From 1d4622ebab69e499f532d6217f699b7a37970068 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 6 May 2016 15:12:53 -0400 Subject: [PATCH 01/11] Additional checks in run_protocols() One server I am testing responds to an SSLv3 ClientHello with TLSv1.2. If tls_sockets is being used, then testssl.sh responds with "#FIXME: downgraded. still missing a test case here." This PR fixes that, and in general checks the responses in run_protocols() more closely. If tls_sockets is being used and the connection fails even though the server supports an earlier version of SSL/TLS, then it flags an error. If tls_sockets returns 2, then it verifies that $DETECTED_TLS_VERSION is equal to the highest version number supported by the server (that is also less than the version number in the ClientHello). In addition, in order to test servers' support for version negotiation, it adds a new test that sends a TLSv1.4 ClientHello and verifies that the server responds with the highest version number that it supports. (This test only runs if both $using_sockets and $EXPERIMENTAL are true and server actually supports some version of SSL/TLS other than SSLv2.) --- testssl.sh | 195 +++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 161 insertions(+), 34 deletions(-) diff --git a/testssl.sh b/testssl.sh index 8d133d4..1869d06 100755 --- a/testssl.sh +++ b/testssl.sh 
@@ -2224,31 +2224,34 @@ run_protocols() { local using_sockets=true local supported_no_ciph1="supported but couldn't detect a cipher (may need debugging)" local supported_no_ciph2="supported but couldn't detect a cipher" - local via="" + local latest_supported="" # version.major and version.minor of highest version supported by the server. + local detected_version_string latest_supported_string + local extra_spaces="" outln; pr_headline " Testing protocols " - via="Protocol tested " #FIXME: use PROTOS_OFFERED here if $SSL_NATIVE; then using_sockets=false pr_headlineln "(via native openssl)" - via+="via native openssl" else if [[ -n "$STARTTLS" ]]; then pr_headlineln "(via openssl, SSLv2 via sockets) " - via+="via openssl, SSLv2 via sockets" using_sockets=false else using_sockets=true - pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) " - via+="via sockets except for TLS1.2, SPDY+HTTP2" + if $EXPERIMENTAL; then + pr_headlineln "(via sockets except SPDY+HTTP2) " + extra_spaces=" " + else + pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) " + fi fi fi outln - pr_bold " SSLv2 "; + pr_bold " SSLv2 $extra_spaces"; if ! $SSL_NATIVE; then sslv2_sockets #FIXME: messages need to be moved to this higher level else @@ -2272,7 +2275,7 @@ run_protocols() { esac fi - pr_bold " SSLv3 "; + pr_bold " SSLv3 $extra_spaces"; if $using_sockets; then tls_sockets "00" "$TLS_CIPHER" else 
@@ -2282,14 +2285,22 @@ run_protocols() { 0) pr_svrty_highln "offered (NOT ok)" fileout "sslv3" "NOT ok" "SSLv3 is offered (NOT ok)" + latest_supported="0300" + latest_supported_string="SSLv3" ;; 1) pr_done_bestln "not offered (OK)" fileout "sslv3" "OK" "SSLv3 is not offered (OK)" ;; 2) - pr_warningln "#FIXME: downgraded. still missing a test case here" - fileout "sslv3" "WARN" "SSLv3: #FIXME: downgraded. still missing a test case here" + if [[ "$DETECTED_TLS_VERSION" == 03* ]]; then + detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" + pr_svrty_criticalln "server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + fileout "sslv3" "NOT ok" "SSLv3: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + else + pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fileout "sslv3" "NOT ok" "SSLv3: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fi ;; 5) fileout "sslv3" "WARN" "SSLv3 is $supported_no_ciph1" @@ -2301,7 +2312,7 @@ run_protocols() { ;; # no local support esac - pr_bold " TLS 1 "; + pr_bold " TLS 1 $extra_spaces"; if $using_sockets; then tls_sockets "01" "$TLS_CIPHER" else 
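Review bot: The `2)` arm feeds `$DETECTED_TLS_VERSION` straight into bash arithmetic (`$((0x$DETECTED_TLS_VERSION-0x0301))`), and the only validation is the `== 03*` glob, which accepts any suffix. That value is taken from the server's reply by tls_sockets (not in this view); if it is always exactly two hex bytes this is harmless, but bash arithmetic evaluation expands array subscripts inside the operand, a known injection vector, so a malformed value would at best abort the arm and at worst execute something. Tightening the guard to `if [[ "$DETECTED_TLS_VERSION" =~ ^03[0-9a-fA-F]{2}$ ]]; then` makes the arithmetic safe regardless of how tls_sockets builds the string, and the same guard belongs in the sibling TLS 1.x arms that do `[[ 0x$DETECTED_TLS_VERSION -gt … ]]`. run_protocols starts and ends outside this hunk.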
@@ -2311,16 +2322,33 @@ run_protocols() { 0) outln "offered" fileout "tls1" "INFO" "TLSv1.0 is offered" + latest_supported="0301" + latest_supported_string="TLSv1.0" ;; # nothing wrong with it -- per se 1) - outln "not offered" - fileout "tls1" "INFO" "TLSv1.0 is not offered" - ;; # neither good or bad + out "not offered" + if ! $using_sockets || [[ -z $latest_supported ]]; then + outln + fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad + else + pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" + fileout "tls1" "NOT ok" "TLSv1.0: connection failed rather than downgrading to $latest_supported_string (NOT ok)" + fi + ;; 2) pr_svrty_medium "not offered (NOT ok)" - [[ $DEBUG -eq 1 ]] && out " -- downgraded" - outln - fileout "tls1" "NOT ok" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)" + if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then + [[ $DEBUG -eq 1 ]] && out " -- downgraded" + outln + fileout "tls1" "NOT ok" "TLSv1.0 is not offered, and downgraded to SSL (NOT ok)" + elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then + detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" + pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client" + fileout "tls1" "NOT ok" "TLSv1.0: server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + else + pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" + fileout "tls1" "NOT ok" "TLSv1.0: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fi ;; 5) outln "$supported_no_ciph1" # protocol ok, but no cipher @@ -2331,7 +2359,7 @@ run_protocols() { ;; # no local support esac - pr_bold " TLS 1.1 "; + pr_bold " TLS 1.1 $extra_spaces"; if $using_sockets; then tls_sockets "02" "$TLS_CIPHER" else 
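Review bot: In the `2)` arm a `0300` reply is accepted as a legitimate downgrade without consulting `$latest_supported`, whereas the TLS 1.1 and TLS 1.2 arms of this same patch compare the reply against it. If the SSLv3 probe above reported "not offered", a server that answers a TLS 1.0 ClientHello with SSLv3 is contradicting itself and should not be logged as a plain downgrade. Changing the test to `if [[ "$DETECTED_TLS_VERSION" == "0300" ]] && [[ "$latest_supported" == "0300" ]]; then` keeps this arm consistent with its siblings and lets the final `else` report the mismatch. run_protocols continues outside this hunk.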
@@ -2341,16 +2369,36 @@ run_protocols() { 0) outln "offered" fileout "tls1_1" "INFO" "TLSv1.1 is offered" + latest_supported="0302" + latest_supported_string="TLSv1.1" ;; # nothing wrong with it 1) - outln "not offered" - fileout "tls1_1" "INFO" "TLSv1.1 is not offered" - ;; # neither good or bad + out "not offered" + if ! $using_sockets || [[ -z $latest_supported ]]; then + outln + fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad + else + pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string" + fileout "tls1_1" "NOT ok" "TLSv1.1: connection failed rather than downgrading to $latest_supported_string (NOT ok)" + fi + ;; 2) out "not offered" - [[ $DEBUG -eq 1 ]] && out " -- downgraded" - outln - fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, and downgraded to a weaker protocol (NOT ok)" + if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then + [[ $DEBUG -eq 1 ]] && out " -- downgraded" + outln + fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, and downgraded to a weaker protocol (NOT ok)" + elif [[ "$DETECTED_TLS_VERSION" == "0300" ]] && [[ "$latest_supported" == "0301" ]]; then + pr_svrty_criticalln " -- server supports TLSv1.0, but downgraded to SSLv3 (NOT ok)" + fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, and downgraded to SSLv3 rather than TLSv1.0 (NOT ok)" + elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0302 ]]; then + detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" + pr_svrty_criticalln " -- server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + fileout "tls1_1" "NOT ok" "TLSv1.1 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + else + pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fileout "tls1" "NOT ok" "TLSv1.1: server 
responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fi ;; 5) outln "$supported_no_ciph1" @@ -2361,7 +2409,7 @@ run_protocols() { ;; # no local support esac - pr_bold " TLS 1.2 "; + pr_bold " TLS 1.2 $extra_spaces"; if $using_sockets && $EXPERIMENTAL; then #TODO: IIS servers do have a problem here with our handshake tls_sockets "03" "$TLS12_CIPHER" else 
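Review bot: The last `else` of the `2)` arm writes its finding under the JSON id `tls1` (`fileout "tls1" "NOT ok" "TLSv1.1: server responded …"`) while every other finding in this arm uses `tls1_1`, so a consumer keying on id would see a second `tls1` record instead of a TLSv1.1 one. It should read `fileout "tls1_1" "NOT ok" "TLSv1.1: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"`. The same copy-paste slip appears in the TLS 1.2 arm. run_protocols starts and ends outside this hunk.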
@@ -2371,16 +2419,40 @@ run_protocols() { 0) pr_done_bestln "offered (OK)" fileout "tls1_2" "OK" "TLSv1.2 is offered (OK)" + latest_supported="0303" + latest_supported_string="TLSv1.2" ;; # GCM cipher in TLS 1.2: very good! 1) - pr_svrty_mediumln "not offered (NOT ok)" - fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered (NOT ok)" - ;; # no GCM, penalty + pr_svrty_medium "not offered (NOT ok)" + if ! $using_sockets || ! $EXPERIMENTAL || [[ -z $latest_supported ]]; then + outln + fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered (NOT ok)" # no GCM, penalty + else + pr_svrty_criticalln " -- connection failed rather than downgrading to $latest_supported_string" + fileout "tls1_1" "NOT ok" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string" + fi + ;; 2) - pr_svrty_medium "not offered (NOT ok)" - [[ $DEBUG -eq 1 ]] && out " -- downgraded" - outln - fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered and downgraded to a weaker protocol (NOT ok)" + pr_svrty_medium "not offered (NOT ok)" + if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then + detected_version_string="SSLv3" + elif [[ "$DETECTED_TLS_VERSION" == 03* ]]; then + detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" + fi + if [[ "$DETECTED_TLS_VERSION" == "$latest_supported" ]]; then + [[ $DEBUG -eq 1 ]] && out " -- downgraded" + outln + fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered and downgraded to a weaker protocol (NOT ok)" + elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then + pr_svrty_criticalln " -- server supports $latest_supported_string, but downgraded to $detected_version_string" + fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered, and downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)" + elif [[ "$DETECTED_TLS_VERSION" == 03* ]] && [[ 0x$DETECTED_TLS_VERSION -gt 0x0303 ]]; then + pr_svrty_criticalln " -- server responded with higher version number 
($detected_version_string) than requested by client" + fileout "tls1_2" "NOT ok" "TLSv1.2 is not offered, server responded with higher version number ($detected_version_string) than requested by client (NOT ok)" + else + pr_svrty_criticalln " -- server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2}" + fileout "tls1" "NOT ok" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fi ;; 5) outln "$supported_no_ciph1" 
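Review bot: Two findings in this hunk carry the wrong JSON id: the "connection failed" branch of `1)` writes `fileout "tls1_1" …` and the final `else` of `2)` writes `fileout "tls1" …`, both for TLSv1.2 results that belong under `tls1_2`. The first of them also drops the `(NOT ok)` suffix every other NOT-ok finding in the function carries. Use `fileout "tls1_2" "NOT ok" "TLSv1.2: connection failed rather than downgrading to $latest_supported_string (NOT ok)"` and `fileout "tls1_2" "NOT ok" "TLSv1.2: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)"`. run_protocols continues outside this hunk.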
@@ -2390,6 +2462,55 @@ run_protocols() { fileout "tls1_2" "INFO" "TLSv1.2 is not tested due to lack of local support" ;; # no local support esac + + # Testing version negotiation. RFC 5246, Appendix E.1, states: + # + # If a TLS server receives a ClientHello containing a version number + # greater than the highest version supported by the server, it MUST + # reply according to the highest version supported by the server. + if [[ -n $latest_supported ]] && $using_sockets && $EXPERIMENTAL; then + pr_bold " Version Negotiation "; + tls_sockets "05" "$TLS12_CIPHER" + case $? in + 0) + pr_svrty_criticalln "server claims support for non-existent TLSv1.4" + fileout "TLS Version Negotiation" "NOT ok" "Server claims support for non-existent TLSv1.4 (NOT ok)" + ;; + 1) + pr_svrty_criticalln "version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" + fileout "TLS Version Negotiation" "NOT ok" "Version negotiation did not work -- connection failed rather than downgrading to $latest_supported_string (NOT ok)" + ;; + 2) + case $DETECTED_TLS_VERSION in + 0304) + pr_svrty_criticalln "server claims support for TLSv1.3, which is still a working draft (NOT ok)" + fileout "TLS Version Negotiation" "NOT ok" "Server claims support for TLSv1.3, which is still a working draft (NOT ok)" + ;; + 0303|0302|0301|0300) + if [[ "$DETECTED_TLS_VERSION" == "0300" ]]; then + detected_version_string="SSLv3" + else + detected_version_string="TLSv1.$((0x$DETECTED_TLS_VERSION-0x0301))" + fi + if [[ 0x$DETECTED_TLS_VERSION -lt 0x$latest_supported ]]; then + pr_svrty_criticalln "server supports $latest_supported_string, but downgraded to $detected_version_string (NOT ok)" + fileout "TLS Version Negotiation" "NOT ok" "Downgraded to $detected_version_string rather than $latest_supported_string (NOT ok)" + else + pr_done_bestln "downgraded to $detected_version_string (OK)" + fileout "TLS Version Negotiation" "OK" "Downgraded to 
$detected_version_string" + fi + ;; + *) + pr_svrty_criticalln "server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + fileout "TLS Version Negotiation" "NOT ok" "TLSv1.4: server responded with version number ${DETECTED_TLS_VERSION:0:2}.${DETECTED_TLS_VERSION:2:2} (NOT ok)" + ;; + esac ;; + 5) + pr_svrty_criticalln "server claims support for non-existent TLSv1.4 (NOT ok)" + fileout "TLS Version Negotiation" "NOT ok" "Server claims support for non-existent TLSv1.4 (NOT ok)" + ;; + esac + fi return 0 } @@ -3689,8 +3810,11 @@ http2_pre(){ run_spdy() { local tmpstr local -i ret=0 + extra_spaces="" - pr_bold " SPDY/NPN " + ! $SSL_NATIVE && [[ -z "$STARTTLS" ]] && $EXPERIMENTAL && extra_spaces=" " + + pr_bold " SPDY/NPN $extra_spaces" if ! spdy_pre ; then outln return 0 @@ -3727,8 +3851,11 @@ run_http2() { local -i ret=0 local had_alpn_proto=false local alpn_finding="" + extra_spaces="" - pr_bold " HTTP2/ALPN " + ! $SSL_NATIVE && [[ -z "$STARTTLS" ]] && $EXPERIMENTAL && extra_spaces=" " + + pr_bold " HTTP2/ALPN $extra_spaces" if ! http2_pre ; then outln return 0 From 346c52dc7c65b87cce9881b5e045756ee1c26f7e Mon Sep 17 00:00:00 2001 
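Review bot: In the `0303|0302|0301|0300` arm a reply higher than `$latest_supported` lands in the `else` and is reported as "downgraded to … (OK)", yet only a direct probe returning 0 sets `latest_supported`, so that situation means the probe for that very version reported "not offered" or "couldn't detect a cipher" a few lines earlier and the two results contradict each other — plausibly the direct probe failed on cipher choice or handshake shape rather than on version, which the `#TODO` about IIS in the TLS 1.2 hunk hints at. An explicit `elif [[ 0x$DETECTED_TLS_VERSION -gt 0x$latest_supported ]]; then` arm writing a WARN such as `server negotiated $detected_version_string although it was not detected as offered above` would surface that instead of hiding it under OK. Separately, `"TLS Version Negotiation"` is the only JSON id in this file with spaces and capitals; `tls_version_negotiation` would match `tls1_2`, `chain_of_trust` and the rest. run_protocols ends inside this hunk but starts outside it.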
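Review bot: `extra_spaces=""` in run_spdy is assigned without `local`, so it becomes a global, unlike the `local extra_spaces=""` declaration this same patch adds to run_protocols. Put it on the declaration lines with the others: `local extra_spaces=""`. run_spdy continues outside this hunk.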
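Review bot: The same `extra_spaces=""` without `local` is added to run_http2, where the three preceding variables are all declared `local`; `local extra_spaces=""` keeps the function from leaking a global. run_http2 continues outside this hunk.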
From: David Cooper Date: Wed, 20 Jul 2016 11:37:51 -0400 Subject: [PATCH 02/11] CA names with domain component attributes `certificate_info()` does not correctly display the Issuer name for CAs that use domain component attributes. There is a server on the NIST intra-net that I test against that has a certificate issued by a NIST CA, and the issuer name in the certificate is of the form: `/DC=net/DC=example/DC=internal/CN=CAname` Since there is no organizational name, testssl.sh displays the name as: ``` Issuer "CAname" ("") ``` In this PR, if the Issuer name has 'DC=' attributes, but does not have an 'O=' attribute, the "DC=" attributes are combined into a DNS name that is used as if it were the organizational name: ``` Issuer "CAname" ("internal.example.net") ``` I should note, however, that I have not been able to find any other examples of TLS server certificates that have been issued by CAs that have domain components ("DC=") in their names. So, it may not be worthwhile to change the code to try to accommodate such CAs. --- testssl.sh | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/testssl.sh b/testssl.sh index e513d20..194b8df 100755 --- a/testssl.sh +++ b/testssl.sh @@ -3839,7 +3839,7 @@ certificate_info() { local ocsp_response=$5 local ocsp_response_status=$6 local cert_sig_algo cert_sig_hash_algo cert_key_algo - local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer sans san cn cn_nosni + local expire days2expire secs2warn ocsp_uri crl startdate enddate issuer_CN issuer_C issuer_O issuer_DC issuer issuerfinding sans san cn cn_nosni local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial local policy_oid local spaces="" 
@@ -4146,22 +4146,33 @@ certificate_info() { issuer_CN="$(awk -F'=' '/CN=/ { print $2 }' <<< "$issuer")" issuer_O="$(awk -F'=' '/O=/ { print $2 }' <<< "$issuer")" issuer_C="$(awk -F'=' '/ C=/ { print $2 }' <<< "$issuer")" + issuer_DC="$(awk -F'=' '/DC=/ { print $2 }' <<< "$issuer")" if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then pr_svrty_criticalln "self-signed (NOT ok)" fileout "${json_prefix}issuer" "NOT ok" "Issuer: selfsigned (NOT ok)" else - pr_dquoted "$issuer_CN" - out " (" - pr_dquoted "$issuer_O" - if [[ -n "$issuer_C" ]]; then - out " from " - pr_dquoted "$issuer_C" - fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer_CN\" ( \"$issuer_O\" from \"$issuer_C\")" - else - fileout "${json_prefix}issuer" "INFO" "Issuer: \"$issuer_CN\" ( \"$issuer_O\" )" + issuerfinding="$(pr_dquoted "$issuer_CN")" + if [[ -z "$issuer_O" ]] && [[ -n "$issuer_DC" ]]; then + for san in $issuer_DC; do + if [[ -z "$issuer_O" ]]; then + issuer_O="${san}" + else + issuer_O="${san}.${issuer_O}" + fi + done fi - outln ")" + if [[ -n "$issuer_O" ]]; then + issuerfinding+=" (" + issuerfinding+="$(pr_dquoted "$issuer_O")" + if [[ -n "$issuer_C" ]]; then + issuerfinding+=" from " + issuerfinding+="$(pr_dquoted "$issuer_C")" + fi + issuerfinding+=")" + fi + outln "$issuerfinding" + fileout "${json_prefix}issuer" "INFO" "Issuer: $issuerfinding" fi # http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp From df64e47fb9c21efb98147fe64624b23e94d0baa1 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 22 Jul 2016 11:31:52 -0400 Subject: [PATCH 03/11] CN <--> hostname match PR to address issue #94 (CN <--> hostname match) --- testssl.sh | 314 ++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 227 insertions(+), 87 deletions(-) diff --git a/testssl.sh b/testssl.sh index a857644..bd65d84 100755 --- a/testssl.sh +++ b/testssl.sh 
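Review bot: `issuerfinding` is assembled from the output of `pr_dquoted` and then passed to `fileout`, whereas the removed code gave fileout plain `"\"$issuer_CN\""` strings. If `pr_dquoted` emits terminal colour escapes when colour is enabled (its body is not in this view), those escapes now end up inside the JSON/CSV issuer finding. Keep a separate plain string for the file output, built alongside the coloured one from `"\"$issuer_CN\""`, `" (\"$issuer_O\""`, `" from \"$issuer_C\""` and `")"` under the same conditions, and pass that to `fileout`. The DC loop also reuses `san` as its iterator even though the variable is declared for SAN entries; a dedicated `dc` name reads better. certificate_info starts and ends outside this hunk.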
@@ -3586,7 +3586,7 @@ determine_trust() { if [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.0.2" ]] && [[ $OSSL_VER_MAJOR.$OSSL_VER_MINOR != "1.1.0" ]]; then addtl_warning="(Your openssl <= 1.0.2 might be too unreliable to determine trust)" - fileout "${json_prefix}trust_warn" "WARN" "$addtl_warning" + fileout "${json_prefix}chain_of_trust_warn" "WARN" "$addtl_warning" fi debugme outln for bundle_fname in $ca_bundles; do @@ -3624,7 +3624,7 @@ determine_trust() { # all stores ok pr_done_good "Ok "; pr_warning "$addtl_warning" # we did to stdout the warning above already, so we could stay here with INFO: - fileout "${json_prefix}trust" "OK" "All certificate trust checks passed. $addtl_warning" + fileout "${json_prefix}chain_of_trust" "OK" "All certificate trust checks passed. $addtl_warning" else # at least one failed pr_svrty_critical "NOT ok" @@ -3632,7 +3632,7 @@ determine_trust() { # all failed (we assume with the same issue), we're displaying the reason out " " verify_retcode_helper "${verify_retcode[2]}" - fileout "${json_prefix}trust" "NOT ok" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning" + fileout "${json_prefix}chain_of_trust" "NOT ok" "All certificate trust checks failed: $(verify_retcode_helper "${verify_retcode[2]}"). $addtl_warning" else # is one ok and the others not ==> display the culprit store if $some_ok ; then @@ -3655,7 +3655,7 @@ determine_trust() { [[ "$DEBUG" -eq 0 ]] && out "$spaces" pr_done_good "OK: $ok_was" fi - fileout "${json_prefix}trust" "NOT ok" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" + fileout "${json_prefix}chain_of_trust" "NOT ok" "Some certificate trust checks failed : OK : $ok_was NOT ok: $notok_was $addtl_warning" fi [[ -n "$addtl_warning" ]] && out "\n$spaces" && pr_warning "$addtl_warning" fi 
@@ -3792,42 +3792,128 @@ get_cn_from_cert() { return $? } -# Return 0 if the server name provided in arg1 matches the CN or SAN in arg2, otherwise return 1. +# Return 0 if the name provided in arg1 is a wildcard name +is_wildcard() +{ + local certname="$1" + + # If the first label in the DNS name begins "xn--", then assume it is an + # A-label and not a wildcard name (RFC 6125, Section 6.4.3). + [[ "${certname:0:4}" == "xn--" ]] && return 1 + + # Remove part of name preceding '*' or '.'. If no "*" appears in the + # left-most label, then it is not a wildcard name (RFC 6125, Section 6.4.3). + basename="$(echo -n "$certname" | sed 's/^[a-zA-Z0-9\-]*//')" + [[ "${basename:0:1}" != "*" ]] && return 1 # not a wildcard name + + # Check that there are no additional wildcard ('*') characters or any + # other characters that do not belong in a DNS name. + [[ -n $(echo -n "${basename:1}" | sed 's/^[\.a-zA-Z0-9\-]*//') ]] && return 1 + return 0 +} + +# Return 0 if the name provided in arg2 is a wildcard name and it matches the name provided in arg1. +wildcard_match() +{ + local servername="$1" + local certname="$2" + local basename + local -i basename_offset len_certname len_part1 len_basename + local -i len_servername len_wildcard + + len_servername=${#servername} + len_certname=${#certname} + + # Use rules from RFC 6125 to perform the match. + + # Assume the "*" in the wildcard needs to be replaced by one or more + # characters, although RFC 6125 is not clear about that. + [[ $len_servername -lt $len_certname ]] && return 1 + + is_wildcard "$certname" + [[ $? -ne 0 ]] && return 1 + + # Comparisons of DNS names are case insenstive, so convert both names to uppercase. 
+ certname="$(toupper "$certname")" + servername="$(toupper "$servername")" + + # Extract part of name that comes after the "*" + basename="$(echo -n "$certname" | sed 's/^[A-Z0-9\-]*\*//')" + len_basename=${#basename} + len_part1=$len_certname-$len_basename-1 + len_wildcard=$len_servername-$len_certname+1 + basename_offset=$len_servername-$len_basename + + # Check that initial part of $servername matches initial part of $certname + # and that final part of $servername matches final part of $certname. + [[ "${servername:0:len_part1}" != "${certname:0:len_part1}" ]] && return 1 + [[ "${servername:basename_offset:len_basename}" != "$basename" ]] && return 1 + + # Check that part of $servername that matches "*" is all part of a single + # domain label. + [[ -n $(echo -n "${servername:len_part1:len_wildcard}" | sed 's/^[A-Z0-9\-]*//') ]] && return 1 + + return 0 +} + +# Compare the server name provided in arg1 to the CN and SAN in arg2 and return: +# 0, if server name provided does not match any of the names in the CN or SAN +# 1, if the server name provided matches a name in the SAN +# 2, if the server name provided is a wildcard match against a name in the SAN +# 4, if the server name provided matches the CN +# 5, if the server name provided matches the CN AND a name in the SAN +# 6, if the server name provided matches the CN AND is a wildcard match against a name in the SAN +# 8, if the server name provided is a wildcard match against the CN +# 9, if the server name provided matches a name in the SAN AND is a wildcard match against the CN +# 10, if the server name provided is a wildcard match against the CN AND a name in the SAN + compare_server_name_to_cert() { - local servername=$1 - local cert=$2 - local cn dns_sans ip_sans san basename - - cn="$(get_cn_from_cert $cert)" - if [[ -n "$cn" ]]; then - [[ "$cn" == "$servername" ]] && return 0 - # If the CN contains a wildcard name, then do a wildcard match - if echo -n "$cn" | grep -q '^*.'; then - basename="$(echo 
-n "$cn" | sed 's/^\*.//')" - [[ "$cn" == "*.$basename" ]] && [[ "$servername" == *".$basename" ]] && return 0 - fi - fi + local servername="$(toupper "$1")" + local cert="$2" + local cn dns_sans ip_sans san + local -i ret=0 # Check whether any of the DNS names in the certificate match the servername - dns_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ + dns_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ tr ',' '\n' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g') for san in $dns_sans; do - [[ "$san" == "$servername" ]] && return 0 - # If $san is a wildcard name, then do a wildcard match - if echo -n "$san" | grep -q '^*.'; then - basename="$(echo -n "$san" | sed 's/^\*.//')" - [[ "$san" == "*.$basename" ]] && [[ "$servername" == *".$basename" ]] && return 0 - fi + [[ $(toupper "$san") == "$servername" ]] && ret=1 && break done - # Check whether any of the IP addresses in the certificate match the serername - ip_sans=$($OPENSSL x509 -in $cert -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ - tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g') - for san in $ip_sans; do - [[ "$san" == "$servername" ]] && return 0 - done - return 1 + if [[ $req -eq 0 ]]; then + # Check whether any of the IP addresses in the certificate match the servername + ip_sans=$($OPENSSL x509 -in "$cert" -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ + tr ',' '\n' | grep "IP Address:" | sed -e 's/IP Address://g' -e 's/ //g') + for san in $ip_sans; do + [[ "$san" == "$servername" ]] && ret=1 && break + done + fi + + # Check whether any of the DNS names in the certificate are wildcard names + # that match the servername + if [[ $req -eq 0 ]]; then + for san in $dns_sans; do + wildcard_match "$servername" "$san" + [[ $? 
-eq 0 ]] && ret=2 && break + done + fi + + cn="$(get_cn_from_cert "$cert")" + + # If the CN contains any characters that are not valid for a DNS name, + # then assume it does not contain a DNS name. + [[ -n $(echo -n "$cn" | sed 's/^[\.a-zA-Z0-9*\-]*//') ]] && return $ret + + # Check whether the CN in the certificate matches the servername + [[ $(toupper "$cn") == "$servername" ]] && ret+=4 && return $ret + + # Check whether the CN in the certificate is a wildcard name that matches + # the servername + wildcard_match "$servername" "$cn" + [[ $? -eq 0 ]] && ret+=8 + + return $ret } certificate_info() { @@ -3844,9 +3930,9 @@ certificate_info() { local cert_fingerprint_sha1 cert_fingerprint_sha2 cert_fingerprint_serial local policy_oid local spaces="" - local wildcard=false + local trust_sni=0 trust_nosni=0 has_dns_sans local -i certificates_provided - local cnfinding + local cnfinding trustfinding trustfinding_nosni local cnok="OK" local expfinding expok="OK" local json_prefix="" # string to place at beginng of JSON IDs when there is more than one certificate @@ -4058,19 +4144,6 @@ certificate_info() { if [[ -n "$cn" ]]; then pr_dquoted "$cn" cnfinding="$cn" - if echo -n "$cn" | grep -q '^*.' ; then - out " (wildcard certificate" - cnfinding+="(wildcard certificate " - if [[ "$cn" == "*.$(echo -n "$cn" | sed 's/^\*.//')" ]]; then - out " match)" - cnfinding+=" match)" - wildcard=true - else - cnfinding+=" NO match)" - cnok="INFO" - #FIXME: we need to test also the SANs as they can contain a wild card (google.de .e.g) ==> 2.7dev - fi - fi else cn="no CN field in subject" out "($cn)" 
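Review bot: `compare_server_name_to_cert` tests `[[ $req -eq 0 ]]` twice, but no `req` variable is ever assigned — the counter is `ret` — and in `[[ ]]` an empty arithmetic operand counts as 0, so both guarded blocks always run: an exact SAN match (`ret=1`) is overwritten by a later wildcard SAN match (`ret=2`) and the IP-SAN loop runs needlessly. Both should read `if [[ $ret -eq 0 ]]; then`. In `is_wildcard`, `basename` is assigned without `local` and leaks into the caller's scope; `local certname="$1" basename` fixes that. Note also that the return convention is inverted relative to the removed version (0 now means no match); the one caller visible in this series is updated in run_server_defaults, but any caller outside this view needs the same treatment.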
@@ -4088,40 +4161,23 @@ certificate_info() { #FIXME: check for SSLv3/v2 and look whether it goes to a different CN (probably not polite) debugme out "\"$NODE\" | \"$cn\" | \"$cn_nosni\"" - if [[ "$cn_nosni" == "$cn" ]]; then - outln " (works w/o SNI)" - cnfinding+=" (works w/o SNI)" - elif [[ $NODE == "$cn_nosni" ]]; then - if [[ $SERVICE == "HTTP" ]] || $CLIENT_AUTH ; then - outln " (works w/o SNI)" - cnfinding+=" (works w/o SNI)" - else - outln " (matches certificate directly)" - cnfinding+=" (matches certificate directly)" - # for services != HTTP it depends on the protocol, server and client but it is not named "SNI" + if [[ "$(toupper "$cn_nosni")" == "$(toupper "$cn")" ]]; then + outln + elif [[ -z "$cn_nosni" ]]; then + out " (request w/o SNI didn't succeed"; + cnfinding+=" (request w/o SNI didn't succeed" + if [[ $cert_sig_algo =~ ecdsa ]]; then + out ", usual for EC certificates" + cnfinding+=", usual for EC certificates" fi + outln ")" + cnfinding+=")" + elif [[ "$cn_nosni" == *"no CN field"* ]]; then + outln ", (request w/o SNI: $cn_nosni)" + cnfinding+=", (request w/o SNI: $cn_nosni)" else - if [[ $SERVICE != "HTTP" ]]; then - outln - cnfinding+="\n" - #pr_svrty_mediumln " (non-SNI clients don't match CN but for non-HTTP services it might be ok)" - #FIXME: this is irritating and needs to be redone. 
Then also the wildcard match needs to be tested against "$cn_nosni" - elif [[ -z "$cn_nosni" ]]; then - out " (request w/o SNI didn't succeed"; - cnfinding+=" (request w/o SNI didn't succeed" - if [[ $cert_sig_algo =~ ecdsa ]]; then - out ", usual for EC certificates" - cnfinding+=", usual for EC certificates" - fi - outln ")" - cnfinding+=")" - elif [[ "$cn_nosni" == *"no CN field"* ]]; then - outln ", (request w/o SNI: $cn_nosni)" - cnfinding+=", (request w/o SNI: $cn_nosni)" - else - out " (CN in response to request w/o SNI: "; pr_dquoted "$cn_nosni"; outln ")" - cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")" - fi + out " (CN in response to request w/o SNI: "; pr_dquoted "$cn_nosni"; outln ")" + cnfinding+=" (CN in response to request w/o SNI: \"$cn_nosni\")" fi fileout "${json_prefix}cn" "$cnok" "$cnfinding" 
@@ -4178,6 +4234,90 @@ certificate_info() { fileout "${json_prefix}issuer" "INFO" "Issuer: $issuerfinding" fi + out "$indent"; pr_bold " Trust " + compare_server_name_to_cert "$NODE" "$HOSTCERT" + trust_sni=$? + + # Find out if the subjectAltName extension is present and contains + # a DNS name, since Section 6.3 of RFC 6125 says: + # Security Warning: A client MUST NOT seek a match for a reference + # identifier of CN-ID if the presented identifiers include a DNS-ID, + # SRV-ID, URI-ID, or any application-specific identifier types + # supported by the client. + $OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | \ + grep -A2 "Subject Alternative Name" | grep -q "DNS:" && \ + has_dns_sans=true || has_dns_sans=false + + case $trust_sni in + 0) trustfinding="certificate does not match URI" ;; + 1) trustfinding="Ok via SAN" ;; + 2) trustfinding="Ok via SAN wildcard" ;; + 4) if $has_dns_sans; then + trustfinding="Ok via CN, but not SAN" + else + trustfinding="Ok via CN" + fi + ;; + 5) trustfinding="Ok via SAN and CN" ;; + 6) trustfinding="Ok via SAN wildcard and CN" + ;; + 8) if $has_dns_sans; then + trustfinding="Ok via CN wildcard, but not SAN" + else + trustfinding="Ok via CN wildcard" + fi + ;; + 9) trustfinding="Ok via CN wildcard and SAN" + ;; + 10) trustfinding="Ok via SAN wildcard and CN wildcard" + ;; + esac + + if [[ $trust_sni -eq 0 ]]; then + pr_svrty_medium "$trustfinding" + trust_sni="fail" + elif $has_dns_sans && ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then + pr_svrty_medium "$trustfinding" + trust_sni="warn" + else + out "$trustfinding" + trust_sni="ok" + fi + + if [[ -n "$cn_nosni" ]]; then + compare_server_name_to_cert "$NODE" "$HOSTCERT.nosni" + trust_nosni=$? 
+ $OPENSSL x509 -in "$HOSTCERT.nosni" -noout -text 2>>$ERRFILE | \ + grep -A2 "Subject Alternative Name" | grep -q "DNS:" && \ + has_dns_sans=true || has_dns_sans=false + fi + + if $has_dns_sans && [[ $trust_nosni -eq 4 ]]; then + trustfinding_nosni=" (w/o SNI: Ok via CN, but not SAN)" + elif $has_dns_sans && [[ $trust_nosni -eq 8 ]]; then + trustfinding_nosni=" (w/o SNI: Ok via CN wildcard, but not SAN)" + elif [[ $trust_nosni -eq 0 ]] && ( [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]] ); then + trustfinding_nosni=" (SNI mandatory)" + elif [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]]; then + trustfinding_nosni=" (works w/o SNI)" + elif [[ $trust_nosni -ne 0 ]]; then + trustfinding_nosni=" (however, works w/o SNI)" + else + trustfinding_nosni="" + outln + fi + if $has_dns_sans && ( [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] ); then + pr_svrty_mediumln "$trustfinding_nosni" + else + outln "$trustfinding_nosni" + fi + + if [[ "$trust_sni" == "ok" ]]; then + fileout "${json_prefix}trust" "INFO" "${trustfinding}${trustfinding_nosni}" + else + fileout "${json_prefix}trust" "WARN" "${trustfinding}${trustfinding_nosni}" + fi + # http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp out "$indent"; pr_bold " EV cert"; out " (experimental) " # only the first one, seldom we have two 
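Review bot: The `case $trust_sni in` block has no default arm, so any return value outside the listed ones leaves `trustfinding` empty, the line shows only the `(w/o SNI …)` suffix, and an empty finding goes to JSON; adding `*) trustfinding="unexpected match result $trust_sni" ;;` makes that visible rather than silent. The first `$OPENSSL x509 -in $HOSTCERT` in this hunk leaves the path unquoted while the no-SNI call a few lines below quotes `"$HOSTCERT.nosni"` — quote both. certificate_info starts and ends outside this hunk.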
@@ -4400,23 +4540,23 @@ run_server_defaults() { # $NODE being tested or if it has the same subject # (CN and SAN) as other certificates for this host. compare_server_name_to_cert "$NODE" "$HOSTCERT" - success[n]=$? + [[ $? -ne 0 ]] && success[n]=0 || success[n]=1 if [[ ${success[n]} -ne 0 ]]; then - cn_nosni="$(get_cn_from_cert $HOSTCERT)" - sans_nosni=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | grep "DNS:" | \ - sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername://g') + cn_nosni="$(toupper "$(get_cn_from_cert $HOSTCERT)")" + sans_nosni="$(toupper "$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ + tr ',' '\n' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')")" echo "${previous_hostcert[1]}" > $HOSTCERT - cn_sni="$(get_cn_from_cert $HOSTCERT)" - + cn_sni="$(toupper "$(get_cn_from_cert $HOSTCERT)")" + # FIXME: Not sure what the matching rule should be. At # the moment, the no SNI certificate is considered a # match if the CNs are the same and the SANs (if # present) contain at least one DNS name in common. if [[ "$cn_nosni" == "$cn_sni" ]]; then - sans_sni=$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | grep "DNS:" | \ - sed -e 's/DNS://g' -e 's/ //g' -e 's/,/ /g' -e 's/othername://g') + sans_sni="$(toupper "$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A2 "Subject Alternative Name" | \ + tr ',' '\n' | grep "DNS:" | sed -e 's/DNS://g' -e 's/ //g' | tr '\n' ' ')")" if [[ "$sans_nosni" == "$sans_sni" ]]; then success[n]=0 else From 59002c1088e06287afd4fbbde5b2fa5c66540bd5 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 22 Jul 2016 11:57:16 -0400 Subject: [PATCH 04/11] Update JSON id for chain-of-trust --- t/01_badssl.com.t | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/t/01_badssl.com.t b/t/01_badssl.com.t index 0c9cb3c..0812d34 100755 
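Review bot: The comment and the code disagree on the matching rule: the comment says the no-SNI certificate is a match if the SANs "contain at least one DNS name in common", but `[[ "$sans_nosni" == "$sans_sni" ]]` requires the two upper-cased DNS lists to be identical, in the order openssl prints them. Exact equality is the safer rule, since treating two certificates with merely overlapping SANs as the same would hide a genuinely different no-SNI certificate from the trust output, so I would fix the comment rather than the code: `# The no-SNI certificate is treated as the same certificate only if the CNs are equal and the SAN DNS-name lists (case-folded, in openssl's order) are identical.` The FIXME can then record that a set-intersection rule was considered and rejected. run_server_defaults starts and ends outside this hunk.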
--- a/t/01_badssl.com.t +++ b/t/01_badssl.com.t @@ -53,7 +53,7 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++; like($out, qr/Chain of trust.*?NOT ok.*\(self signed\)/,"Chain of trust should fail because of self signed"); $tests++; $found = 0; foreach my $f ( @$json ) { - if ( $f->{id} eq "trust" ) { + if ( $f->{id} eq "chain_of_trust" ) { $found = 1; like($f->{finding},qr/^All certificate trust checks failed/,"Finding says certificate cannot be trusted."); $tests++; is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; @@ -65,7 +65,7 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++; like($okout, qr/Chain of trust[^\n]*?Ok/,"Chain of trust should be ok"); $tests++; $found = 0; foreach my $f ( @$okjson ) { - if ( $f->{id} eq "trust" ) { + if ( $f->{id} eq "chain_of_trust" ) { $found = 1; is($f->{finding},"All certificate trust checks passed.","Finding says certificate can be trusted."); $tests++; is($f->{severity}, "OK", "Severity should be OK"); $tests++; @@ -97,7 +97,7 @@ like($out, qr/Chain of trust.*?NOT ok\s+\(chain incomplete\)/,"Chain of trust sh $json = json('tmp.json'); $found = 0; foreach my $f ( @$json ) { - if ( $f->{id} eq "trust" ) { + if ( $f->{id} eq "chain_of_trust" ) { $found = 1; like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++; is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; @@ -115,7 +115,7 @@ is($found,1,"We had a finding for this in the JSON output"); $tests++; #$json = json('tmp.json'); #$found = 0; #foreach my $f ( @$json ) { -# if ( $f->{id} eq "trust" ) { +# if ( $f->{id} eq "chain_of_trust" ) { # $found = 1; # like($f->{finding},qr/^All certificate trust checks failed.*incomplete/,"Finding says certificate cannot be trusted."); $tests++; # is($f->{severity}, "NOT ok", "Severity should be NOT ok"); $tests++; 
@@ -132,4 +132,4 @@ sub json($) { $file = `cat $file`; unlink $file; return from_json($file); -} \ No newline at end of file +} From ae386700673f2e47b5cc70a7ee15055f65b5f173 Mon Sep 17 00:00:00 2001 From: David Cooper Date: Fri, 22 Jul 2016 12:06:52 -0400 Subject: [PATCH 05/11] Fix check for self-signed certificate The check for whether a certificate is self-signed was using the undefined variable $CN rather than $cn. --- testssl.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/testssl.sh b/testssl.sh index a857644..989709a 100755 --- a/testssl.sh +++ b/testssl.sh @@ -4151,7 +4151,7 @@ certificate_info() { issuer_C="$(awk -F'=' '/ C=/ { print $2 }' <<< "$issuer")" issuer_DC="$(awk -F'=' '/DC=/ { print $2 }' <<< "$issuer")" - if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$CN" ]]; then + if [[ "$issuer_O" == "issuer=" ]] || [[ "$issuer_O" == "issuer= " ]] || [[ "$issuer_CN" == "$cn" ]]; then pr_svrty_criticalln "self-signed (NOT ok)" fileout "${json_prefix}issuer" "NOT ok" "Issuer: selfsigned (NOT ok)" else From 1a099d35b7da8f97d991a02f7fb6fd6284f5c0b3 Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 23 Jul 2016 11:17:49 +0200 Subject: [PATCH 06/11] - minor polishing #419 --- testssl.sh | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/testssl.sh b/testssl.sh index bd65d84..0dcbf63 100755 --- a/testssl.sh +++ b/testssl.sh @@ -4234,7 +4234,7 @@ certificate_info() { fileout "${json_prefix}issuer" "INFO" "Issuer: $issuerfinding" fi - out "$indent"; pr_bold " Trust " + out "$indent"; pr_bold " Trust (hostname) " compare_server_name_to_cert "$NODE" "$HOSTCERT" trust_sni=$? 
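Review bot: In the `@@ -4151` hunk the corrected test `[[ "$issuer_CN" == "$cn" ]]` is also true when both strings are empty, so a SAN-only leaf with no CN issued by a CA whose subject has no CN (the Equifax root listed in etc/ca_hashes.txt later in this series is such a DN) would be reported as "self-signed (NOT ok)" at CRITICAL severity, assuming `$cn` is empty for a CN-less subject. Guard the comparison: `[[ -n "$cn" && "$issuer_CN" == "$cn" ]]`. CN equality is still only a heuristic; comparing the full `$issuer` DN against the certificate's subject DN, or verifying the certificate against itself, is the robust self-signed test if the subject string is available in this function. certificate_info starts and ends outside this hunk.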
@@ -4249,7 +4249,7 @@ certificate_info() { has_dns_sans=true || has_dns_sans=false case $trust_sni in - 0) trustfinding="certificate does not match URI" ;; + 0) trustfinding="certificate does not match supplied URI" ;; 1) trustfinding="Ok via SAN" ;; 2) trustfinding="Ok via SAN wildcard" ;; 4) if $has_dns_sans; then @@ -4276,11 +4276,11 @@ certificate_info() { if [[ $trust_sni -eq 0 ]]; then pr_svrty_medium "$trustfinding" trust_sni="fail" - elif $has_dns_sans && ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then + elif "$has_dns_sans" && ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] ); then pr_svrty_medium "$trustfinding" trust_sni="warn" else - out "$trustfinding" + pr_done_good "$trustfinding" trust_sni="ok" fi @@ -4292,9 +4292,9 @@ certificate_info() { has_dns_sans=true || has_dns_sans=false fi - if $has_dns_sans && [[ $trust_nosni -eq 4 ]]; then + if "$has_dns_sans" && [[ $trust_nosni -eq 4 ]]; then trustfinding_nosni=" (w/o SNI: Ok via CN, but not SAN)" - elif $has_dns_sans && [[ $trust_nosni -eq 8 ]]; then + elif "$has_dns_sans" && [[ $trust_nosni -eq 8 ]]; then trustfinding_nosni=" (w/o SNI: Ok via CN wildcard, but not SAN)" elif [[ $trust_nosni -eq 0 ]] && ( [[ "$trust_sni" == "ok" ]] || [[ "$trust_sni" == "warn" ]] ); then trustfinding_nosni=" (SNI mandatory)" @@ -4304,9 +4304,8 @@ certificate_info() { trustfinding_nosni=" (however, works w/o SNI)" else trustfinding_nosni="" - outln fi - if $has_dns_sans && ( [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] ); then + if "$has_dns_sans" && ( [[ $trust_nosni -eq 4 ]] || [[ $trust_nosni -eq 8 ]] ); then pr_svrty_mediumln "$trustfinding_nosni" else outln "$trustfinding_nosni" @@ -8489,4 +8488,4 @@ fi exit $? -# $Id: testssl.sh,v 1.527 2016/07/20 15:36:50 dirkw Exp $ +# $Id: testssl.sh,v 1.528 2016/07/23 09:16:12 dirkw Exp $ From 3d588ddb20ed61602799ea94648a8bf19b83b270 Mon Sep 17 00:00:00 2001 
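Review bot: In the `@@ -4276` hunk, `"$has_dns_sans" && ( [[ $trust_sni -eq 4 ]] || [[ $trust_sni -eq 8 ]] )` forks a subshell just to group two tests, which works against the commit's stated goal of faster execution; `[[ ]]` accepts `||` directly: `elif "$has_dns_sans" && [[ $trust_sni -eq 4 || $trust_sni -eq 8 ]]; then`. The same `( [[ … ]] || [[ … ]] )` grouping recurs in the `@@ -4292` and `@@ -4304` hunks on the `trust_nosni` arms. Quoting `"$has_dns_sans"` does not change how bash resolves the command name; it only prevents word-splitting of the value.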
From: Dirk Date: Sat, 23 Jul 2016 14:52:26 +0200 Subject: [PATCH 07/11] change sequence of out output (trust checks together --- testssl.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/testssl.sh b/testssl.sh index dfc1c24..4234f19 100755 --- a/testssl.sh +++ b/testssl.sh @@ -4317,6 +4317,9 @@ certificate_info() { fileout "${json_prefix}trust" "WARN" "${trustfinding}${trustfinding_nosni}" fi + out "$indent"; pr_bold " Chain of trust"; out " " + determine_trust "$json_prefix" # Also handles fileout + # http://events.ccc.de/congress/2010/Fahrplan/attachments/1777_is-the-SSLiverse-a-safe-place.pdf, see page 40pp out "$indent"; pr_bold " EV cert"; out " (experimental) " # only the first one, seldom we have two @@ -4386,10 +4389,6 @@ certificate_info() { out "$indent"; pr_bold " # of certificates provided"; outln " $certificates_provided" fileout "${json_prefix}certcount" "INFO" "# of certificates provided : $certificates_provided" - - out "$indent"; pr_bold " Chain of trust"; out " (experim.) " - determine_trust "$json_prefix" # Also handles fileout - out "$indent"; pr_bold " Certificate Revocation List " crl="$($OPENSSL x509 -in $HOSTCERT -noout -text 2>>$ERRFILE | grep -A 4 "CRL Distribution" | grep URI | sed 's/^.*URI://')" if [[ -z "$crl" ]]; then @@ -8488,4 +8487,4 @@ fi exit $? -# $Id: testssl.sh,v 1.528 2016/07/23 09:16:12 dirkw Exp $ +# $Id: testssl.sh,v 1.530 2016/07/23 12:52:24 dirkw Exp $ From 541690b46e1dfa78362fda1368cd3c818ab5fd5d Mon Sep 17 00:00:00 2001 From: Dirk Date: Sat, 23 Jul 2016 15:12:13 +0200 Subject: [PATCH 08/11] - enabled+renamed tolerance test per default - quoted some bool vars for faster execution --- testssl.sh | 45 ++++++++++++++++++++------------------------- 1 file changed, 20 insertions(+), 25 deletions(-) diff --git a/testssl.sh b/testssl.sh index afdf70a..7187daa 100755 --- a/testssl.sh +++ b/testssl.sh 
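Review bot: In the `@@ -4317` hunk the relocated "Chain of trust" line silently drops the "(experim.)" marker that the removed line in the `@@ -4386` hunk carried, while the commit describes itself only as reordering output. If determine_trust is still considered experimental, keep the marker on the new line: `out "$indent"; pr_bold " Chain of trust"; out " (experim.) "`; if it is now considered stable, say so in the commit message so the change in the reported confidence is deliberate. certificate_info starts and ends outside this hunk.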
@@ -2016,7 +2016,7 @@ run_client_simulation() { local name tls proto cipher local using_sockets=true - if $SSL_NATIVE || [[ -n "$STARTTLS" ]]; then + if "$SSL_NATIVE" || [[ -n "$STARTTLS" ]]; then using_sockets=false fi @@ -2758,7 +2758,7 @@ run_client_simulation() { for name in "${short[@]}"; do #FIXME: printf formatting would look better, especially if we want a wide option here out " ${names[i]} " - if $using_sockets && [[ -n "${handshakebytes[i]}" ]]; then + if "$using_sockets" && [[ -n "${handshakebytes[i]}" ]]; then client_simulation_sockets "${handshakebytes[i]}" sclient_success=$? if [[ $sclient_success -eq 0 ]]; then @@ -2781,7 +2781,7 @@ run_client_simulation() { #FIXME: awk proto=$(grep -aw "Protocol" $TMPFILE | sed -e 's/^.*Protocol.*://' -e 's/ //g') [[ "$proto" == TLSv1 ]] && proto="TLSv1.0" - if [[ "$proto" == TLSv1.2 ]] && ( ! $using_sockets || [[ -z "${handshakebytes[i]}" ]] ); then + if [[ "$proto" == TLSv1.2 ]] && ( ! "$using_sockets" || [[ -z "${handshakebytes[i]}" ]] ); then # OpenSSL reports TLS1.2 even if the connection is TLS1.1 or TLS1.0. Need to figure out which one it is... for tls in ${tlsvers[i]}; do $OPENSSL s_client $tls -cipher ${ciphers[i]} ${protos[i]} $STARTTLS $BUGS $PROXY -connect $NODEIP:$PORT ${sni[i]} $TMPFILE 2>$ERRFILE @@ -2807,7 +2807,7 @@ run_client_simulation() { fi #FiXME: awk cipher=$(grep -wa Cipher $TMPFILE | egrep -avw "New|is" | sed -e 's/ //g' -e 's/^Cipher://') - $using_sockets && [[ -n "${handshakebytes[i]}" ]] && [[ -n "$MAPPING_FILE_RFC" ]] && cipher="$(rfc2openssl "$cipher")" + "$using_sockets" && [[ -n "${handshakebytes[i]}" ]] && [[ -n "$MAPPING_FILE_RFC" ]] && cipher="$(rfc2openssl "$cipher")" outln "$proto $cipher" if [[ -n "${warning[i]}" ]]; then out " " 
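Review bot: Quoting `"$SSL_NATIVE"` in `if "$SSL_NATIVE" || [[ -n "$STARTTLS" ]]` does not make the test faster or safer: bash still executes whatever string the variable holds as a command, and the quotes only suppress word-splitting. If the aim is robustness, a string comparison never executes variable content: `if [[ "$SSL_NATIVE" == true ]] || [[ -n "$STARTTLS" ]]; then`. Where SSL_NATIVE is assigned is outside this view, so this may simply be the project's established idiom; the same applies to the `"$using_sockets"` changes in the following hunks of run_client_simulation.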
@@ -2893,11 +2893,11 @@ run_protocols() { local supported_no_ciph2="supported but couldn't detect a cipher" local latest_supported="" # version.major and version.minor of highest version supported by the server. local detected_version_string latest_supported_string - local extra_spaces="" + local extra_spaces=" " outln; pr_headline " Testing protocols " - if $SSL_NATIVE; then + if "$SSL_NATIVE"; then using_sockets=false pr_headlineln "(via native openssl)" else @@ -2906,9 +2906,8 @@ run_protocols() { using_sockets=false else using_sockets=true - if $EXPERIMENTAL; then + if "$EXPERIMENTAL"; then pr_headlineln "(via sockets except SPDY+HTTP2) " - extra_spaces=" " else pr_headlineln "(via sockets except TLS 1.2, SPDY+HTTP2) " fi @@ -2917,7 +2916,7 @@ run_protocols() { outln pr_bold " SSLv2 $extra_spaces"; - if ! $SSL_NATIVE; then + if ! "$SSL_NATIVE"; then sslv2_sockets #FIXME: messages/output need to be moved to this (higher) level else run_prototest_openssl "-ssl2" @@ -2943,7 +2942,7 @@ run_protocols() { fi pr_bold " SSLv3 $extra_spaces"; - if $using_sockets; then + if "$using_sockets"; then tls_sockets "00" "$TLS_CIPHER" else run_prototest_openssl "-ssl3" @@ -2982,7 +2981,7 @@ run_protocols() { esac pr_bold " TLS 1 $extra_spaces"; - if $using_sockets; then + if "$using_sockets"; then tls_sockets "01" "$TLS_CIPHER" else run_prototest_openssl "-tls1" @@ -2997,7 +2996,7 @@ run_protocols() { ;; # nothing wrong with it -- per se 1) out "not offered" - if ! $using_sockets || [[ -z $latest_supported ]]; then + if ! "$using_sockets" || [[ -z $latest_supported ]]; then outln fileout "tls1" "INFO" "TLSv1.0 is not offered" # neither good or bad else @@ -3031,7 +3030,7 @@ run_protocols() { esac pr_bold " TLS 1.1 $extra_spaces"; - if $using_sockets; then + if "$using_sockets"; then tls_sockets "02" "$TLS_CIPHER" else run_prototest_openssl "-tls1_1" 
@@ -3046,7 +3045,7 @@ run_protocols() { ;; # nothing wrong with it 1) out "not offered" - if ! $using_sockets || [[ -z $latest_supported ]]; then + if ! "$using_sockets" || [[ -z $latest_supported ]]; then outln fileout "tls1_1" "INFO" "TLSv1.1 is not offered" # neither good or bad else @@ -3083,7 +3082,7 @@ run_protocols() { esac pr_bold " TLS 1.2 $extra_spaces"; - if $using_sockets && $EXPERIMENTAL; then #TODO: IIS servers do have a problem here with our handshake + if "$using_sockets" && "$EXPERIMENTAL"; then #TODO: IIS servers do have a problem here with our handshake tls_sockets "03" "$TLS12_CIPHER" else run_prototest_openssl "-tls1_2" @@ -3098,7 +3097,7 @@ run_protocols() { ;; # GCM cipher in TLS 1.2: very good! 1) pr_svrty_mediumln "not offered" - if ! $using_sockets || ! $EXPERIMENTAL || [[ -z $latest_supported ]]; then + if ! "$using_sockets" || ! "$EXPERIMENTAL" || [[ -z $latest_supported ]]; then outln fileout "tls1_2" "MEDIUM" "TLSv1.2 is not offered" # no GCM, penalty else @@ -3143,8 +3142,8 @@ run_protocols() { # If a TLS server receives a ClientHello containing a version number # greater than the highest version supported by the server, it MUST # reply according to the highest version supported by the server. - if [[ -n $latest_supported ]] && $using_sockets && $EXPERIMENTAL; then - pr_bold " Version Negotiation "; + if [[ -n $latest_supported ]] && "$using_sockets"; then + pr_bold " Version tolerance " tls_sockets "05" "$TLS12_CIPHER" case $? in 0) @@ -4971,9 +4970,7 @@ http2_pre(){ run_spdy() { local tmpstr local -i ret=0 - extra_spaces="" - - ! $SSL_NATIVE && [[ -z "$STARTTLS" ]] && $EXPERIMENTAL && extra_spaces=" " + local extra_spaces=" " pr_bold " SPDY/NPN $extra_spaces" if ! spdy_pre ; then 
@@ -5012,9 +5009,7 @@ run_http2() { local -i ret=0 local had_alpn_proto=false local alpn_finding="" - extra_spaces="" - - ! $SSL_NATIVE && [[ -z "$STARTTLS" ]] && $EXPERIMENTAL && extra_spaces=" " + local extra_spaces=" " pr_bold " HTTP2/ALPN $extra_spaces" if ! http2_pre ; then @@ -8613,4 +8608,4 @@ fi exit $? -# $Id: testssl.sh,v 1.530 2016/07/23 12:52:24 dirkw Exp $ +# $Id: testssl.sh,v 1.531 2016/07/23 13:12:12 dirkw Exp $ From 5d7367a68dfc179a099c4ca1076716dbab489054 Mon Sep 17 00:00:00 2001 From: Frank Breedijk Date: Mon, 25 Jul 2016 09:47:24 +0200 Subject: [PATCH 09/11] Shell script to generate ca_hashes.txt (OSX only) --- .gitignore | 2 + etc/ca_hashes.txt | 938 +++++++++--------------------------- t/10_ca_hashes_up_to_date.t | 9 + utils/create_ca_hashes.sh | 48 ++ 4 files changed, 298 insertions(+), 699 deletions(-) create mode 100755 t/10_ca_hashes_up_to_date.t create mode 100755 utils/create_ca_hashes.sh diff --git a/.gitignore b/.gitignore index e43b0f9..adad0cf 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ .DS_Store +tmp.json +*.bak diff --git a/etc/ca_hashes.txt b/etc/ca_hashes.txt index f83c68f..80c1d4d 100644 --- a/etc/ca_hashes.txt +++ b/etc/ca_hashes.txt 
@@ -1,716 +1,256 @@ -vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services -ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA -hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 -j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 -SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 -DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 -80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 -vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority -tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= -RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services -JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA -MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC -dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA -ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= -KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= -M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= -qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA -0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA -lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA -Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 -QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 -FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= -hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA -gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 -KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 -NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom 
Root CA 1 -y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 -9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 -QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 -fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA -KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 -ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 -kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 -hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 -MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 -0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 -MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 -ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 -gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 -lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 -Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 -vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA -YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 -jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 -rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II -k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II -a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II -st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I -qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II -q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC 
TrustCenter Universal CA III -ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 -myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 -HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA -Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 -GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 -R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA -4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services -qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= -FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 -0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA -ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority -zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root -qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root -QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC -Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email -TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware -gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications -D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object -IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 -cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 -SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 -xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= -UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 
-JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 -VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 -lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority -puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root -LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA -AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA -qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority -BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority -bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= -cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root -Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 -JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA -ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano -Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root +OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 -tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 -WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA -sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA -S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig -a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 -cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 -UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna -BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root -NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine -axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA -28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= -lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA 
-qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA -aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 -iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root -ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 -jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 -dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA -lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root -mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy -AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority -aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA -wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA -zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA -7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 -/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 -0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 -gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority -I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA -OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root -8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 -Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 -r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA -i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 -uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 -WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA -Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 -itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 -PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 -Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 
-xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root -mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 -wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority -NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı -MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 -VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA -bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority ++sld48JKF0GUgAz/qjylHXEWYwZkqbYMh1i07w3Fj4g= A-Trust-nQual-03 +/1aAzXOlcD2gSBegdf1GJQanNQbEuBoVg+9UlHjSZHY= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority +/PfamDYD6IhiAw2WE32OEwMbrftNVsH9TKzDOfa9uyo= America Online Root Certification Authority 2 /qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 -du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA -YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= -jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA -h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA -SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority -vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 -q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 -Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root -knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 -cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign -CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign -bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial 
-fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign -iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign -K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA -VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= -Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 -pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= -Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 -NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 -olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 -B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 -lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking -WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK -x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 -YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 -9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány -pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado -MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority -x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium -vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services -ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA -hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 -j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 -SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 -DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 
-80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 -vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority -tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= -RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services -JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA -MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC -dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA -ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= -KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= -M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= -qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA +/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 +0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 +0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA -lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA -Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 -QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 -FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= -hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA -gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 -KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 -NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 -y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 -9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 
-QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 -fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA -KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 -ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 -kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 -hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 -MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 -MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 -ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 -gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 -lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 -Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 -vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA -YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 -jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 -rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II -k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II -a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II -st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I -qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II -q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III -ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 -myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root 
CA - G3 -HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA -Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 -GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 -R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA +1qGEQ9NI25lPk0zNjmNdgzonrB5W+K+vfJfLT0Pqtos= Certification Authority of WoSign +28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= /C=RO/O=certSIGN/OU=certSIGN ROOT CA +2Psz44XJwtpymoRwa6kn3Lt5Jz4SL/2WczY7cLfzbLs= Root CA Generalitat Valenciana +2xXABitSDzGKGdrP7NZPnno/vmCf1YZ5byCuAo6OMFg= CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6 +31MLrJ/NkUwlLC+9zt3GGD1K6MaArWXwPiBIYd17HHM= Microsoft Root Certificate Authority +3V7RwJD59EgGG6qUprsRAXVE6e76ogzHFM5sYz9dxik= CFCA EV ROOT 4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services -qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= -FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 -0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA -ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority +58qRu/uxh4gFezqAcERupSkRYBlBAvfcw7mEjGPLnNU= COMODO ECC Certification Authority +5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority +5co3vHtsNhl5vGsSPKmh2wGQRtf/X1ffuFSxnRCwaC8= Atos TrustedRoot 2011 +60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA 60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority -zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root -qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root -QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC -Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email -TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware 
-gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications -D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object -IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 -cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 -SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 -xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= -UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 -JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 -VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 -lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority -puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root -LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA -AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. 
Root CA -qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority -BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority -bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= -cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root -Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 -JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA -ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano -Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root -+OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 -tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 -WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA -sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA -S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig -a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 -cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 -UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna -BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root -NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine -axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA -28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= -lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA -qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA -aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 -iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root -ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 -jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 -dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA -lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root 
-mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy -AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority -aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA -wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA -zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA 7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 -/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 -0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 -gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority -I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA -OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root -8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 -Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 -r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA -i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 -uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 -WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA -Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 -itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 -PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 -Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 -xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root -mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 -wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority -NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı -MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 -VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA -bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification 
Authority -/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 -du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA -YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= -jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA -h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA -SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority -vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 -q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 -Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root -knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 -cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign -CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign -bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial -fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign -iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign -K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA -VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= -Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 -pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= -Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 -NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 -olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 -B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 -lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking 
-WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK -x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 -YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 -9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány -pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado -MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority -x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium -vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services -ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA -hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 -j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 -SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 -DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 -vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority -tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= -RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services -JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA -MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC -dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA -ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= -KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= -M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= -qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA -0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA -lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA 
-Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 -QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 -FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= -hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA -gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 -KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 -NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 -y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 -9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 -QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 -fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA -KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 -ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 -kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 -hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 -MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 -0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 -MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 -ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 -gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 -lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 
Public Primary Certification Authority - G6 -Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 -vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA -YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 -jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 -rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II -k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II -a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II -st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I -qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II -q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III -ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 -myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 -HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA -Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 -GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 -R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA -4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services -qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= -FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 -0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA -ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority -zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root -qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root -QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC -Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client 
Authentication and Email -TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware -gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications -D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object -IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 -cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 -SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 -xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= -UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 -JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 -VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 -lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority -puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root -LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA -AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. 
Root CA -qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority -BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority -bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= -cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root -Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 -JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA -ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano -Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root -+OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 -tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 -WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA -sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA -S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig -a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 -cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 -UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna -BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root -NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine -axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA -28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= -lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA -qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA -aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 -iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root -ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 -jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 -dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA -lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root 
-mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy -AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority -aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA -wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA -zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA -7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 -/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 -0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 -gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority -I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA -OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root 8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 -Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 -r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA -i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 -uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 -WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA -Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 -itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 -PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 -Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 -xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root -mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 -wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority -NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı -MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 -VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA -bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification 
Authority -/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 -du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA -YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= -jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA -h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA -SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority -vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 -q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 -Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root -knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 -cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign -CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign -bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial -fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign -iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign -K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA -VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= -Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 -pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= -Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 -NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 -olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 +96/0GycJ8XX4q6F+VnsnBGst1Uv25+Jj0ylYc0N7nP8= A-Trust-Qual-03 +9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 
+9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) F\xC5\x91tan\xC3\xBAs\xC3\xADtv\xC3\xA1ny +9TwiBZgX3Zb0AGUWOdL4V+IQcKWavtkHlADZ9pVQaQA= Thawte Premium Server CA +9YV9iGK8K6PJ3co/hBRtyNgfTVedKzh79gBlOB7mQd0= Class 3P Primary CA +9zvl66U2kSxVf7hVUXrR7gSHvY9jSYw5SRZBd7oGxd4= I.CA - Standard root certificate +AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority +AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA +AjdtCQisIwQcx9Zm2drxklVPf8NjF6qcuACQhhayivg= Microsoft Root Certificate Authority 2011 +AjyBzOjnxk+pQtPBUEhwfTXZu1uH9PVExb8bxWQ68vo= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 -lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking -WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK -x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 -YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 -9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány -pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado -MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority -x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium -vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services -ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA -hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 -j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 
-SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 +BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority +BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root +BVcK5usPzrQhDm23lIa3CUyvIAQB4Um2Z3RBtfJeRJs= ACCVRAIZ1 +Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 +Blb1lVIEyNK8ixykdeKk+m4STRJFEnhBV8hYtVRxFBo= http: +CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign +CT23Z4iPaxMnVV29Qrtck/7exQRMeoS8bqMqV4wiNcA= http: +D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object DHrKpxAiZyC7yUA0nuLmFIZSqJ2/QGojLIlfbceOu5o= QuoVadis Root CA 3 -80OOI7POUyUi+s8weSP1j9GGCOm6et3DDpUrQ8SWFsM= QuoVadis Root CA 3 G3 -vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority -tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= -RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= Secure Certificate Services -JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA -MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC -dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA -ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= -KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= -M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= -qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA -0qXzLw4BuRDvTjtGv4Tlr1+1aJ59FQfpKeNorIjGzHY= Sonera Class2 CA -lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA -Bed+8f3+BeLcpSLK5k2DeaBBt7TxbHyuNgZ6f3KhSHI= Staat der Nederlanden Root CA - G2 -QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 -FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= -hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA -gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 -KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 -5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority 
-5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU= StartCom Certification Authority -FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 -NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 -y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 -9GPFTZ8aBHrtUmVqx4Xgfr7FKOAge/0/VdiTI3Zo9q4= Swisscom Root EV CA 2 -QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 -fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root CA -KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 -ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 -kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign Silver CA - G2 -hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 -MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 -0vkaBOOmHU6teEjI1DteEVLYhXJ0ibxlc4tnwKInhac= Symantec Class 1 Public Primary Certification Authority - G6 -MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 -ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 -gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 -lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 -Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 -vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA -YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 -jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 -rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II -k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II -a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA 
II -st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I -qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II -q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III +EASNAtrRvSDsXdZoz1gbc5Yc6O6YL+vHiUZu/Uj37HM= avast! Web +EGn6R6CqT4z3ERscrqNl7q7RC//zJmDe9uBhS/rnCHU= GTE CyberTrust Global Root ELo0hcqLtogKuVMaQGPkABVVVhx/LgVRZfSbLXT8X2s= TeliaSonera Root CA v1 -myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 -HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA -Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 -GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 -R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA -4tiR77c4ZpEF1TDeXtcuKyrD9KZweLU0mz/ayklvXrg= Trusted Certificate Services -qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= -FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3 -0Hc622AEPpVDCdlxT+BT6q2KpblYbtukaOJ234IGWt8= TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı -xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA -ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority -60mT76mwieWTQYqok/jpOnN02BDlL8vgHn8dfpKm0CQ= Apple Root Certificate Authority -zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root -qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root -QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC -Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email -TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware -gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications -D+FMJksXu28NZT56cOs2Pb9UvhWAOe3a5cJXEd9IwQM= UTN-USERFirst-Object -IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 -cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public 
Primary Certification Authority - G3 -SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 -xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= -UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 -JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 -VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 -lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority -puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root -LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root CA -AGyyJqdyxxgtd3I4Pjc/DyKeff40RIEKjW5QkF0g1mE= VRK Gov. Root CA -qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority -BRz5+pXkDpuD7a7aaWH2Fox4ecRmAXJHnN1RqwPOpis= XRamp Global Certification Authority -bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= -cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root -Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 -JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA -ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano -Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root -+OX5BbyTmREme4PVCBSpAyO1Hhg2KdtS1PwtVGilpXg= Belgium Root CA2 -tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 -WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA -sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA -S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig -a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 -cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 -UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna 
-BStocQfshOhzA4JFLsKidFF0XXSFpX1vRk4Np6G2ryo= AddTrust Class 1 CA Root -NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorité Racine -axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA -28HjoVI4oEg7zbj97GFuA+cFpI4qUBFXyt87nHMRxeU= -lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA -qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA -aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 -iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root -ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 -jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 -dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA -lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root -mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy -AG1751Vd2CAmRCxPGieoDomhmJy4ezREjtIZTBgZbV4= COMODO Certification Authority -aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA -wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA -zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA -7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E= D-TRUST Root Class 3 CA 2 2009 -/zQvtsTIvTCkcG9zSJU58Z5uSMwF9GJUZU9mENvFQOk= D-TRUST Root Class 3 CA 2 EV 2009 -0d4q5hyN8vpiOWYWPUxz1GC/xCjldYW+a/65pWMj0bY= Deutsche Telekom Root CA 2 -gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority -I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA -OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root -8ca6Zwz8iOTfUpc8rkIPCgid1HQUT+WAbEIAZOFZEik= DigiCert Assured ID Root G2 +F3VaXClfPS1y5vAxofB/QAxYi55YKyLxfq4xoVkNEYU= GeoTrust Global CA 2 +FJ8u5juaXlgDJAp3DcmR/C40ReYoMcJFpJvE8fc4/5w= OISTE WISeKey Global Root GB CA +FSg5faISiQqDCwuVpZlozvI0dzd531GBzxD6ZHU0u2U= StartCom Certification Authority G2 +Fbso2SB+E/i8lVfdeF66dzvqlE4E1+CP+KpV7zGUqiA= KEYNECTIS ROOT CA 
Fe7TOVlLME+M+Ee0dzcdjW/sYfTbKwGvWJ58U7Ncrkw= DigiCert Assured ID Root G3 -r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA -i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 -uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 -WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA -Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 -itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 -PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 -Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 -xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root -mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 -wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority -NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sağlayıcısı -MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 -VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA -bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority -/qK31kX7pz11PB7Jp4cMQOH3sMVh6Se5hb9xGGbjbyI= Entrust Root Certification Authority - EC1 -du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net Certification Authority (2048) -P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA -YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= -jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA -h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA -SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority -vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= GeoTrust Primary Certification Authority - G2 -q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification 
Authority - G3 -Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root -knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 -cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign -CLOmM1/OXvSPjw5UOYbAf9GKOxImEp9hhku9W90fHMk= GlobalSign -bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial -fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign -iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign -K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA -VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= -Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 -pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= +FefnF7Qo/u4686/ZFQ261JcAjTo/8BaWRxmQe9sBpkU= T\xC3\x9CB\xC4\xB0TAK UEKAE K\xC3\xB6k Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 - S\xC3\xBCr\xC3\xBCm 3 +FfFKxFycfaIz00eRZOgTf+Ne4POK6FgYPwhBDqgqxLQ= /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority +FtgtZ6Htjon5q1j30P0+sNABdof8ruzUBHXxAIOltZM= SecureSign RootCA1 +G4qJUxcBYIye88ZfXWCpSLG625dTYiougcCkooS+Y8w= CA DATEV STD 01 +GQbGEk27Q4V40A4GbVBUxsN/D6YCjAVUXgmU7drshik= thawte Primary Root CA - G3 +Ga2Y3gIVXX4z6d0h8ORWEP0R0oBEuDGLvr+fYzeIjfA= CA DATEV BT 01 Gno6GmjdI2Hj87uFXzsm/NiLGX2N1N4Gzxs2KsiewTs= Hellenic Academic and Research Institutions RootCA 2011 -NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 -olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09/2009 -B+hU8mp8vTiZJ6oEG/7xts0h3RQ4GK2UfcZVqeWH/og= IdenTrust Commercial Root CA 1 -lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking -WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +H0IkzshPyZztiB/2/P0+IfjFGcVHqmpd094kcwLOUNE= CNNIC ROOT +HXXQgxueCIU5TTLHob/bPbwcKOKw6DkfsTWYHbxbqTY= thawte Primary Root CA +HqPF5D7WbC2imDpCpKebHpBnhs6fG1hiFBmgBGOofTg= Entrust.net 
Certification Authority (2048) +I/Lt/z7ekCWanjD0Cvj5EqXls2lOaThEA0H2Bg4BT/o= DigiCert Assured ID Root CA +I4SdCUkj1EpIgbY6sYXpvhWqyO8sMETZNLx/JuLSzWk= America Online Root Certification Authority 1 +ICGRfpgmOUXIWcQ/HXPLQTkFPEFPoDyjvH7ohhQpjzs= USERTrust ECC Certification Authority +IgUKkoNkgcLzwfhBfTdEehZwB6ybpk6iKMtqHhTGS4s= I.CA - Qualified root certificate +IgduWu9Eu5pBaii30cRDItcFn2D+/6XK9sW+hEeJEwM= VeriSign Class 1 Public Primary Certification Authority - G3 +JZaQTcTWma4gws703OR/KFk313RkrDcHRvUt6na6DCg= Secure Global CA +JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg= VeriSign Class 3 Public Primary Certification Authority - G5 +JdSRPPWHCXQU0p0m9sGxlCzW1k6vRdD8+BUmrbqW0yQ= Actalis Authentication Root CA +JsGNxu6m9jL2drzrodjCtINS8pwtX82oeOCdy4Mt1uU= Equifax Secure eBusiness CA-1 +K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= GlobalSign Root CA KJa03b5hRXGDzH7Se9eKxQogf2kBxcUuU9wWdvm7HgY= Izenpe.com -lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com -y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK -x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 -YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 -9Iut199qBmkNCuMTc7EoVfje2xRRfzYqMTEBzJjMazU= NetLock Arany (Class Gold) Főtanúsítvány -pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado +KikzfD1iJMxT8LteXVggwNiEiwSHEyjwkP7jzWv4IbQ= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 +KkISYFqj6K7LD8GYBs87QLU7lfGjTbvW4+0nIwMkq7M= /C=JP/O=SECOM Trust.net/OU=Security Communication RootCA1 +Ko8tivDrEjiY90yGasP6ZpBU4jwXvHqVvQI0GS3GNdA= Go Daddy Root Certificate Authority - G2 +KovtMq5oDS0Ye5p6/Rcdg/0Lk16vniwbQ+gCeNIGPjk= SwissSign Platinum CA - G2 +KwccWaCgrnaw6tsrrSO61FgLacNgG2MMLq8GE6+oP5I= Starfield Services Root Certificate Authority - G2 +Laj56jRU0hFGRko/nQKNxMf7tXscUsc8KwVyovWZotM= UTN-USERFirst-Client Authentication and Email +LgCRWp974GqyNwx7fCAMCpbVrGpQzhh02+/eQCLU3o4= Visa Information Delivery Root 
CA +M4BwmvOwlr48wqQFSBQsClIAKNsJ4st3riIGYWq2y7Q= /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 +MCeimPpXMU3A490QGUEbj0BMQ8P5NM4734VlEsgKoVw= Symantec Class 2 Public Primary Certification Authority - G4 +MJ8T1J6mb1IyQbVVJHREZOKMwbgu95tk5NWBiA3Ndx8= Echoworx Root CA2 +MVEmgCM/XyofKUN/VtSYjPCvxBzGxdpidZKOnAvq3ic= Symantec Class 1 Public Primary Certification Authority - G4 +Md4MsZ8q27DRzXsbMe+O4+tZt0RZrvlLSAvu7rhcZMk= http: +MhmwkRT/SVo+tusAwu/qs0ACrl8KVsdnnqCHo/oDfk8= AffirmTrust Premium ECC MtGA7THJNVieydu7ciEjuIO1/C3BD5/KOpXXfhv8tTQ= Network Solutions Certificate Authority +NJn5P9OUUjv7HsTDrU37MQEx++nuVHa95ild6AjV3Y8= Swisscom Root CA 1 +NVHeWKfXnNmAKD34F5DWOpgsGmOzBILsWCHbdmFVTvk= EBG Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 +NsIjFBMaX78bcOpMz0vBOnd9k47GXh2iTjws/QHT0WM= Hongkong Post Root CA 1 +NuzGH8fl8ZI9Fn5n3940YIVJs0pjx8bmD/1cGEA4H1w= Certinomis - Autorit\xC3\xA9 Racine +O0WRggXFkSmKGSKli0kh0B9kj6nSi93frSSu7FlCz78= /C=ES/O=FNMT/OU=FNMT Clase 2 CA +OBo/x6iwgvooYTpNB/LHVT9OGRjuB8qp6LfO3lqcoGo= Certification Authority of WoSign G2 +OGHXtpYfzbISBFb/b8LrdwSxp0G0vZM6g3b14ZFcppg= AddTrust Public CA Root +OoA+fApDop/XNnLj0LssNlPZSO3gs8sdtM51qFfomvE= Buypass Class 3 CA 1 +Ow1ztL5KhUrcPlHX75+kiu+7LN2CTWe9x9fQmiq8LUM= Autoridad de Certificacion Firmaprofesional CIF A62634068 +P6t4T8PJq57twS7NwNtVD0w9v9PobXiBUzPF66UYy50= Admin-Root-CA +PDXhZL7dLPEr64Ps/3i16A2oFY0oMCF+Tr/86JKImaY= DST ACES CA X6 +QAL80xHQczFWfnG82XHkYEjI3OjRZZcRdTs9qiommvo= UTN - DATACorp SGC +QPz8KIddzL/ry99s10MzEtpjxO/PO9extQXCICCuAnQ= SwissSign Gold CA - G2 +QiOJQAOogcXfa6sWPbI1wiGhjVS/dZlFgg5nDaguPzk= Staat der Nederlanden Root CA - G3 +R8ehScqC+nupQKTXEdAQYlxssLdIsXAWxG4lznrNKww= TRUST2408 OCES Primary CA +RGLBB8SF3WpUQ/XnoWBEFgNKN0w/TRCHXxw3FQJ1Y68= Microsoft Root Authority +RK+K/PE5XSqOMO+BLOGc6y6JSN/SHgD7qjRon5okch8= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 +RpHL/ehKa2BS3b4VK7DCFq4lqG5XR4E9vA8UfzOFcL4= 
Secure Certificate Services +S3Lf7T7cy19JRWguKVcxoIZKxrW4Wxk+zS8GtJAMHP0= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H5 +S9xjb0jSH7aMWjzUogaFeIBDvbUk5+hNQZLEUe40KbU= CA Disig +SQVGZiOrQXi+kqxcvWWE96HhfydlLVqFr4lQTqI5qqo= GeoTrust Primary Certification Authority +SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4= VeriSign Class 3 Public Primary Certification Authority - G3 +SiZZZm3AIDuRb1PYCtj2GsML6hYfSFzHUn5qWTfkkhY= T\xC3\x9CRKTRUST Elektronik Sertifika Hizmet Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 H6 +SkntvS+PgjC9VZKzE1c/4cFypF+pgBHMHt27Nq3j/OU= QuoVadis Root CA 2 G3 +TUDnr0MEoJ3of7+YliBMBVFB4/gJsv5zO7IxD9+YoWI= UTN-USERFirst-Hardware +Tq2ptTEecYGZ2Y6oK5UAXLqTGYqx+X78vo3GIBYo+K8= Global Chambersign Root +UQ0g5cR/Y89mayD2GvYrwJmkKsgk/6RDotp8kLGAipE= Certigna +UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4= VeriSign Class 3 Public Primary Certification Authority - G4 +VhdNOtlxqJRJZLGJgR8wCEk6apBCLjxYBOyDjU+U9iI= EE Certification Centre Root CA +VjLZe/p3W/PJnd6lL8JVNBCGQBZynFLdZSTIqcO0SJ8= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority +Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys= DST Root CA X3 +VnuCEf0g09KD7gzXzgZyy52ZvFtIeljJ1U7Gf3fUqPU= VeriSign Class 4 Public Primary Certification Authority - G3 +WN1h/rNup9JYckNxcJFJyxITN4ZMrLLQmZrSBznQZHc= IdenTrust Public Sector Root CA 1 +WVWuKRV0qTE0LPdFDhZlLt4eD7MJfhVx36wRyRVgFWQ= Buypass Class 2 Root CA +Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw= DigiCert Trusted Root G4 +WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18= DigiCert High Assurance EV Root CA +Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o= Baltimore CyberTrust Root +YQbA46CimYMYdRJ719PMGFmAPVEcrBHrbghA3RZvwQ4= T-TeleSec GlobalRoot Class 2 +YWFnIBQzrqbI5eMHCvyvZ0kYj4FL0auxea6NrTq/Juw= Microsec e-Szigno Root CA 2009 +YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U= /C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority +Yo46EVb2+qkvlLQJJY1Muj8gR0gNMBlPrz++0F6utbI= e-Guven Kok Elektronik 
Sertifika Hizmet Saglayicisi +Z+oZMkOuODk5ta2eNWprK/k6k7zc+CikcIJJeIMIP4Y= Staat der Nederlanden Root CA +Z0A55HJWGWPIywDSGpepChi7ihxMMXrGfjgqZSu1c8A= Apple Root CA - G2 +Z9xPMvoQ59AaeaBzqgyeAhLsL/w9d54Kp/nA8OHCyJM= thawte Primary Root CA - G2 +ZUT/mttkLEw2mKYNgUO2uTvO8BNltUD2FNzCpFq5TTE= /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication EV RootCA1 +ZZyzaKxWmYvQevLK/F+5P455R0rMwqbPGsnyGS0TY2A= Autoridad de Certificacion Raiz del Estado Venezolano +ZrAFOYJqN0hJMBkeAo9i2rHLyJs6zUctxOWQXke/c2Q= Macao Post eSignTrust Root Certification Authority (G02) +a4belqZYpWggpPNdkNtsPv3VdM6UuQnLDX/xfDwYnYM= TC TrustCenter Class 4 CA II +a8/IbI3cKvLmoRgKLdq7N7fqN1Uxa2S5uJUb8Mo1HwY= CA Disig Root R1 +aMNpIhRyTUtVp2D0cLT8qLXg/h1ynP8i/rTKiKzTmAk= ComSign CA +akNrWNnYMOjVuKZCUFrWtBQGrc1olNlBT3vgoUZ7rbc= CA DATEV STD 02 +axpQXgJG8vYMSQ/wwJenvichDLt1ACN/iLDNSCmLybg= Certinomis - Root CA +aztX6eyI0bs9AWN/8zx2mLPJdYJV6fAeqRePPn87K1I= Certum Trusted Network CA 2 +bEZLmlsjOl6HTadlwm8EUBDS3c/0V5TwtMfkqvpQFJU= AffirmTrust Commercial +bb+uANN7nNc/j7R95lkXrwDg3d9C286sIMF8AnXuIJU= Entrust Root Certification Authority +bz4Hf+VQRkbAGRr85JTk62gYPjmPWk3AVmn4tubmgv4= /C=JP/O=Japanese Government/OU=ApplicationCA +cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM= VeriSign Class 2 Public Primary Certification Authority - G3 +cCEWzNi/I+FkZvDg26DtaiOanBzWqPWmazmvNZUCA4U= CA Disig Root R2 +cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A= GlobalSign +cZz1s2GS573mUMyRNB5vZJ27jD7ki6yql/oOBbY3S0E= ApplicationCA2 Root +du6FkDdMcVQ3u8prumAo6t3i3G27uMP2EOhR8R0at/U= Entrust Root Certification Authority - G2 +dy/Myn0WRtYGKBNP8ubn9boJWJi+WWmLzp0V+W9pqfM= Class 2 Primary CA +dykHF2FLJfEpZOvbOLX4PKrcD2w2sHd/iA/G3uHTOcw= SecureTrust CA +egUvWN1fX0JTrxfoxOkAplWFMtYlqYpuGmCYxVCv5UI= Cybertrust Public SureServer SV CA +eu3d82sY+Ky3N5/hzhgyErI1DQeIq+DoJFe+m62tbVQ= CA WoSign ECC Root +fDtG2b6PJ0H5gAOVIYWOTN0wd0+zKzshzuoGqnnGqsY= SecureSign RootCA2 +fKoDRlEkWQxgHlZ+UhSOlSwM/+iQAFMP4NlbbVDqrkE= GeoTrust Universal CA 2 
+fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8= GlobalSign +foeCwVDOOVL4AuY2AjpdPpW7XWjjPoWtsroXgSXOvxU= Cybertrust Global Root +fx3siwMZVIoFbeW7UhvZPrdOanbyjf+3W0WlO3da96s= SwissSign Gold Root CA - G3 +gI1os/q0iEpflxrOfRBVDXqVoWN3Tz7Dav/7IT++THQ= Starfield Root Certificate Authority - G2 +gJ8rquNa+082vWR2znXCABB3kBtq9cTauC4YjGuVwaE= Symantec Class 3 Public Primary Certification Authority - G4 +gNv7l73Tkmuu5B9zxViPqhfXB7A630kHorxnfz7xcXw= Developer ID Certification Authority +gamPx4jDX1V2RalSJOUM0drI/7IJ3B5WiKopIF8TIhg= UTN-USERFirst-Network Applications +grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME= COMODO RSA Certification Authority +h6801m+z8v3zbgkRHpq6L29Esgfzhj89C1SyUCOQmqU= GeoTrust Global CA +hKrAk+CMSdv/+OVgdZJI2+ZxNbNysj0qiB1fmcuxkeg= SwissSign Silver Root CA - G3 +hdJr6Q2TT8zbT/ezjYx5ynZSuBbWpSRGyoQoprhdxXw= ANF Global Root CA +hqaPBQA0EmpUDTnbLF+RfvZqlPuWGfoezYJ86ka6DLA= QuoVadis Root CA 1 G3 +hsE6NAjdGqd+6LaUfAOVh3L1MSSMFie++yxPSwTQRJY= IGC +i+p269YTev+fHsw8CMrx3sR9uRaQ1XVMTp8VIywKLng= CA DATEV INT 01 +i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY= DigiCert Global Root G2 +iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0= GlobalSign +iir/vRocXRvcy7f1SLqZX5ZoBrP9DDoA+uLlLzyFOYk= Chambers of Commerce Root +ipA7YAoICzjf4g37as0jEi9kYg5YCLn8hoiVL8GjVZw= SwissSign Platinum Root CA - G3 +itsjhVSgy/w6Ef7MGD480sI9JeeJTPK7rljrcKROfPM= DoD Root CA 2 +j9ESw8g3DxR9XM06fYZeuN1UB4O6xp/GAIjjdD/zM3g= QuoVadis Root CA 2 +jXZ3ZLPL2giSnQcqIqVh9NzdG8V9PL3clIxH0rR/kSI= T-TeleSec GlobalRoot Class 3 +jotW9ZGKJb2F3OdmY/2UzCNpDxDqlYZhMXHG+DeIkNU= Federal Common Policy CA +jtW0wEG2spPA5kEwFQZtMYSDyQH/aehqUh0MslVp8+g= Cisco Root CA 2048 +k5KuIUmSSt435kXbof9L3dzaKykbYJdmnSr6XHo3Jhk= TC TrustCenter Class 3 CA II +kRni9BNXl3eVSZFwPu4joEUjoxK1xl9/k3SqMQDr2Oc= Class 3TS Primary CA +knobhWIoBXbQSMUDIa2kPYcD0tlSGhjCi4xGzGquTv0= Global Chambersign Root - 2008 +ksRoeWJu8swezqUMcvteOFhECV8hy/Oyg8uC5rn8alg= TWCA Root Certification Authority +kxgib4yDr+R/X0fCT1nOEtuoxzsYG+5rLqH0Cga8GGk= SwissSign 
Silver CA - G2 +lAcq0/WPcPkwmOWl9sBMlscQvYSdgxhJGa6Q64kK5AA= AffirmTrust Networking +lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU= AddTrust External CA Root +lR7gRvqDMW5nhsCMRPE7TKLq0tJkTWMxQ5HAzHCIfQ0= Staat der Nederlanden EV Root CA +lSwgOcAkPrUV3XPYP8NkMYSHT+sIYqmDdzHtm0dC4Xo= Izenpe.com +lXNUc71no7lajV+QxaIazh4NeUcyBnTUq4R5crkVRNI= Symantec Class 3 Public Primary Certification Authority - G6 +lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI= VeriSign Universal Root Certification Authority +lpkiXF3lLlbN0y3y6W0c/qWqPKC7Us2JM8I7XCdEOCA= GeoTrust Universal CA +ly+8bVW/77Gr43WK19Z6NJu++AwG8dhQAd+5EBuavBs= CA DATEV INT 02 +lzasOyXRbEWkVBipZFeBVkgKjMQ0VB3cXdWSMyKYaN4= Certum CA +mACOLtu3K61C2i/LBqwaqgsubgxy6MogT7r9G7SHlEE= Common Policy +mAki7uB/hrx/Xl6V1X24va5o4XpCHE5yqWpwioeSASQ= Microsec e-Szigno Root CA +mLPxCgJQQZEPGXzxfKD83+11+yyMFKhD4E1WVsnrrBo= DST Root CA X4 +myGdD7/zal+zIJBXGQa87qaGF8gzo/YbgeliqOZNuK8= Apple Root CA - G3 +nG9qEjy6pO402+zu4kyX1ziHjLQj88InOQNCT10fbdU= Thawte Server CA +nZih+2BTjEzEhX/xqMgDT69vxZIJP2GZlLLIE9JQuGQ= Class 1 Primary CA +ncOKntz4KEK2dNoYa21iFaueLsbXL1ewioknKMMUMfM= SecureSign RootCA3 +ndVfxXP1RstqODHRES2HEKb0+C3If1+unToaAo3Tbks= China Internet Network Information Center EV Certificates Root +nsxRNo6G40YPZsKV5JQt1TCA8nseQQr/LRqp1Oa8fnw= Entrust.net Secure Server Certification Authority +odRdBilzQbHzpzXPo48oPmh5/sBigaNh5fQXzHDSnck= CA DATEV BT 02 +olpyFMK2yGFCraOd/y1z2GWqV4Q/3S23ez/r+CaD3i0= I.CA - Qualified Certification Authority, 09 +otyYyny77hgislsme9XKUC+nsM9P/wcD7mpBZwPzx+o= Class 3 Primary CA +p5jZL3bJxnVeX1X4bNFK7cwGVTceJ8zeA3d0XOPFABM= Certipost E-Trust Primary Qualified CA +pAA71b3YlOAajgHga2LHqoLwPeUlMTNXCq1P0OfYHTw= NetLock Kozjegyzoi (Class A) Tanusitvanykiado +pLibtwZW6kmPLZ4ApJf9udzSC4G4k46VK7ot+fZXKcM= Halcom CA FO +pRovOgUOg4pQUGlleNu+2qwaEH7i2dSPrlBdGNDaXPg= /C=TW/O=Government Root Certification Authority +puEf8V7DJqXj8YrTOgVmlNyExpl2bQKKWtDv4ajlOsc= Visa eCommerce Root +pvH5v4oKndwID7SbHvw9GhwsMtwOE2pbAMlzFvKj3BE= 
Equifax Secure Global eBusiness CA-1 +q1zbM1Y5c1bW5pGXPCW4YYtl12qQSG6nqKXBd2f0Zzo= TC TrustCenter Universal CA III +q5hJUnat8eyv8o81xTBIeB5cFxjaucjmelBPT2pRMo8= GeoTrust Primary Certification Authority - G3 +qBKTRF2xlqIDD55FX+PHSppPgxewKwFAYCeocIF0Q0w= /C=TW/O=Government Root Certification Authority +qGvauPSAtuuJQquRcL3QmRlxp60TXfu8tyhfB6fR44o= UCA Root +qHRDs9iW6yV8zOmbla2pvIG5204xQqqama8JQssKSjo= /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA +qZlyzh9sWB0Al/YmGAYuUxV7Unbh7GZRoxVwV/BXszk= WellsSecure Public Root Certificate Authority +qhwr7bGlCLqtf7P14CiXuQfHSN6pt5CJBKrb0El6q2o= Sonera Class1 CA +qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU= Certum Trusted Network CA +qzh2w9pd4MnPZzaGjuW4i/m6Hf+cnXLS/lqNL3gwIWY= Thawte Timestamping CA +qzmksCWVVpGkAmnzU/odXLlOr2x+qYCEhLu7Yv2faPM= TC TrustCenter Universal CA II +r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E= DigiCert Global Root CA +rPZeHWLLWKK6/W/6tA+4hpnEc5fPXLSD1C1pytNM1Is= TC TrustCenter Class 2 CA II +ryB8Yf2cfPksKv6BVCgtw/LL8y91zRcoFMUrA7frwlg= Symantec Class 2 Public Primary Certification Authority - G6 +sD2HsFbQjMnU5nXvGcqDq1NTIWioJYWYvnLm2Fx918E= Buypass Class 3 Root CA +sIP/U29/SKkIHilKAYe1PoGXcUAtnUgQMG3gMQJOX0Y= AC1 RAIZ MTIN +sPbxW0gX6+b+C0v819Os5MdYsKtvip2i7ZLmGCOdnJg= ACEDICOM Root +sRJBQqWhpaKIGcc1NA7/jJ4vgWj+47oYfyU7waOS1+I= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority +sh0qdDMYcSuhbzmRnZYaS6+6O8qaQ6dbH8/iLF1wyro= EC-ACC +st71NirT+s0EvSkEekOET3ZwNOpIkvgOVr7mkCQ+JQI= TC TrustCenter Universal CA I +sxguKJrjTd8r5kOrecJEMBYF+g8equbRD7kpYAr4TfA= Certipost E-Trust Primary Normalised CA +tKA56vxDELqb3gk+24+dnQs9THwATUgojDXbzBlGfRg= /O=RSA Security Inc/OU=RSA Security 2048 V3 +tjjP8FyKgydY7cMCivni1VUUVovGuzSrNtFAuXrGsS0= Buypass Class 2 CA 1 +u0Eo7JYg8tKknOjixOJXrrrZOg8RxWtfpLAOI3Wfo50= SecureSign RootCA11 +uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc= DigiCert Global Root G3 +vM6OK7rucbY1jd1kHLv8Jd5FQAMAYnH3W1C3JtZ8O8k= SZAFIR ROOT CA +vPtEqrmtAhAVcGtBIep2HIHJ6IlnWQ9vlK50TciLePs= 
GeoTrust Primary Certification Authority - G2 +vRU+17BDT2iGsXvOi76E7TQMcTLXAqj0+jGPdW7L1vM= AAA Certificate Services +vj23t5v+V53PmwfKTK11r/FpdVaOW0XPyuTWH7Yxdag= QuoVadis Root Certification Authority +vt2LyX6oZJcZWgeKmZojegYK664HvAoLm3eJgrpfYvQ= Halcom CA PO 2 +wGyHL8LQrAjXjUIZgfvaTjVQDQlG95iU7dIawp3sBxk= ComSign Global Root CA +wa0bGJjsOVBI3wcL+iF+JckTvtjKa3PeCFUohGoBA8E= E-Tugra Certification Authority x/Q7TPW3FWgpT4IrU3YmBfbd0Vyt7Oc56eLDy6YenWc= AffirmTrust Premium +x/WEI22GOV6Pb4LAEIhqLFbgcaahw+0odrijpyxe+7U= I.CA - Standard Certification Authority, 09 +x0YSfF9rUpzp4pSO/ZRlRECJMZrPA/NNC/N+rcd9si8= KISA RootCA 1 +x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4= USERTrust RSA Certification Authority +xES1tmzl1x4bXkDyc4XJXL/SSgW1b3DKwJkvD1DDN5w= TWCA Global Root CA +xWl76RzWVVObVgdY6RtuCFRhYjdBA0xIXkfX6dJaA8A= /C=JP/O=LGPKI/OU=Application CA G2 +xeolnGKYA1CGSfAhd/Y8MvqFzErVw18NVBxF3xCkn9c= PSCProcert +xzr8Lrp3DQy8HuQfJStS6Kk9ErctzOwDHY2DnL+Bink= AddTrust Qualified CA Root +y+WsFdiLXKw/gebfO/tXvqYJWIE6R7d/PFy2uYGRvbU= Juur-SK +y26RcRrW1VyJBvN5ywcftcR5M2VKdBVhLu5mKfJvvNc= Swisscom Root CA 2 +yZBbDuASAik8oCbmTwhBJELFUEwG5Eyn6XJtYfIOQIk= Microsoft Root Certificate Authority 2010 +zEmXhjyMSKTLXD5lN9wGAo2GOL5J9fiiulby8siox3k= UCA Global Root +ziTrBibe/YFoyWp3AfCTAWAP5d0NvOWOnJe4MK8C7yg= OISTE WISeKey Global Root GA CA +ztQ5AqtftXtEIyLcDhcqT7VfcXi4CPlOeApv1sxr2Bg= Chambers of Commerce Root - 2008 +zwtHSs6Eafq6QC8C7r354XANnL6L5OQ0hAe2ndMZbpQ= ComSign Secured CA diff --git a/t/10_ca_hashes_up_to_date.t b/t/10_ca_hashes_up_to_date.t new file mode 100755 index 0000000..722a312 --- /dev/null +++ b/t/10_ca_hashes_up_to_date.t @@ -0,0 +1,9 @@ +#!/usr/bin/env perl + +use strict; +use Test::More tests => 1; + + +my $newer_bundles=`find etc/*.pem -newer etc/ca_hashes.txt`; +is($newer_bundles,"","List of CA bundles newer then etc/ca_hashes.txt should be empty. If not run utils/create_ca_hashes.sh"); +done_testing; \ No newline at end of file 
diff --git a/utils/create_ca_hashes.sh b/utils/create_ca_hashes.sh
new file mode 100755
index 0000000..631bdd9
--- /dev/null
+++ b/utils/create_ca_hashes.sh
@@ -0,0 +1,48 @@
+#!/usr/bin/env bash
+#
+# vim:ts=5:sw=5:expandtab
+# we have a spaces softtab, that ensures readability with other editors too
+
+# This file generates the file etc/ca_hashes.txt from the (root)certificate
+# Bundles in etc (etc/*.pem)
+
+TEMPDIR="/tmp"
+OPENSSL="bin/openssl.Darwin.x86_64 "
+
+# Check if we are in the right directory
+if [[ ! -e etc ]]; then
+ echo "Please run this script from the base directory of the testssl.sh project"
+ exit 99
+fi
+
+echo "Extracting private key hashes from CA bundles"
+echo -n > "$TEMPDIR/cahashes"
+for bundle_fname in etc/*.pem; do
+ if [[ ! -r $bundle_fname ]]; then
+ echo "\"$bundle_fname\" cannot be found / not readable"
+ exit 99
+ fi
+ bundle_name=$(echo -n $bundle_fname|sed s/^etc\\///|sed 's/\.pem$//')
+ echo "CA Bundle: $bundle_name"
+ # Split up the certificate bundle
+ awk -v n=-1 "BEGIN {start=1}
+ /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
+ inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") }
+ /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname
+ for cert_fname in $TEMPDIR/$bundle_name.*.$$.crt; do
+ echo -n "."
+ hpkp_key_ca="$( ( $OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d |
+ $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64 ) 2>/dev/null )"
+ hpkp_name=$( $OPENSSL x509 -in "$cert_fname" -subject -noout 2>/dev/null | sed "s/^subject= //")
+ if [[ $(echo $hpkp_name|grep 'CN='|wc -l) -eq 1 ]]; then
+ hpkp_name=$(echo -n $hpkp_name|sed 's/^.*CN=//'|sed 's/\/.*$//')
+ fi
+ echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/cahashes"
+ done
+ echo
+done
+
+# Make a backup first
+cp etc/ca_hashes.txt etc/ca_hashes.txt.bak
+
+sort -u "$TEMPDIR/cahashes" > etc/ca_hashes.txt
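Review bot: `TEMPDIR="/tmp"` combined with fixed names (`$TEMPDIR/cahashes`, `$TEMPDIR/$bundle_name.N.$$.crt`) puts the scratch files in a shared, world-writable directory: `echo -n > "$TEMPDIR/cahashes"` and the awk `>>` write through whatever another local user has already placed at those paths, and the per-certificate `.crt` files are never removed, so leftovers can be picked up by the `for cert_fname in $TEMPDIR/$bundle_name.*.$$.crt` glob once the PID is reused. A private directory that is cleaned up on every exit path fixes both: `TEMPDIR=$(mktemp -d) || exit 99` and `trap 'rm -rf -- "$TEMPDIR"' EXIT` in place of the `TEMPDIR=` line. Separately, `OPENSSL="bin/openssl.Darwin.x86_64 "` hard-codes one platform's binary (with a trailing space); `OPENSSL=${OPENSSL:-bin/openssl.Darwin.x86_64}` would let the generator run elsewhere, and the unquoted `$bundle_fname` and `$hpkp_name` expansions should be double-quoted.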
From 9133eddb9a7fe9948a5467d5d58737abfd0c7a18 Mon Sep 17 00:00:00 2001
From: Frank Breedijk
Date: Mon, 25 Jul 2016 10:57:10 +0200
Subject: [PATCH 10/11] Working unit tests again
---
 t/{02_hpkp_pinning.t => 11_hpkp.t} | 22 +++++++++++-----------
 testssl.sh | 29 +++++++++++++++--------------
 2 files changed, 26 insertions(+), 25 deletions(-)
 rename t/{02_hpkp_pinning.t => 11_hpkp.t} (77%)
diff --git a/t/02_hpkp_pinning.t b/t/11_hpkp.t
similarity index 77%
rename from t/02_hpkp_pinning.t
rename to t/11_hpkp.t
index 8de07b1..6b8c3a0 100755
--- a/t/02_hpkp_pinning.t
+++ b/t/11_hpkp.t
@@ -18,45 +18,45 @@ $out = `./testssl.sh -H --jsonfile tmp.json --color 0 ssl.sectionzero.org`; $json = json('tmp.json'); # It is better to have findings in a hash -# Look for a leaf cert match in the process. +# Look for a host cert match in the process. my $found = 0; my %findings; foreach my $f ( @$json ) { $findings{$f->{id}} = $f; - if ( $f->{finding} =~ /matches the leaf certificate/ ) { + if ( $f->{finding} =~ /matches the host certificate/ ) { $found++; } } -is($found,1,"We found 1 'matches the leaf certificate' finding"); $tests++; -like($out,'/Leaf cert match/',"There is a 'Leaf cert match' in the text output"); $tests++; +is($found,1,"We found 1 'matches the host certificate' finding"); $tests++; +like($out,'/Host cert match/',"There is a 'Leaf cert match' in the text output"); $tests++; # Sub CA match ok( exists $findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"},"We have a finding for key YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"); $tests++; like($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{finding},'/Intermediate CA key matches a key pinned in the HPKP header/',"We have our Sub CA finding"); $tests++; is($findings{"hpkp_YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg"}->{severity}, "OK", "The finding is ok"); $tests++; -like($out,'/Sub CA match \: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++; +like($out,'/Sub CA match\: YLh1dUR9y6Kja30RrAn7JKnbQG\/uEtLMkBgFF2Fuihg/',"There is a 'Sub CA match' in the text output"); $tests++; # Root CA match Lets encrypt ok( exists $findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"},"We have a finding for key Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/DST Root 
CA X3/',"Correct Root CA"); $tests++; like($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{finding},'/The CA is part of the chain/',"CA is indeed part of chain"); $tests++; -is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "OK", "The finding is ok"); $tests++; -like($out,'/Root CA match \: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++; +is($findings{"hpkp_Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys"}->{severity}, "INFO", "The finding is informational"); $tests++; +like($out,'/Root CA match\: Vjs8r4z\+80wjNcr1YKepWQboSIRi63WsWXhIMN\+eWys/',"There is a 'Root CA match' in the text output"); $tests++; # Root CA StartCom ok( exists $findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"},"We have a finding for key 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/Root CA key matches a key pinned in the HPKP header/',"This is a Root CA finding"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/StartCom Certification Authority/',"Correct Root CA"); $tests++; like($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{finding},'/The CA is not part of the chain/',"CA is indeed NOT part of chain"); $tests++; -is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "OK", "The finding is ok"); $tests++; -like($out,'/Root CA match \: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++; +is($findings{"hpkp_5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU"}->{severity}, "INFO", "The finding is informational"); $tests++; +like($out,'/Root CA match\: 5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU/',"There is a 'Root CA match' in the text output"); $tests++; # Bad PIN ok( exists $findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"},"We have a finding for key 
123bad123bad123bad123bad123bad123bd123bad12"); $tests++; like($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{finding},'/doesn\'t match anything/',"It doesn't match indeed"); $tests++; -is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "WARN", "The finding is ok"); $tests++; -like($out,'/Unmatched key : 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++; +is($findings{"hpkp_123bad123bad123bad123bad123bad123bd123bad12"}->{severity}, "INFO", "The finding is informational"); $tests++; +like($out,'/Unmatched key\: 123bad123bad123bad123bad123bad123bd123bad12/',"There is an 'unmatched key' in the text output"); $tests++; like($findings{hpkp_keys}->{finding},'/5 keys pinned/',"5 keys pinned in json"); $tests++; like($out,'/\# of keys: 5/',"5 keys pinned in text output"); $tests++;
diff --git a/testssl.sh b/testssl.sh
index cdb3dd5..aaad4dd 100755
--- a/testssl.sh
+++ b/testssl.sh
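Review bot: The description of the renamed assertion near the top of the hunk still names the old string: `like($out,'/Host cert match/',"There is a 'Leaf cert match' in the text output");` should read `like($out,'/Host cert match/',"There is a 'Host cert match' in the text output");` so a failure report points at the output actually being checked. The suite also keys on a live host's current chain (the DST Root CA X3 and StartCom pins asserted further down), so these assertions will presumably go stale when that site rotates certificates or pins; a recorded fixture, or a skip when the host is unreachable, would make the run deterministic.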
@@ -1076,22 +1076,23 @@ run_hpkp() { for hpkp_key in $(echo $pins); do # exho needed here? ^^^^ key_found=false - # compare pin against the leaf certificate + # compare pin against the host certificate if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then - out "\n$spaces Host cert match: " - pr_done_good "$hpkp_key" - fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the leaf certificate" + # We have a match key_found=true pins_match=true + out "\n$spaces Host cert match: " + pr_done_good "$hpkp_key" + fileout "hpkp_$hpkp_key" "OK" "PIN $hpkp_key matches the host certificate" fi debugme out "\n $hpkp_key | $hpkp_key_hostcert" # Check for intermediate match - if ! "$key_found"; then + if ! $key_found; then # doesn't work, "grep: /tmp/ssltester.Dp2ovS/intermediate.hashes: No such file or directory" if teested against testss.sh hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null) if [[ -n $hpkp_matches ]]; then - # We have a winner! + # We have a match key_found=true pins_match=true out "\n$spaces Sub CA match: " @@ -1101,10 +1102,10 @@ run_hpkp() { fi fi - if ! "$key_found"; then + if ! $key_found; then hpkp_matches=$(grep -h "$hpkp_key" $ca_hashes | sort -u) if [[ -n $hpkp_matches ]]; then - # We have a winner! + # We have a match key_found=true pins_match=true if [[ $(count_lines "$hpkp_matches") -eq 1 ]]; then 
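Review bot: `hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null)` in the first hunk, and `grep -h "$hpkp_key" $ca_hashes` in the second, pass a pin that appears to come from the server's HPKP header (`$pins` is populated outside this hunk) as both a regex and a bare argument. A value beginning with `-` would be parsed by grep as an option, and any regex metacharacter in it is interpreted rather than matched literally; well-formed base64 pins contain neither, but the header is peer-controlled input. `grep -F -- "$hpkp_key" ...` in both places keeps the comparison literal regardless of what the header carries. run_hpkp() starts and ends outside these hunks.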
@@ -1128,19 +1129,19 @@ run_hpkp() { fi fi - if ! "$key_found" && [[ $DEBUG -eq 1 ]]; then - # Houston we may have a problem + if ! $key_found; then + # Most likely a backup pin out "\n\n$spaces Unmatched key: " out "$hpkp_key" - out "\n$spaces (This is OK for a backup pin of a leaf cert)" - fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a leaf certificate" + out "\n$spaces (This is OK for a backup pin of a host cert)" + fileout "hpkp_$hpkp_key" "INFO" "PIN $hpkp_key doesn't match anything. This could be ok if it is a backup pin for a host certificate" fi done # If all else fails... - if ! "$pins_match"; then + if ! $pins_match; then pr_svrty_high " No matching key for pins found " - fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your leaf certificate, intermediate CA or known root CAs. You may have bricked this site" + fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your host certificate, intermediate CA or known root CAs. You may have bricked this site" fi else out "--"
From dd10194977b37547ba22bd4d5de4b3745f65376e Mon Sep 17 00:00:00 2001
From: Frank Breedijk
Date: Mon, 25 Jul 2016 11:02:05 +0200
Subject: [PATCH 11/11] Addressed comments by @drwetter
It is OK for a site to pin a CA that is not part of the chain (like github.com does) This is a provision against a CA compromise (like diginotar) which could lead to a briked site in case of CA compromise. GitHub has built in multiple levels of security they have both backup pins for host certs and back pins for CAs (and I wouldn;t be surprised if they have a backup intermediate pin too).
---
 testssl.sh | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/testssl.sh b/testssl.sh
index aaad4dd..765cb11 100755
--- a/testssl.sh
+++ b/testssl.sh
@@ -1056,8 +1056,8 @@ run_hpkp() {
 nrsaved=$(count_words "$(echo $TEMPDIR/level?.crt 2>/dev/null)")
 rm $TEMPDIR/level0.crt 2>/dev/null
+ echo -n > "$TEMPDIR/intermediate.hashes"
 if [[ nrsaved -ge 2 ]]; then
- echo -n "" > "$TEMPDIR/intermediate.hashes"
 for cert_fname in $TEMPDIR/level?.crt; do
 hpkp_key_ca="$($OPENSSL x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | $OPENSSL base64 -d | $OPENSSL dgst -sha256 -binary | $OPENSSL enc -base64)"
@@ -1067,14 +1067,11 @@ run_hpkp() {
 echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/intermediate.hashes"
 done
 fi
- rm $TEMPDIR/level*.crt 2>/dev/null
-# I'd like to keep all certs retrieved for debugging
-
- # Get keys from Root CAs
+ # This is where the matching magic happens...
 pins_match=false
- for hpkp_key in $(echo $pins); do
-# exho needed here? ^^^^
+ has_backup_pin=false
+ for hpkp_key in $pins; do
 key_found=false
 # compare pin against the host certificate
 if [[ "$hpkp_key_hostcert" == "$hpkp_key" ]] || [[ "$hpkp_key_hostcert" == "$hpkp_key=" ]]; then
@@ -1089,7 +1086,6 @@ run_hpkp() {
 # Check for intermediate match
 if ! $key_found; then
-# doesn't work, "grep: /tmp/ssltester.Dp2ovS/intermediate.hashes: No such file or directory" if teested against testss.sh
 hpkp_matches=$(grep "$hpkp_key" $TEMPDIR/intermediate.hashes 2>/dev/null)
 if [[ -n $hpkp_matches ]]; then
 # We have a match
@@ -1122,7 +1118,7 @@ run_hpkp() {
 out " (part of the chain)"
 fileout "hpkp_$hpkp_key" "INFO" "Root CA key matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is part of the chain"
 else
-# there's a root CA match for github AND this message.
+ has_backup_pin=true
 out "\n$spaces This CA is not part of the chain and likely a backup PIN"
 fileout "hpkp_$hpkp_key" "INFO" "Root CA key matches a key pinned in the HPKP header. Key/OS/CA: $hpkp_matches. The CA is not part of the chain, this is a backup PIN"
 fi
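Review bot: `if [[ nrsaved -ge 2 ]]; then` in the first hunk works only because `[[ ]]` evaluates the operands of `-ge` arithmetically and resolves the bare name as a variable; it reads like a missing `$`, and `if (( nrsaved >= 2 )); then` states the intent plainly. In the same hunk the unquoted `rm $TEMPDIR/level0.crt 2>/dev/null` would split or glob if `$TEMPDIR` ever contained spaces, whereas the new `echo -n > "$TEMPDIR/intermediate.hashes"` line quotes it; `rm "$TEMPDIR/level0.crt" 2>/dev/null` keeps the two consistent. run_hpkp() starts and ends outside this hunk.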
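Review bot: The new `for hpkp_key in $pins; do` in the second hunk relies on word-splitting the unquoted `$pins`, which also subjects each word to pathname expansion, so a pin that is not well-formed base64 (the value appears to come directly from the server's HPKP header) could contain `*` or `?` and be expanded against the current directory before it is ever compared. Keeping the current splitting but disabling globbing is the smallest fix: `set -f` immediately before the loop and `set +f` after its `done`; if the pins are space-separated, `read -r -a pin_list <<<"$pins"` followed by `for hpkp_key in "${pin_list[@]}"; do` is the cleaner form. How `$pins` is populated is outside this hunk, so whether it is already validated cannot be confirmed here.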
@@ -1131,6 +1127,7 @@ run_hpkp() {
 if ! $key_found; then
 # Most likely a backup pin
+ has_backup_pin=true
 out "\n\n$spaces Unmatched key: "
 out "$hpkp_key"
 out "\n$spaces (This is OK for a backup pin of a host cert)"
@@ -1143,6 +1140,11 @@ run_hpkp() {
 pr_svrty_high " No matching key for pins found "
 fileout "hpkp_keymatch" "NOT ok" "None of the HPKP PINS match your host certificate, intermediate CA or known root CAs. You may have bricked this site"
 fi
+
+ if ! $has_backup_pin; then
+ pr_svrty_high " No backup pins found. Loss/compromise of the currently pinned key(s) will lead to bricked site. "
+ fileout "hpkp_backup" "NOT ok" "No backup pins found. Loss/compromise of the currently pinned key(s) will lead to bricked site."
+ fi
 else
 out "--"
 fileout "hpkp" "INFO" "No support for HTTP Public Key Pinning"
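Review bot: `has_backup_pin=true` in the first hunk is set for any pin that matched nothing, without checking that the value is a plausible SHA-256 pin at all, so a mistyped or truncated pin in the header satisfies the new backup-pin check in the second hunk while giving the site no usable backup. A shape check before flagging it keeps the check meaningful: `[[ "$hpkp_key" =~ ^[A-Za-z0-9+/]{43}=?$ ]] && has_backup_pin=true` (the optional `=` mirrors the tolerance for a missing padding character that the host-cert comparison already has). The `if ! $key_found` block ends outside this hunk.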
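Review bot: The new message `Loss/compromise of the currently pinned key(s) will lead to bricked site.` in the second hunk overstates the outcome: RFC 7469 §2.5 requires a UA not to note pins from a policy that lacks a backup pin, so the more likely consequence of a missing backup pin is that pinning is silently not enforced at all rather than a bricked site. Rewording both the `pr_svrty_high` text and the `fileout "hpkp_backup"` text along the lines of `No backup pins found. Browsers ignore a pinning policy without a backup pin (RFC 7469), and pinning only the live key(s) risks a bricked site.` gives the operator the right picture. The `else` branch at the end belongs to an `if` that starts outside the hunk.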
