自从我将 Firefox 升级到版本 38 后,我在网站上发送某个表单时遇到了问题https://usercenter.checkpoint.com/网站大部分功能正常,但在开立支持工单时发送表单(URL 见下方日志)会导致 Firefox TLS 协商失败。Firefox 的错误页面几乎没有解释任何内容:
安全连接失败
页面加载时与服务器的连接被重置。
- 无法显示您尝试查看的页面,因为无法验证所接收数据的真实性。
- 请联系网站所有者并告知他们此问题。
报告此错误
报告 usercenter.checkpoint.com 的地址和证书信息将帮助我们识别和阻止恶意网站。感谢您帮助创建更安全的网络!
将来自动报告错误 了解更多…
在里面Web 开发人员控制台我只看到这个:
19:58:44.470 This site makes use of a SHA-1 Certificate; it's recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.1 AjaxCall
19:58:44.589 POST https://usercenter.checkpoint.com/usercenter/portal/js_pane/supportId,CreateServiceRequestId [178ms]
第一行只是警告,将来将不再支持 SHA-1。我是否必须打开某些东西才能查看 TLS 失败的原因?控制台中的 TLS 和证书信息如下:
我没发现有什么问题。出于绝望,我尝试使用 TLS 参数about:config没有成功:
security.tls.insecure_fallback_hosts
security.tls.unrestricted_rc4_fallback
security.tls.version.fallback-limit
security.tls.version.max
security.tls.version.min
Qualy SSL 测试没有显示任何完全错误的内容:https://www.ssllabs.com/ssltest/analyze.html?d=usercenter.checkpoint.com
Red Hat 知识库中有一篇很有前途的文章:Firefox 38 和不兼容 TLS 版本的 SSL/TLS 服务器但该解决方案仅供付费客户使用。
我也检查过了Firefox 38 的站点兼容性。
问题
- 我该如何排查 TLS 失败的原因?
- 在 Firefox 中是否有其他用户可配置的白名单,我可以尝试添加失败网站的地址?
- 只有在发送某个表单后才出现失败,而控制台显示 POST 请求
usercenter.checkpoint.com与上次成功通信到同一个主机,这是什么原因造成的?
答案1
如何解决 Firefox 38 版以后出现的“安全连接失败”问题?
使用openssl s_client。对于这种事情,它是一把瑞士军刀。并用于openssl x509转储证书。
您通常会对{Issuer, Subject}链中的如下对感兴趣:
Certificate chain
0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
注意服务器上的颁发者如何成为下一个更高证书的主体。Gutmann 在他的书中提供了下图来描述这一点工程安全:
在最顶层,CA 根证书是自签名的,颁发机构和主题都相同。如果存在 3 级证书,则为:
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
但你通常不会在链中看到它,因为你必须信任它。信任锚的部分要求是你已经拥有它,以确保它不会被篡改。
使用主题和发行者名称就是利用所谓的专有名称. 形成链条的另一种方法是KEYIDs。有时你会看到它主题密钥标识符(滑雪)授权密钥标识符(AKI)。密钥标识符只是经过摘要的公钥的指纹。
您可以在专有名称在类似的标准中RFC 4514;并使用密钥ID在类似的标准中RFC 4518,它涉及路径构建。
问题似乎出在浏览器上(但请参见下文)。它似乎缺少Class 3 Public Primary Certification Authority指纹a1 db 63 93 91 6f 17 e4 18 55 09 40 04 15 c7 02 40 b0 ae 6b。
当我访问赛门铁克根证书并下载三级公共主要认证机构,我可以建立一个验证路径(请注意Verify return code: 0 (ok)下文)。
您应该下载并安装Class 3 Public Primary Certification Authority在您的浏览器的受信任根存储中。或者确定浏览器为何不使用它来构建路径(见下文)。
Class 3 Public Primary Certification AuthorityMozilla 和 Firefox在博客文章中讨论:逐步淘汰 1024 位 RSA 密钥证书根据帖子,他们从 Firefox 32 开始就弃用了该 CA 证书。我其实并不怪他们,因为这些密钥长期用于 CA 签名操作,而且他们需要“更强大”的参数,因为它们必须存在 10 到 30 年(字面意思)。
Checkpoint 需要获取在具有当代参数的证书(链)下颁发的新服务器证书,例如具有 4096 位 RSA 模数和 SHA-256 的 CA。或者具有 2048 位 RSA 模数和 SHA-256 的下属 CA...
(另请参见下面对我不起作用的内容)。
以下是使用以下命令验证服务器证书的示例三级公共主要认证机构使用 OpenSSL 的s_client:
$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
-servername usercenter.checkpoint.com -CAfile Class-3-Public-Primary-Certification-Authority.pem
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = California, L = San Carlos, O = Check Point Software Technologies Inc., OU = MIS-US, CN = usercenter.checkpoint.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4310 bytes and written 600 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 141BB5DD85FA61CC85E5C8368DED9EB9C7C6427D7F655F8DD778EEB003F9EBE7
Session-ID-ctx:
Master-Key: 84261799D242992FE44D48F39F1A10CFCE5BE60E1A900CC3E6BFFD368DAB68A439287C81DC9510871963EF8E3366FFE3
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1432323605
Timeout : 7200 (sec)
Verify return code: 0 (ok)
我之前说过“从最上面看,CA 根是自签名的,并且发行和主题是相同的”。这是自签名 CA 根的转储,其中主题和颁发者相同。它还显示了 1024 位模数和 sha1WithRSAEncryption。
$ openssl x509 -in Class-3-Public-Primary-Certification-Authority.pem -inform PEM -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Validity
Not Before: Jan 29 00:00:00 1996 GMT
Not After : Aug 2 23:59:59 2028 GMT
Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:c9:5c:59:9e:f2:1b:8a:01:14:b4:10:df:04:40:
db:e3:57:af:6a:45:40:8f:84:0c:0b:d1:33:d9:d9:
11:cf:ee:02:58:1f:25:f7:2a:a8:44:05:aa:ec:03:
1f:78:7f:9e:93:b9:9a:00:aa:23:7d:d6:ac:85:a2:
63:45:c7:72:27:cc:f4:4c:c6:75:71:d2:39:ef:4f:
42:f0:75:df:0a:90:c6:8e:20:6f:98:0f:f8:ac:23:
5f:70:29:36:a4:c9:86:e7:b1:9a:20:cb:53:a5:85:
e7:3d:be:7d:9a:fe:24:45:33:dc:76:15:ed:0f:a2:
71:64:4c:65:2e:81:68:45:a7
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
10:72:52:a9:05:14:19:32:08:41:f0:c5:6b:0a:cc:7e:0f:21:
19:cd:e4:67:dc:5f:a9:1b:e6:ca:e8:73:9d:22:d8:98:6e:73:
03:61:91:c5:7c:b0:45:40:6e:44:9d:8d:b0:b1:96:74:61:2d:
0d:a9:45:d2:a4:92:2a:d6:9a:75:97:6e:3f:53:fd:45:99:60:
1d:a8:2b:4c:f9:5e:a7:09:d8:75:30:d7:d2:65:60:3d:67:d6:
48:55:75:69:3f:91:f5:48:0b:47:69:22:69:82:96:be:c9:c8:
38:86:4a:7a:2c:73:19:48:69:4e:6b:7c:65:bf:0f:fc:70:ce:
88:90
我之前说过“Checkpoint 需要获取在具有当代参数的证书(链)下颁发的新服务器证书,例如具有 4096 位 RSA 模数和 SHA-256 的 CA。或者具有 2048 位 RSA 模数和 SHA-256 的下属 CA...”。
以下是没有对我有用:在更强大的从属 CA 中扎根或锚定信任VeriSign Class 3 Public Primary Certification Authority - G5,而不是较弱的 1024 位根 CA。
编辑:这是由于 OpenSSL 1.0.2a 及以下版本中的一个错误造成的。该问题已在 OpenSSL 1.0.2b 中修复。请参阅当链中的下属被提升为自签名根时,验证的预期行为是什么?
$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
-servername usercenter.checkpoint.com -CAfile VeriSign-Class-3-Public-Primary-Certification-Authority-G5.pem
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4310 bytes and written 600 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 736B3105DB22F2AB0F5D42C8161A8A132BF1E7C37464BB2F0D00058B867332EB
Session-ID-ctx:
Master-Key: BDD5D4951E3FD01C3C456D475EAE6D0D5CE53FBF75B4F6F3D4D186A27B566D75056057D5395F35AE3BA8D20A669212C2
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1432324811
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
实际问题是赛门铁克重新颁发了具有相同名称和相同公钥的证书,因此专有名称,主题密钥标识符和授权密钥标识符 没有改变;但只改变序列号。
由于链中发送的证书与从 Symantec 网站下载的证书的序列号不同,我能够在下面发现这一点。然后很明显,重新颁发的证书已从下属 CA 更改为根 CA。
您可以使用-showcertsOpenSSLs_client查看链中的证书:
$ openssl s_client -connect usercenter.checkpoint.com:443 -tls1 \
-servername usercenter.checkpoint.com -showcerts
CONNECTED(00000003)
...
---
Certificate chain
0 s:/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
MIIFaTCCBFGgAwIBAgIQbDQ79PGfSr9ppjYf2kOh4zANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwMjEx
MDAwMDAwWhcNMTYwMjI1MjM1OTU5WjCBnTELMAkGA1UEBhMCVVMxEzARBgNVBAgT
CkNhbGlmb3JuaWExEzARBgNVBAcUClNhbiBDYXJsb3MxLzAtBgNVBAoUJkNoZWNr
IFBvaW50IFNvZnR3YXJlIFRlY2hub2xvZ2llcyBJbmMuMQ8wDQYDVQQLFAZNSVMt
VVMxIjAgBgNVBAMUGXVzZXJjZW50ZXIuY2hlY2twb2ludC5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDeG4n8NH4KaU/DE4xg2TQNXmKkcslgsqcg
qZbo0QiuHpQTFXF9BbrG3Nv10bNBhe8FWyo1AwJK33PTs0WVeGyMBaVYBIR48C4D
gk+4JPncFWO6eq2eWxzg2yei/xPQwvGNGn0QNcGCUfPZE8Z+KhGUucxGcmlW/lLj
vG0XjCaYkgxUEgOx9rCWYnA5HSmPYYHTT7+lXdlqE4e5QHnRRm4p4iVPRBSAgs94
jtn7wgBf+xg81SqnZ3+gC6ggdd+HDk+PFC/8DsDEFxEJRe/uYhfmMLGZ0Lz9oitc
GIK8rPtylkgVTlNldo2TPsr/zdR43s9gQPpqM0niRQHLcHX83BG3AgMBAAGjggGJ
MIIBhTAkBgNVHREEHTAbghl1c2VyY2VudGVyLmNoZWNrcG9pbnQuY29tMAkGA1Ud
EwQCMAAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBDBgNVHSAEPDA6MDgGCmCGSAGG+EUBBzYwKjAoBggrBgEFBQcCARYcaHR0
cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAfBgNVHSMEGDAWgBQNRFwWU0TBgn4d
IKsl9AFj2L55pTBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vU1ZSU2VjdXJlLUcz
LWNybC52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY3JsMHYGCCsGAQUFBwEBBGow
aDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUF
BzAChjRodHRwOi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2Vj
dXJlRzMuY2VyMA0GCSqGSIb3DQEBBQUAA4IBAQBcO/j4DpV+SAh0xwrrulHW9sg0
ifgntImsZF10gY9P93mRf0rq8OdCeOejx45LZCDc1xgBGov0ehyiShy2pA7rQ93t
hvaMopAnKPi1KPApcwiDNAQ4dI5daUVI1MwvkFZsoxoHvx0IBQOYPgAjSUIE9Q9W
oa6/NqRh2hpZgg550cZhwzh5vbbRieGn6hS8qVCpYYs5N1+39vw+hFNqaTfjyIHF
Aq6UboCNvj28+ZU3U16rxGqu9JQBL/GvaqYXHXhLmXIe63Flv5VSPDA8EcjX7uzo
yt210nEvNhvDBmWA06tX3fYPiZvgf1tzzITVRUZxxZlpUdEuMrcCUB+UFAuO
-----END CERTIFICATE-----
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF7DCCBNSgAwIBAgIQbsx6pacDIAm4zrz06VLUkTANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMTAwMjA4MDAwMDAwWhcNMjAwMjA3MjM1OTU5WjCBtTEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVy
aVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCxh4QfwgxF9byrJZenraI+nLr2wTm4i8rCrFbG
5btljkRPTc5v7QlK1K9OEJxoiy6Ve4mbE8riNDTB81vzSXtig0iBdNGIeGwCU/m8
f0MmV1gzgzszChew0E6RJK2GfWQS3HRKNKEdCuqWHQsV/KNLO85jiND4LQyUhhDK
tpo9yus3nABINYYpUHjoRWPNGUFP9ZXse5jUxHGzUL4os4+guVOc9cosI6n9FAbo
GLSa6Dxugf3kzTU2s1HTaewSulZub5tXxYsU5w7HnO1KVGrJTcW/EbGuHGeBy0RV
M5l/JJs/U0V/hhrzPPptf4H1uErT9YU3HLWm0AnkGHs4TvoPAgMBAAGjggHfMIIB
2zA0BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTASBgNVHRMBAf8ECDAGAQH/AgEAMHAGA1UdIARpMGcwZQYLYIZIAYb4
RQEHFwMwVjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2Nw
czAqBggrBgEFBQcCAjAeGhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMDQG
A1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUu
Y3JsMA4GA1UdDwEB/wQEAwIBBjBtBggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglp
bWFnZS9naWYwITAfMAcGBSsOAwIaBBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNo
dHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvLmdpZjAoBgNVHREEITAfpB0w
GzEZMBcGA1UEAxMQVmVyaVNpZ25NUEtJLTItNjAdBgNVHQ4EFgQUDURcFlNEwYJ+
HSCrJfQBY9i+eaUwHwYDVR0jBBgwFoAUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwDQYJ
KoZIhvcNAQEFBQADggEBAAyDJO/dwwzZWJz+NrbrioBL0aP3nfPMU++CnqOh5pfB
WJ11bOAdG0z60cEtBcDqbrIicFXZIDNAMwfCZYP6j0M3m+oOmmxw7vacgDvZN/R6
bezQGH1JSsqZxxkoor7YdyT3hSaGbYcFQEFn0Sc67dxIHSLNCwuLvPSxe/20majp
dirhGi2HbnTTiN0eIsbfFrYrghQKlFzyUOyvzv9iNw2tZdMGQVPtAhTItVgooazg
W+yzf5VK+wPIrSbb5mZ4EkrZn0L74ZjmQoObj49nJOhhGbXdzbULJgWOw27EyHW4
Rs/iGAZeqa6ogZpHFt4MKGwlJ7net4RYxh84HqTEy2Y=
-----END CERTIFICATE-----
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIE0DCCBDmgAwIBAgIQJQzo4DBhLp8rifcFTXz4/TANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggGbMIIBlzAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjA9
BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVy
aXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMwbQYI
KwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQU
j+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29t
L3ZzbG9nby5naWYwNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC52ZXJpc2lnbi5jb20wPgYDVR0lBDcwNQYIKwYBBQUHAwEGCCsGAQUFBwMC
BggrBgEFBQcDAwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBMA0GCSqGSIb3DQEBBQUA
A4GBABMC3fjohgDyWvj4IAxZiGIHzs73Tvm7WaGY5eE43U68ZhjTresY8g3JbT5K
lCDDPLq9ZVTGr0SzEK0saz6r1we2uIFjxfleLuUqZ87NMwwq14lWAyMfs77oOghZ
tOxFNfeKW/9mz1Cvxm1XjRl4t7mi0VfqH5pLr7rJjhJ+xr3/
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=San Carlos/O=Check Point Software Technologies Inc./OU=MIS-US/CN=usercenter.checkpoint.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
...
我通常接下来会将证书链中的 PEM 编码证书复制到剪贴板,然后将其pbpaste粘贴到终端中并通过管道传输到 OpenSSL 的x509。例如,以下是VeriSign Class 3 Public Primary Certification Authority - G5作为证书链的一部分发送的 Level 2 证书:
$ pbpaste | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
...
答案2
通过在地址栏中输入 about:config,然后选择“我会小心的,我保证!”按钮即可解决此问题。此时双击 security.tls.insecure_fallback_hosts 选项,然后添加您要访问的地址。
我必须从我的地址中删除“https:\”(加上两个反斜杠,超级用户删除了我的第二个反斜杠)才能使其正常工作,但您的结果可能会有所不同,所以也许可以尝试两者。
从 Firefox 版本 43.0.1 开始这是准确的。
答案3
(来自其他答案)在这种情况下,赛门铁克需要修复其损坏的根证书页面或在选择 VeriSign Class 3 Public Primary Certification Authority - G5 时提供正确的证书供下载。
如果你看VeriSign 3 级公共主要认证机构 - G5链中提供openssl s_client ... -showcerts的VeriSign 3 级公共主要认证机构 - G5可供下载后,您会发现它们是不同的证书。因此,Verisign 重新颁发了具有相同专有名称和主题公钥的证书。
链式版本VeriSign 3 级公共主要认证机构 - G5具有以下序列号,并且不是自签名(请注意主题和发行者不同):
$ pbpaste | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
25:0c:e8:e0:30:61:2e:9f:2b:89:f7:05:4d:7c:f8:fd
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Nov 7 23:59:59 2021 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
...
下载的版本来自赛门铁克根证书的VeriSign 3 级公共主要认证机构 - G5 具有以下序列号,并且是自签名(注意主题和发行者是相同的):
$ openssl x509 -in VeriSign-Class-3-Public-Primary-Certification-Authority-G5.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Validity
Not Before: Nov 8 00:00:00 2006 GMT
Not After : Jul 16 23:59:59 2036 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
...
这里实际上只有一个解决方法。
检查站应停止发送旧版 VeriSign 3 级公共主要认证机构 - G5链中的从属者。
这是因为在实践中,那些验证路径和选择证书的人会感到困惑,因为旧G5证书和新的G5证书太相似了。它们太相似了,因为它们使用了相同的专有名称和相同主题密钥标识符/授权密钥标识符。
理论上,你可以提取旧G5证书从服务器发送的链中取出并放入 Mozilla Trust Store。但我强烈怀疑这会混淆试图建立路径的用户代理,因为唯一改变的就是序列号。
要理解这种混淆,请查看RFC 4158以及如何选择证书。一种方法是{Distinguished Name, Serial Number}元组。但正在验证证书才不是包括发行人的序列号。它只包括专有名称和授权密钥标识符。
第 3.5.12 节匹配密钥标识符 (KID) 确实规定:
如果当前证书在 AKID 中表达了颁发者名称和序列号,则与这两个标识符匹配的证书具有最高优先级。
但这不是必需的,而且 Symantec 提供的盗版软件中也没有。要亲眼看到它,请转储链中发送的 1 级中间体。它被称为VeriSign 3 级安全服务器 CA - G3。请注意,它有一个授权密钥标识符, 但不是序列号:
$ pbpaste | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
6e:cc:7a:a5:a7:03:20:09:b8:ce:bc:f4:e9:52:d4:91
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5
Validity
Not Before: Feb 8 00:00:00 2010 GMT
Not After : Feb 7 23:59:59 2020 GMT
Subject: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b1:87:84:1f:c2:0c:45:f5:bc:ab:25:97:a7:ad:
a2:3e:9c:ba:f6:c1:39:b8:8b:ca:c2:ac:56:c6:e5:
bb:65:8e:44:4f:4d:ce:6f:ed:09:4a:d4:af:4e:10:
9c:68:8b:2e:95:7b:89:9b:13:ca:e2:34:34:c1:f3:
5b:f3:49:7b:62:83:48:81:74:d1:88:78:6c:02:53:
f9:bc:7f:43:26:57:58:33:83:3b:33:0a:17:b0:d0:
4e:91:24:ad:86:7d:64:12:dc:74:4a:34:a1:1d:0a:
ea:96:1d:0b:15:fc:a3:4b:3b:ce:63:88:d0:f8:2d:
0c:94:86:10:ca:b6:9a:3d:ca:eb:37:9c:00:48:35:
86:29:50:78:e8:45:63:cd:19:41:4f:f5:95:ec:7b:
98:d4:c4:71:b3:50:be:28:b3:8f:a0:b9:53:9c:f5:
ca:2c:23:a9:fd:14:06:e8:18:b4:9a:e8:3c:6e:81:
fd:e4:cd:35:36:b3:51:d3:69:ec:12:ba:56:6e:6f:
9b:57:c5:8b:14:e7:0e:c7:9c:ed:4a:54:6a:c9:4d:
c5:bf:11:b1:ae:1c:67:81:cb:44:55:33:99:7f:24:
9b:3f:53:45:7f:86:1a:f3:3c:fa:6d:7f:81:f5:b8:
4a:d3:f5:85:37:1c:b5:a6:d0:09:e4:18:7b:38:4e:
fa:0f
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
OCSP - URI:http://ocsp.verisign.com
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.23.3
CPS: https://www.verisign.com/cps
User Notice:
Explicit Text: https://www.verisign.com/rpa
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.verisign.com/pca3-g5.crl
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
1.3.6.1.5.5.7.1.12:
0_.].[0Y0W0U..image/gif0!0.0...+..............k...j.H.,{..0%.#http://logo.verisign.com/vslogo.gif
X509v3 Subject Alternative Name:
DirName:/CN=VeriSignMPKI-2-6
X509v3 Subject Key Identifier:
0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5
X509v3 Authority Key Identifier:
keyid:7F:D3:65:A7:C2:DD:EC:BB:F0:30:09:F3:43:39:FA:02:AF:33:31:33
Signature Algorithm: sha1WithRSAEncryption
0c:83:24:ef:dd:c3:0c:d9:58:9c:fe:36:b6:eb:8a:80:4b:d1:
a3:f7:9d:f3:cc:53:ef:82:9e:a3:a1:e6:97:c1:58:9d:75:6c:
e0:1d:1b:4c:fa:d1:c1:2d:05:c0:ea:6e:b2:22:70:55:d9:20:
33:40:33:07:c2:65:83:fa:8f:43:37:9b:ea:0e:9a:6c:70:ee:
f6:9c:80:3b:d9:37:f4:7a:6d:ec:d0:18:7d:49:4a:ca:99:c7:
19:28:a2:be:d8:77:24:f7:85:26:86:6d:87:05:40:41:67:d1:
27:3a:ed:dc:48:1d:22:cd:0b:0b:8b:bc:f4:b1:7b:fd:b4:99:
a8:e9:76:2a:e1:1a:2d:87:6e:74:d3:88:dd:1e:22:c6:df:16:
b6:2b:82:14:0a:94:5c:f2:50:ec:af:ce:ff:62:37:0d:ad:65:
d3:06:41:53:ed:02:14:c8:b5:58:28:a1:ac:e0:5b:ec:b3:7f:
95:4a:fb:03:c8:ad:26:db:e6:66:78:12:4a:d9:9f:42:fb:e1:
98:e6:42:83:9b:8f:8f:67:24:e8:61:19:b5:dd:cd:b5:0b:26:
05:8e:c3:6e:c4:c8:75:b8:46:cf:e2:18:06:5e:a9:ae:a8:81:
9a:47:16:de:0c:28:6c:25:27:b9:de:b7:84:58:c6:1f:38:1e:
a4:c4:cb:66