Re: ARO Security

[Randy Bush <randy () psg com>]

i too get the amsl cert in response to an opelssl cert query with a
bog standard starfield class 2 chain

    % openssl s_client -connect secretariat.nanog.org:443
    CONNECTED(00000003)
    depth=0 /OU=Domain Control Validated/CN=*.amsl.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /OU=Domain Control Validated/CN=*.amsl.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /OU=Domain Control Validated/CN=*.amsl.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/CN=*.amsl.com
       i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, 
Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
     1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, 
Inc./OU=http://certificates.starfieldtech.com/repository/CN=Starfield Secure Certification 
Authority/serialNumber=10688435
       i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
     2 s:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
       i:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGRDCCBSygAwIBAgIJAInJ3xG7x0IgMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD

with chrome, https://secretariat.nanog.org gets me a redirect to
the insecure http://www.nanog.org/ (note lack of 's') via the
tls-failing cert, see above

> let's take the conversation off of nanog to spare the list.

one of the purposes of this list is for us to learn from eachother.  in
this case, techniques for diagnosing tls & cert issues are worth
sharing.  [ sadly, folk with bugs love to redirect discussion off public
media ]

randy