd:ab:f7:07:73:d4:47:46:89:
                    6e:21:fe:e5:f9:9f:1b:08:3b:ce:ee:06:c7:64:57:
                    b7:99:86:1e:35:14:0d:9e:cc:e2:64:e6:dd:5a:87:
                    7c:5c:13:e0:2b:ea:d8:56:21:df:79:a1:87:f2:4b:
                    c0:d5:31:1a:77:0f:12:eb:97:a4:fc:49:70:c5:dd:
                    3d:28:a2:77:64:b7:04:69:91:a4:6e:56:43:b4:cf:
                    e5:02:7c:83:ce:0f:d2:e9:0a:18:3b:3e:ac:33:c7:
                    60:1a:6e:30:4d:59:19:b6:ae:a8:f6:47:89:28:59:
                    d4:59:75:f8:52:1b:04:ac:ec:d8:01:0b:83:b5:78:
                    3d:7b:f1:99:04:ac:ef:c3:70:80:5d:2b:7f:12:d3:
                    7d:69:ac:4f:4f:c7:a5:54:83:08:3a:48:57:51:35:
                    b8:68:46:6d:31:7b:80:8e:1e:d3:c3:d6:28:9b:85:
                    dc:1a:ff:1e:fc:ce:4a:70:fa:81:65:e2:6b:b3:6f:
                    2d:cd:5c:0b:21:8f:db:99:2e:4e:5e:48:18:6c:2e:
                    bc:26:e1:8b:bc:07:5c:20:d7:c3:85:91:cf:e5:82:
                    23:27:8a:ad:d0:bf:0c:0d:8e:06:e5:2d:00:ac:32:
                    f1:d0:6d:85:6e:d1:36:3d:0f:f1:94:62:7a:5a:b8:
                    52:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment: 
                Own company, CA CERT at http://www.iks-service.de/ca/high/X.509/cacert.der
            Netscape Base Url: 
                https://www.iks-service.de/
            Netscape CA Policy Url: 
                ca/high/policy.html
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            Netscape Cert Type: 
                SSL Server
            X509v3 Subject Key Identifier: 
                69:E3:8E:E9:84:13:93:43:23:A6:AA:10:9A:9C:2F:1F:C4:24:E9:AB
            X509v3 Authority Key Identifier: 
                keyid:2D:65:6C:3C:8C:18:25:1A:06:CA:9D:1A:CE:55:67:1F:3E:7F:B0:EA
                DirName:/C=DE/ST=Thuringia/L=Jena/O=IKS Service GmbH/OU=IKS CA/CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
                serial:00


            Authority Information Access: 
                OCSP - URI:http://ocsp.iks-jena.de:8888/


            X509v3 Subject Alternative Name: 
                DNS:avalon.iks-jena.de, DNS:ftp.iks-jena.de
    Signature Algorithm: sha256WithRSAEncryption
         b5:86:7e:2f:b7:75:e5:b4:c8:fd:8b:d6:26:94:36:46:1c:ac:
         ff:e2:50:93:8f:26:39:4d:53:ca:e2:ea:29:bd:01:4f:1b:ab:
         f9:e9:76:6c:75:4f:0e:76:b5:57:6f:6c:fd:26:6f:9b:88:9a:
         e7:cb:9a:0a:fb:d3:ae:9d:71:58:52:f7:57:b3:74:e7:71:91:
         e9:d9:e4:ff:fa:cc:ff:9d:b8:d7:9f:8e:5a:ff:f8:00:7a:b7:
         05:d5:09:51:52:74:8e:13:65:d5:88:b9:9f:78:94:8f:85:43:
         2f:e0:03:f9:da:00:7d:24:32:c0:7e:90:d1:81:22:56:dc:2b:
         6f:af:08:79:8d:3f:bc:3e:2b:b7:ac:06:b3:18:59:40:60:c9:
         88:04:cd:e0:22:4b:a1:7e:91:ac:db:04:13:af:2c:8d:12:e1:
         07:8f:6f:ca:ad:2b:03:41:04:33:e3:c7:b9:26:e1:95:54:ab:
         54:1b:5e:b6:24:96:c5:d8:1f:53:d9:b1:92:31:92:24:d9:00:
         6d:4d:c5:66:0d:a6:63:b7:a3:b2:1a:0c:3c:10:f9:04:23:fe:
         55:4f:d5:56:92:24:f1:f7:10:e8:fa:31:01:2b:d9:99:f1:ec:
         8d:0d:9a:60:c7:57:11:53:3e:bb:21:e7:2e:c1:e0:81:29:ef:
         8f:4f:36:59
-----BEGIN CERTIFICATE-----
MIIF4jCCBMqgAwIBAgICAjkwDQYJKoZIhvcNAQELBQAwgakxCzAJBgNVBAYTAkRF
MRIwEAYDVQQIDAlUaHVyaW5naWExDTALBgNVBAcMBEplbmExGTAXBgNVBAoMEElL
UyBTZXJ2aWNlIEdtYkgxDzANBgNVBAsMBklLUyBDQTEsMCoGA1UEAwwjQ0EgZGVy
IElLUyBTZXJ2aWNlIEdtYkggKFNJR04pIDIwMTcxHTAbBgkqhkiG9w0BCQEWDmNh
QGlrcy1qZW5hLmRlMB4XDTE3MTAxNjEzMDg0MloXDTE4MTExMDEzMDg0MlowaDEL
MAkGA1UEBhMCREUxEjAQBgNVBAgTCVRodXJpbmdpYTENMAsGA1UEBxMESmVuYTEZ
MBcGA1UEChMQSUtTIFNlcnZpY2UgR21iSDEbMBkGA1UEAxMSYXZhbG9uLmlrcy1q
ZW5hLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArctYcSfdq/cH
c9RHRoluIf7l+Z8bCDvO7gbHZFe3mYYeNRQNnsziZObdWod8XBPgK+rYViHfeaGH
8kvA1TEadw8S65ek/Elwxd09KKJ3ZLcEaZGkblZDtM/lAnyDzg/S6QoYOz6sM8dg
Gm4wTVkZtq6o9keJKFnUWXX4UhsErOzYAQuDtXg9e/GZBKzvw3CAXSt/EtN9aaxP
T8elVIMIOkhXUTW4aEZtMXuAjh7Tw9Yom4XcGv8e/M5KcPqBZeJrs28tzVwLIY/b
mS5OXkgYbC68JuGLvAdcINfDhZHP5YIjJ4qt0L8MDY4G5S0ArDLx0G2FbtE2PQ/x
lGJ6WrhSowIDAQABo4ICUjCCAk4wWQYJYIZIAYb4QgENBEwWSk93biBjb21wYW55
LCBDQSBDRVJUIGF0IGh0dHA6Ly93d3cuaWtzLXNlcnZpY2UuZGUvY2EvaGlnaC9Y
LjUwOS9jYWNlcnQuZGVyMCoGCWCGSAGG+EIBAgQdFhtodHRwczovL3d3dy5pa3Mt
c2VydmljZS5kZS8wIgYJYIZIAYb4QgEIBBUWE2NhL2hpZ2gvcG9saWN5Lmh0bWww
CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwEQYJ
YIZIAYb4QgEBBAQDAgZAMB0GA1UdDgQWBBRp447phBOTQyOmqhCanC8fxCTpqzCB
1gYDVR0jBIHOMIHLgBQtZWw8jBglGgbKnRrOVWcfPn+w6qGBr6SBrDCBqTELMAkG
A1UEBhMCREUxEjAQBgNVBAgMCVRodXJpbmdpYTENMAsGA1UEBwwESmVuYTEZMBcG
A1UECgwQSUtTIFNlcnZpY2UgR21iSDEPMA0GA1UECwwGSUtTIENBMSwwKgYDVQQD
DCNDQSBkZXIgSUtTIFNlcnZpY2UgR21iSCAoU0lHTikgMjAxNzEdMBsGCSqGSIb3
DQEJARYOY2FAaWtzLWplbmEuZGWCAQAwOQYIKwYBBQUHAQEELTArMCkGCCsGAQUF
BzABhh1odHRwOi8vb2NzcC5pa3MtamVuYS5kZTo4ODg4LzAuBgNVHREEJzAlghJh
dmFsb24uaWtzLWplbmEuZGWCD2Z0cC5pa3MtamVuYS5kZTANBgkqhkiG9w0BAQsF
AAOCAQEAtYZ+L7d15bTI/YvWJpQ2Rhys/+JQk48mOU1TyuLqKb0BTxur+el2bHVP
Dna1V29s/SZvm4ia58uaCvvTrp1xWFL3V7N053GR6dnk//rM/52415+OWv/4AHq3
BdUJUVJ0jhNl1Yi5n3iUj4VDL+AD+doAfSQywH6Q0YEiVtwrb68IeY0/vD4rt6wG
sxhZQGDJiATN4CJLoX6RrNsEE68sjRLhB49vyq0rA0EEM+PHuSbhlVSrVBtetiSW
xdgfU9mxkjGSJNkAbU3FZg2mY7ejshoMPBD5BCP+VU/VVpIk8fcQ6PoxASvZmfHs
jQ2aYMdXEVM+uyHnLsHggSnvj082WQ==
-----END CERTIFICATE-----


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Thuringia, L=Jena, O=IKS Service GmbH, OU=IKS CA, CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
        Validity
            Not Before: Jan  4 13:25:03 2017 GMT
            Not After : Feb  3 13:25:03 2019 GMT
        Subject: C=DE, ST=Thuringia, L=Jena, O=IKS Service GmbH, OU=IKS CA, CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f5:91:98:18:5b:72:17:a5:49:1c:85:66:46:c6:
                    b8:de:df:a8:34:59:ef:96:e9:f9:0b:42:93:13:42:
                    a1:4f:03:e8:4a:e0:2e:49:4e:80:8a:d3:7e:a5:94:
                    54:b1:fd:c1:10:3f:19:41:81:2d:b9:f7:27:68:8f:
                    67:5e:70:fc:68:a7:00:26:00:bf:6c:8c:07:ce:23:
                    ca:66:a6:7c:f8:e6:e2:54:0b:57:f6:aa:eb:1a:eb:
                    1b:b6:f5:43:f5:d9:f3:39:1d:50:6f:fb:7f:ea:2b:
                    49:31:c5:43:55:3b:67:da:c3:b7:8f:33:27:4c:b6:
                    60:52:82:3e:d9:29:4c:ea:17:1a:55:63:af:b5:4e:
                    b7:6c:73:9b:4f:71:b2:3a:10:28:70:bd:e1:2b:bc:
                    e1:54:0b:37:2c:30:99:78:7a:d0:ad:90:e7:c4:01:
                    74:30:fd:23:f2:f5:91:aa:da:35:cf:0c:7d:a4:2b:
                    ba:0f:94:4c:16:31:99:4f:19:d5:46:ac:56:c5:10:
                    09:b7:42:3c:a3:ed:61:aa:ab:5b:cb:ff:4c:27:0d:
                    41:0d:3a:17:23:dd:1c:54:87:79:ad:c5:56:7e:2c:
                    1d:ef:19:95:f3:ec:db:8e:94:e1:e8:ba:2e:0c:e2:
                    cb:c6:47:ce:38:0b:c7:9b:17:3a:29:2e:c2:af:e8:
                    99:07
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type: 
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                2D:65:6C:3C:8C:18:25:1A:06:CA:9D:1A:CE:55:67:1F:3E:7F:B0:EA
            X509v3 Authority Key Identifier: 
                keyid:2D:65:6C:3C:8C:18:25:1A:06:CA:9D:1A:CE:55:67:1F:3E:7F:B0:EA
                DirName:/C=DE/ST=Thuringia/L=Jena/O=IKS Service GmbH/OU=IKS CA/CN=CA der IKS Service GmbH (SIGN) 2017/emailAddress=ca@???
                serial:00


            Netscape Comment: 
                IKS CA
            Netscape Base Url: 
                https://www.iks-service.de/
            Netscape CA Policy Url: 
                ca/high/policy.html
    Signature Algorithm: sha256WithRSAEncryption
         87:24:14:a0:81:e6:49:63:65:2d:a1:07:f0:bf:be:4c:76:bc:
         fb:8f:9f:8f:3c:ed:f9:2e:fd:69:e1:e6:65:64:53:95:8e:b3:
         cf:25:03:90:d5:06:57:bb:24:e7:60:79:23:5a:52:1f:08:89:
         42:d8:29:a3:86:78:ab:9d:22:06:4d:5b:90:2c:b9:08:76:e3:
         6c:f9:0a:27:12:85:48:38:8a:e2:2f:e8:8a:05:fb:0e:42:14:
         6d:bb:2d:7b:9e:10:8a:55:49:f6:a8:6c:e9:74:27:ce:bd:5d:
         80:e5:01:2b:62:d7:ff:a9:e7:65:87:fc:b1:1b:a0:58:74:0b:
         14:b1:e8:ad:41:ad:c2:01:a3:af:b4:f1:ec:c0:7f:47:b9:bd:
         31:53:6c:50:b3:f0:8e:8d:ab:15:3a:f8:b8:c5:da:c4:12:2d:
         e4:55:d5:1e:88:2f:0e:84:03:ff:eb:06:7f:c5:f0:05:42:af:
         b3:0c:06:e1:84:b1:ac:20:ad:8c:6f:6b:69:15:b4:ae:7a:80:
         b8:c3:f8:cb:2a:b5:63:ed:d4:e5:3a:95:d7:d2:81:7c:6f:58:
         50:ba:e1:4f:50:d0:ca:ad:32:e5:ff:be:48:49:94:f9:61:d1:
         ed:a9:36:f5:14:a8:1e:3d:ae:93:64:a5:52:4f:40:d7:79:82:
         eb:cc:fa:b4
-----BEGIN CERTIFICATE-----
MIIFZTCCBE2gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBqTELMAkGA1UEBhMCREUx
EjAQBgNVBAgMCVRodXJpbmdpYTENMAsGA1UEBwwESmVuYTEZMBcGA1UECgwQSUtT
IFNlcnZpY2UgR21iSDEPMA0GA1UECwwGSUtTIENBMSwwKgYDVQQDDCNDQSBkZXIg
SUtTIFNlcnZpY2UgR21iSCAoU0lHTikgMjAxNzEdMBsGCSqGSIb3DQEJARYOY2FA
aWtzLWplbmEuZGUwHhcNMTcwMTA0MTMyNTAzWhcNMTkwMjAzMTMyNTAzWjCBqTEL
MAkGA1UEBhMCREUxEjAQBgNVBAgMCVRodXJpbmdpYTENMAsGA1UEBwwESmVuYTEZ
MBcGA1UECgwQSUtTIFNlcnZpY2UgR21iSDEPMA0GA1UECwwGSUtTIENBMSwwKgYD
VQQDDCNDQSBkZXIgSUtTIFNlcnZpY2UgR21iSCAoU0lHTikgMjAxNzEdMBsGCSqG
SIb3DQEJARYOY2FAaWtzLWplbmEuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQD1kZgYW3IXpUkchWZGxrje36g0We+W6fkLQpMTQqFPA+hK4C5JToCK
036llFSx/cEQPxlBgS259ydoj2decPxopwAmAL9sjAfOI8pmpnz45uJUC1f2qusa
6xu29UP12fM5HVBv+3/qK0kxxUNVO2faw7ePMydMtmBSgj7ZKUzqFxpVY6+1Trds
c5tPcbI6EChwveErvOFUCzcsMJl4etCtkOfEAXQw/SPy9ZGq2jXPDH2kK7oPlEwW
MZlPGdVGrFbFEAm3Qjyj7WGqq1vL/0wnDUENOhcj3RxUh3mtxVZ+LB3vGZXz7NuO
lOHoui4M4svGR844C8ebFzopLsKv6JkHAgMBAAGjggGUMIIBkDARBglghkgBhvhC
AQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYE
FC1lbDyMGCUaBsqdGs5VZx8+f7DqMIHWBgNVHSMEgc4wgcuAFC1lbDyMGCUaBsqd
Gs5VZx8+f7DqoYGvpIGsMIGpMQswCQYDVQQGEwJERTESMBAGA1UECAwJVGh1cmlu
Z2lhMQ0wCwYDVQQHDARKZW5hMRkwFwYDVQQKDBBJS1MgU2VydmljZSBHbWJIMQ8w
DQYDVQQLDAZJS1MgQ0ExLDAqBgNVBAMMI0NBIGRlciBJS1MgU2VydmljZSBHbWJI
IChTSUdOKSAyMDE3MR0wGwYJKoZIhvcNAQkBFg5jYUBpa3MtamVuYS5kZYIBADAV
BglghkgBhvhCAQ0ECBYGSUtTIENBMCoGCWCGSAGG+EIBAgQdFhtodHRwczovL3d3
dy5pa3Mtc2VydmljZS5kZS8wIgYJYIZIAYb4QgEIBBUWE2NhL2hpZ2gvcG9saWN5
Lmh0bWwwDQYJKoZIhvcNAQELBQADggEBAIckFKCB5kljZS2hB/C/vkx2vPuPn488
7fku/Wnh5mVkU5WOs88lA5DVBle7JOdgeSNaUh8IiULYKaOGeKudIgZNW5AsuQh2
42z5CicShUg4iuIv6IoF+w5CFG27LXueEIpVSfaobOl0J869XYDlASti1/+p52WH
/LEboFh0CxSx6K1BrcIBo6+08ezAf0e5vTFTbFCz8I6NqxU6+LjF2sQSLeRV1R6I
Lw6EA//rBn/F8AVCr7MMBuGEsawgrYxva2kVtK56gLjD+MsqtWPt1OU6ldfSgXxv
WFC64U9Q0MqtMuX/vkhJlPlh0e2pNvUUqB49rpNkpVJPQNd5guvM+rQ=
-----END CERTIFICATE-----