void ssl_excert_free(SSL_EXCERT *exc);
int args_excert(int option, SSL_EXCERT **pexc);
int load_excert(SSL_EXCERT **pexc);
+void print_verify_detail(SSL *s, BIO *bio);
void print_ssl_summary(SSL *s);
#ifdef HEADER_SSL_H
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
if (verify_depth >= depth) {
if (!verify_return_error)
ok = 1;
- verify_error = X509_V_OK;
+ verify_error = err;
} else {
ok = 0;
verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
BIO_puts(bio_err, "\n");
}
+/*
+ * Hex encoder for TLSA RRdata, not ':' delimited.
+ */
+static char *hexencode(const unsigned char *data, size_t len)
+{
+ static const char *hex = "0123456789abcdef";
+ char *out;
+ char *cp;
+ size_t outlen = 2 * len + 1;
+ int ilen = (int) outlen;
+
+ if (outlen < len || ilen < 0 || outlen != (size_t)ilen) {
+ BIO_printf(bio_err, "%s: %" PRIu64 "-byte buffer too large to hexencode\n",
+ opt_getprog(), (uint64_t)len);
+ exit(1);
+ }
+ cp = out = app_malloc(ilen, "TLSA hex data buffer");
+
+ while (ilen-- > 0) {
+ *cp++ = hex[(*data >> 4) & 0x0f];
+ *cp++ = hex[*data++ & 0x0f];
+ }
+ *cp = '\0';
+ return out;
+}
+
+void print_verify_detail(SSL *s, BIO *bio)
+{
+ int mdpth;
+ EVP_PKEY *mspki;
+ long verify_err = SSL_get_verify_result(s);
+
+ if (verify_err == X509_V_OK) {
+ const char *peername = SSL_get0_peername(s);
+
+ BIO_printf(bio, "Verification: OK\n");
+ if (peername != NULL)
+ BIO_printf(bio, "Verified peername: %s\n", peername);
+ } else {
+ const char *reason = X509_verify_cert_error_string(verify_err);
+
+ BIO_printf(bio, "Verification error: %s\n", reason);
+ }
+
+ if ((mdpth = SSL_get0_dane_authority(s, NULL, &mspki)) >= 0) {
+ uint8_t usage, selector, mtype;
+ const unsigned char *data = NULL;
+ size_t dlen = 0;
+ char *hexdata;
+
+ mdpth = SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, &data, &dlen);
+
+ /*
+ * The TLSA data field can be quite long when it is a certificate,
+ * public key or even a SHA2-512 digest. Because the initial octets of
+ * ASN.1 certificates and public keys contain mostly boilerplate OIDs
+ * and lengths, we show the last 12 bytes of the data instead, as these
+ * are more likely to distinguish distinct TLSA records.
+ */
+#define TLSA_TAIL_SIZE 12
+ if (dlen > TLSA_TAIL_SIZE)
+ hexdata = hexencode(data + dlen - TLSA_TAIL_SIZE, TLSA_TAIL_SIZE);
+ else
+ hexdata = hexencode(data, dlen);
+ BIO_printf(bio, "DANE TLSA %d %d %d %s%s %s at depth %d\n",
+ usage, selector, mtype,
+ (dlen > TLSA_TAIL_SIZE) ? "..." : "", hexdata,
+ (mspki != NULL) ? "signed the certificate" :
+ mdpth ? "matched TA certificate" : "matched EE certificate",
+ mdpth);
+ OPENSSL_free(hexdata);
+ }
+}
+
void print_ssl_summary(SSL *s)
{
const SSL_CIPHER *c;
peer = SSL_get_peer_certificate(s);
if (peer) {
int nid;
+
BIO_puts(bio_err, "Peer certificate: ");
X509_NAME_print_ex(bio_err, X509_get_subject_name(peer),
0, XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n");
if (SSL_get_peer_signature_nid(s, &nid))
BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid));
+ print_verify_detail(s, bio_err);
} else
BIO_puts(bio_err, "No peer certificate\n");
X509_free(peer);
const SSL_CIPHER *c;
X509_NAME *xn;
int i;
- int mdpth;
- EVP_PKEY *mspki;
- const char *peername;
#ifndef OPENSSL_NO_COMP
const COMP_METHOD *comp, *expansion;
#endif
BIO_number_read(SSL_get_rbio(s)),
BIO_number_written(SSL_get_wbio(s)));
}
- if ((mdpth = SSL_get0_dane_authority(s, NULL, &mspki)) >= 0) {
- uint8_t usage, selector, mtype;
- mdpth = SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, NULL, NULL);
- BIO_printf(bio, "DANE TLSA %d %d %d %s at depth %d\n",
- usage, selector, mtype,
- (mspki != NULL) ? "TA public key verified certificate" :
- mdpth ? "matched TA certificate" : "matched EE certificate",
- mdpth);
- }
- if (SSL_get_verify_result(s) == X509_V_OK &&
- (peername = SSL_get0_peername(s)) != NULL)
- BIO_printf(bio, "Verified peername: %s\n", peername);
+ print_verify_detail(s, bio);
BIO_printf(bio, (SSL_session_reused(s) ? "---\nReused, " : "---\nNew, "));
c = SSL_get_current_cipher(s);
BIO_printf(bio, "%s, Cipher is %s\n",
const char *X509_verify_cert_error_string(long n)
{
- static char buf[100];
-
switch ((int)n) {
case X509_V_OK:
return ("ok");
+ case X509_V_ERR_UNSPECIFIED:
+ return ("unspecified certificate verification error");
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
return ("unable to get issuer certificate");
case X509_V_ERR_UNABLE_TO_GET_CRL:
return ("Email address mismatch");
case X509_V_ERR_IP_ADDRESS_MISMATCH:
return ("IP address mismatch");
+ case X509_V_ERR_DANE_NO_MATCH:
+ return ("No matching DANE TLSA records");
default:
- BIO_snprintf(buf, sizeof buf, "error number %ld", n);
- return (buf);
+ /* Printing an error number into a static buffer is not thread-safe */
+ return ("unknown certificate verification error");
}
}
X509_verify(cert, t->spki) <= 0)
continue;
- /* Clear PKIX-?? matches that failed to panned out to a full chain */
+ /* Clear any PKIX-?? matches that failed to extend to a full chain */
X509_free(dane->mcert);
dane->mcert = NULL;
return 0;
ctx->current_cert = cert;
ctx->error_depth = 0;
- ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+ ctx->error = X509_V_ERR_DANE_NO_MATCH;
return ctx->verify_cb(0, ctx);
}
ctx->error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
else if (DANETLS_ENABLED(dane) &&
(!DANETLS_HAS_PKIX(dane) || dane->pdpth >= 0))
- ctx->error = X509_V_ERR_CERT_UNTRUSTED;
+ ctx->error = X509_V_ERR_DANE_NO_MATCH;
else if (ss && sk_X509_num(ctx->chain) == 1)
ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
else if (ss)
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
else
ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
- if (DANETLS_ENABLED(dane))
- dane_reset(dane);
return ctx->verify_cb(0, ctx);
}
}
data, with the last of these encoded in hexadecimal. Optional
whitespace is ignored in the associated data field. For example:
- $ openssl s_client -starttls smtp -connect smtp.example.com:25 \
+ $ openssl s_client -brief -starttls smtp \
+ -connect smtp.example.com:25 \
-dane_tlsa_domain smtp.example.com \
-dane_tlsa_rrdata "2 1 1
B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E 02CF362B" \
-dane_tlsa_rrdata "2 1 1
60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18"
- CONNECTED(00000003)
...
- DANE TLSA 2 1 1 matched TA certificate at depth 1
+ Verification: OK
Verified peername: smtp.example.com
- ...
- Verify return code: 0 (ok)
+ DANE TLSA 2 1 1 ...ee12d2cc90180517616e8a18 matched TA certificate at depth 1
...
=item B<-attime>, B<-check_ss_sig>, B<-crl_check>, B<-crl_check_all>,
The return value is negative if DANE verification failed (or was not enabled),
0 if an EE TLSA record directly matched the leaf certificate, or a positive
number indicating the depth at which a TA record matched an issuer certificate.
+The complete verified chain can be retrieved via L<SSL_get0_verified_chain(3)>.
+The return value is an index into this verified chain, rather than the list of
+certificates sent by the peer as returned by L<SSL_get_peer_cert_chain(3)>.
If the B<mcert> argument is not B<NULL> and a TLSA record matched a chain
certificate, a pointer to the matching certificate is returned via B<mcert>.
SSL_set_verify(ssl, SSL_VERIFY_NONE, cb);
}
+ /*
+ * Load any saved session for resumption, making sure that the previous
+ * session applied the same security and authentication requirements that
+ * would be expected of a fresh connection.
+ */
+
/* Perform SSL_connect() handshake and handle errors here */
- if (SSL_get_verify_result(ssl) == X509_V_OK) {
+ if (SSL_session_resumed(ssl)) {
+ if (SSL_get_verify_result(ssl) == X509_V_OK) {
+ /*
+ * Resumed session was originally verified, this connection is
+ * authenticated.
+ */
+ } else {
+ /*
+ * Resumed session was not originally verified, this connection is not
+ * authenticated.
+ */
+ }
+ } else if (SSL_get_verify_result(ssl) == X509_V_OK) {
const char *peername = SSL_get0_peername(ssl);
EVP_PKEY *mspki = NULL;
L<SSL_set_tlsext_host_name(3)>,
L<SSL_set_verify(3)>,
L<SSL_CTX_set_cert_verify_callback(3)>,
-L<X509_verify_cert(3)>,
+L<SSL_get0_verified_chain(3)>,
+L<SSL_get_peer_cert_chain(3)>,
+L<SSL_get_verify_result(3)>,
L<SSL_connect(3)>,
L<SSL_get0_peername(3)>,
-L<EVP_get_digestbyname(3)>,
+L<X509_verify_cert(3)>,
L<X509_up_ref(3)>,
L<X509_free(3)>,
+L<EVP_get_digestbyname(3)>,
L<EVP_PKEY_up_ref(3)>,
L<EVP_PKEY_free(3)>
# define X509_V_ERR_HOSTNAME_MISMATCH 62
# define X509_V_ERR_EMAIL_MISMATCH 63
# define X509_V_ERR_IP_ADDRESS_MISMATCH 64
+/* DANE TLSA errors */
+# define X509_V_ERR_DANE_NO_MATCH 65
/* The application is not happy */
# define X509_V_ERR_APPLICATION_VERIFICATION 50
{
struct dane_st *dane = &s->dane;
- if (!DANETLS_ENABLED(dane))
+ if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
return -1;
if (dane->mtlsa) {
if (mcert)
{
struct dane_st *dane = &s->dane;
- if (!DANETLS_ENABLED(dane))
+ if (!DANETLS_ENABLED(dane) || s->verify_result != X509_V_OK)
return -1;
if (dane->mtlsa) {
if (usage)
args=(-algorithm "$alg")
case $alg in
rsa) args=("${args[@]}" -pkeyopt rsa_keygen_bits:$bits );;
- ecdsa) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
+ ec) args=("${args[@]}" -pkeyopt "ec_paramgen_curve:$bits")
args=("${args[@]}" -pkeyopt ec_param_enc:named_curve);;
*) printf "Unsupported key algorithm: %s\n" "$alg" >&2; return 1;;
esac
ok = verify_chain(ssl, chain);
sk_X509_pop_free(chain, X509_free);
err = SSL_get_verify_result(ssl);
+ /*
+ * Peek under the hood, normally TLSA match data is hidden when
+ * verification fails, we can obtain any suppressed data by setting the
+ * verification result to X509_V_OK before looking.
+ */
+ SSL_set_verify_result(ssl, X509_V_OK);
mdpth = SSL_get0_dane_authority(ssl, NULL, NULL);
+ /* Not needed any more, but lead by example and put the error back. */
+ SSL_set_verify_result(ssl, err);
SSL_free(ssl);
if (ok < 0) {
-----END CERTIFICATE-----
# 5
-1 1 27 -1
+1 1 65 -1
3 0 1 588FD5F414E3327EAFE3169DC040AE161247D1296BF38304AB9CF464850A1366
subject=
issuer=
-----END CERTIFICATE-----
# 6
-1 1 27 -1
+1 1 65 -1
3 1 1 05C66146D7909EAE2379825F6D0F5284146B79598DA12E403DC29C33147CF33F
subject=
issuer=
-----END CERTIFICATE-----
# 7
-1 1 27 -1
+1 1 65 -1
3 0 2 42BEE929852C8063A0D619B53D0DD35703BBAD2FC25F2055F737C7A14DDFEA544491F8C00F50FA083BD0AD1B5C98529994FF811BBA5E5170CC6EE9F3ED5563E2
subject=
issuer=
-----END CERTIFICATE-----
# 8
-1 1 27 -1
+1 1 65 -1
3 1 2 D91A3E5DC34879CD77AD1E989F56FA78FACADF05EF8D445EDF5652BD58EE392C87C02F84C0119D62309041F2D5128A73399DF25D1F47BCD497357EAF1A1009A4
subject=
issuer=
# 33
# Missing intermediate CA
-1 1 20 -1
+1 1 20 0
1 0 1 BEDC04764CECAE80AEE454D332758F50847DCA424216466E4012E0DEAE1F2E5F
subject= /CN=example.com
issuer= /CN=Issuer CA
# 35
# Wrong leaf digest
-1 3 27 -1
+1 3 65 -1
1 0 2 F756CCD61F3CA50D017653911701CA0052AF0B29E273DD263DD23643D86D4369D03686BD1369EF54BB2DC2DAE3CE4F05AF39D54648F94D54AA86B259AEAD9924
subject= /CN=example.com
issuer= /CN=Issuer CA
# 36
# Wrong intermediate digest
-1 2 27 -1
+1 2 65 -1
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBE
subject= /CN=example.com
issuer= /CN=Issuer CA
# 37
# Wrong root digest
-1 2 27 -1
+1 2 65 -1
0 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3D
subject= /CN=example.com
issuer= /CN=Issuer CA
## -- Mixed usage cases
# 38
-# DANE-EE beats DANE-TA
+# DANE-EE(3) beats DANE-TA(2)
1 3 0 0
3 1 2 CB861AF6DDED185EE04472A9092052CCC735120C34785E72C996C94B122EBA6F329BE630B1B4C6E2756E7A75392C21E253C6AEACC31FD45FF4595DED375FAF62
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
-----END CERTIFICATE-----
# 39
-# DANE-TA depth 1 beats DANE-TA depth 2
+# DANE-TA(2) depth 1 beats DANE-TA(2) depth 2
1 3 0 1
2 1 2 1F484106F765B6F1AC483CC509CDAD36486A83D1BA115F562516F407C1109303658408B455824DA0785A252B205DBEECB1AFB5DB869E8AAC242091B63F258F05
2 1 2 5F414D4D7BFDF22E39952D9F46C51370FDD050F10C55B4CDB42E40FA98611FDE23EEE9B23315EE1ECDB198C7419E9A2D6742860E4806AF45164507799C3B452E
-----END CERTIFICATE-----
# 40
-# DANE-TA depth 2 beats PKIX-TA depth 1
+# DANE-TA(2) depth 2 beats PKIX-TA(0) depth 1
1 3 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
-----END CERTIFICATE-----
# 41
-# DANE-TA depth 2 beats PKIX-EE depth 0
+# DANE-TA(2) depth 2 beats PKIX-EE depth 0
1 3 0 2
2 0 1 FE7C8E01110627A782765E468D8CB4D2CC7907EAC4BA5974CD92B540ED2AAC3C
0 0 1 0DAA76425A1FC398C55A643D5A2485AE4CC2B64B9515A75054722B2E83C31BBD
-----END CERTIFICATE-----
# 42
-# DANE-TA Full(0) root "from DNS":
+# DANE-TA(2) Full(0) root "from DNS":
1 2 0 2
2 0 0 308201643082010BA003020102020101300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233313330385A180F33303135303431353233313330385A30123110300E06035504030C07526F6F742043413059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76CA350304E301D0603551D0E04160414E4BD405F052A820DDF9883F93D7D3F90AAEC723F301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D040302034700304402206869E6AA9F9B4D4BF308091A5A7AB2C30E3619B0D75E528819468E4BB926F4C9022017F1B8458611966FBC109CAED3582966BF25FC0598EABA6C793C58DCC3537CC5
subject= /CN=example.com
-----END CERTIFICATE-----
# 43
-# DANE-TA Full(0) intermediate "from DNS":
+# DANE-TA(2) Full(0) intermediate "from DNS":
1 1 0 1
2 0 0 308201683082010DA003020102020102300A06082A8648CE3D04030230123110300E06035504030C07526F6F742043413020170D3135313231333233323030395A180F33303135303431353233323030395A30143112301006035504030C094973737565722043413059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AFA350304E301D0603551D0E041604147AB75A3CD295CA5DF7C5150916E18FF5CC376A15301F0603551D23041830168014E4BD405F052A820DDF9883F93D7D3F90AAEC723F300C0603551D13040530030101FF300A06082A8648CE3D0403020349003046022100831DCD882DA8785D50E41020898C0248879DDDF72D701D1DC1DE6BE08155B43E022100B84B2FB519C4CD3CBC791603D4488F7707597DB7980D9C173E7FDD0ECD7CA308
subject= /CN=example.com
-----END CERTIFICATE-----
# 44
-# DANE-TA(3) SPKI(1) Full(0) intermediate "from DNS":
+# DANE-TA(2) SPKI(1) Full(0) intermediate "from DNS":
1 1 0 0
2 1 0 3059301306072A8648CE3D020106082A8648CE3D030107034200047D4BAE18B49F5DC69D0A3C85C66A3E2119DE92CFAD081FAD55C12D510EC97B6C00E13695A8D9713548FE60DF15573390433E2A1BD92DB4B7AA016EC6185DC5AF
subject= /CN=example.com
-----END CERTIFICATE-----
# 45
-# DANE-TA(3) SPKI(1) Full(0) root "from DNS":
+# DANE-TA(2) SPKI(1) Full(0) root "from DNS":
1 2 0 1
2 1 0 3059301306072A8648CE3D020106082A8648CE3D03010703420004D1DA578FD18FB86456B0D91B5656BDD68D4DDBD250E337571127C75E0560F41D0AF91BFAF8805F80C28C026A14D4FE8C30A9673B9EC0C05A84AA810D1341B76C
subject= /CN=example.com
GcTNPLx5FgPUSI93B1l9t5gNnBc+f90OzXyjCA==
-----END CERTIFICATE-----
+# 46
+# Mismatched name "example.org", should still succeed given a
+# DANE-EE(3) match.
+1 3 0 0
+3 1 1 ee1477190203f5d8b4767f4451b89e7367cdec7f6965a4988227983562ac8270
+subject= CN = example.org
+issuer= CN = CA2
+notBefore=Feb 6 22:39:47 2016 GMT
+notAfter=Feb 7 22:39:47 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBkDCCATWgAwIBAgIBAjAKBggqhkjOPQQDAjAOMQwwCgYDVQQDDANDQTIwIBcN
+MTYwMjA2MjIzOTQ3WhgPMjExNjAyMDcyMjM5NDdaMBYxFDASBgNVBAMMC2V4YW1w
+bGUub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/YCEn0pxClPTvpjioxU4
+ajopRa4j/6XTqxy9zqn1AcMCiVWp6j22B6RpLmKEHoRHQxFzebd2juTXIDq81CID
+z6N6MHgwHQYDVR0OBBYEFOrSA+2YKXa5KR6k0687CZuhai5OMB8GA1UdIwQYMBaA
+FLTY4vqgjcQ01aCcB8AYVbUhEU7VMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwCgYIKoZIzj0EAwIDSQAwRgIh
+AKSsLwlidPiSrgda6XWihov4D4KHu6ZX3ZAAZ2uiBAefAiEArCq5WiO3Zeunl0Ct
+PyDiaL1QKbJ7lnqPQCS1o8xn+RI=
+-----END CERTIFICATE-----
+subject= CN = CA2
+issuer= CN = Root CA2
+notBefore=Feb 6 22:39:13 2016 GMT
+notAfter=Feb 7 22:39:13 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBYjCCAQigAwIBAgIBAjAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
+MjAgFw0xNjAyMDYyMjM5MTNaGA8yMTE2MDIwNzIyMzkxM1owDjEMMAoGA1UEAwwD
+Q0EyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYr6zgBxpsxA31IFiGyb6uaGC
+CQdNMyJfDgqCihsU1eOEuauzXO7tydCbjfRmhqQK1EGd254IjcGY+37tZEbvPKNQ
+ME4wHQYDVR0OBBYEFLTY4vqgjcQ01aCcB8AYVbUhEU7VMB8GA1UdIwQYMBaAFBRb
++/qrntsksembakoZTwTZk8AXMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSAAw
+RQIgX2fmMykyiuryf1AeKyc1j8HgmM8u/nyQfJnTCwvYUcECIQC6JHd3ybV9eJQo
+7sfr/jV+rRlZY2iaRv160BWYd82L7g==
+-----END CERTIFICATE-----
+subject= CN = Root CA2
+issuer= CN = Root CA2
+notBefore=Feb 6 22:38:48 2016 GMT
+notAfter=Feb 7 22:38:48 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBATAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
+MjAgFw0xNjAyMDYyMjM4NDhaGA8yMTE2MDIwNzIyMzg0OFowEzERMA8GA1UEAwwI
+Um9vdCBDQTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATlTxAPKteg+L1LmxMl
+sbAFMxj6/322nR5RRGeF07KZRBFPaFZLgwZ1DuNrwM3wxxNdUyoZ6iAyDmwNf3K1
+42/Uo1AwTjAdBgNVHQ4EFgQUFFv7+que2ySx6ZtqShlPBNmTwBcwHwYDVR0jBBgw
+FoAUFFv7+que2ySx6ZtqShlPBNmTwBcwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
+fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
+-----END CERTIFICATE-----
+
+# 47
+# Mismatched name "example.org", should fail despite a DANE-TA(2)
+# match for the intermediate CA.
+1 3 62 1
+2 1 1 946af0956378efaba7ee1bbedc17af110ea8de19c079a98e77398724a3708a1f
+subject= CN = example.org
+issuer= CN = CA2
+notBefore=Feb 6 22:39:47 2016 GMT
+notAfter=Feb 7 22:39:47 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBkDCCATWgAwIBAgIBAjAKBggqhkjOPQQDAjAOMQwwCgYDVQQDDANDQTIwIBcN
+MTYwMjA2MjIzOTQ3WhgPMjExNjAyMDcyMjM5NDdaMBYxFDASBgNVBAMMC2V4YW1w
+bGUub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/YCEn0pxClPTvpjioxU4
+ajopRa4j/6XTqxy9zqn1AcMCiVWp6j22B6RpLmKEHoRHQxFzebd2juTXIDq81CID
+z6N6MHgwHQYDVR0OBBYEFOrSA+2YKXa5KR6k0687CZuhai5OMB8GA1UdIwQYMBaA
+FLTY4vqgjcQ01aCcB8AYVbUhEU7VMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwCgYIKoZIzj0EAwIDSQAwRgIh
+AKSsLwlidPiSrgda6XWihov4D4KHu6ZX3ZAAZ2uiBAefAiEArCq5WiO3Zeunl0Ct
+PyDiaL1QKbJ7lnqPQCS1o8xn+RI=
+-----END CERTIFICATE-----
+subject= CN = CA2
+issuer= CN = Root CA2
+notBefore=Feb 6 22:39:13 2016 GMT
+notAfter=Feb 7 22:39:13 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBYjCCAQigAwIBAgIBAjAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
+MjAgFw0xNjAyMDYyMjM5MTNaGA8yMTE2MDIwNzIyMzkxM1owDjEMMAoGA1UEAwwD
+Q0EyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYr6zgBxpsxA31IFiGyb6uaGC
+CQdNMyJfDgqCihsU1eOEuauzXO7tydCbjfRmhqQK1EGd254IjcGY+37tZEbvPKNQ
+ME4wHQYDVR0OBBYEFLTY4vqgjcQ01aCcB8AYVbUhEU7VMB8GA1UdIwQYMBaAFBRb
++/qrntsksembakoZTwTZk8AXMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSAAw
+RQIgX2fmMykyiuryf1AeKyc1j8HgmM8u/nyQfJnTCwvYUcECIQC6JHd3ybV9eJQo
+7sfr/jV+rRlZY2iaRv160BWYd82L7g==
+-----END CERTIFICATE-----
+subject= CN = Root CA2
+issuer= CN = Root CA2
+notBefore=Feb 6 22:38:48 2016 GMT
+notAfter=Feb 7 22:38:48 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBATAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
+MjAgFw0xNjAyMDYyMjM4NDhaGA8yMTE2MDIwNzIyMzg0OFowEzERMA8GA1UEAwwI
+Um9vdCBDQTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATlTxAPKteg+L1LmxMl
+sbAFMxj6/322nR5RRGeF07KZRBFPaFZLgwZ1DuNrwM3wxxNdUyoZ6iAyDmwNf3K1
+42/Uo1AwTjAdBgNVHQ4EFgQUFFv7+que2ySx6ZtqShlPBNmTwBcwHwYDVR0jBBgw
+FoAUFFv7+que2ySx6ZtqShlPBNmTwBcwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
+fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
+-----END CERTIFICATE-----
+
+# 48
+# Mismatched name "example.org", should fail despite a DANE-TA(2)
+# match for the root CA.
+1 3 62 2
+2 1 1 34474f2fbc39da44dfbd11215bdafadf9507406c04de1f65dbd2a1bc4f2165cc
+subject= CN = example.org
+issuer= CN = CA2
+notBefore=Feb 6 22:39:47 2016 GMT
+notAfter=Feb 7 22:39:47 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBkDCCATWgAwIBAgIBAjAKBggqhkjOPQQDAjAOMQwwCgYDVQQDDANDQTIwIBcN
+MTYwMjA2MjIzOTQ3WhgPMjExNjAyMDcyMjM5NDdaMBYxFDASBgNVBAMMC2V4YW1w
+bGUub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/YCEn0pxClPTvpjioxU4
+ajopRa4j/6XTqxy9zqn1AcMCiVWp6j22B6RpLmKEHoRHQxFzebd2juTXIDq81CID
+z6N6MHgwHQYDVR0OBBYEFOrSA+2YKXa5KR6k0687CZuhai5OMB8GA1UdIwQYMBaA
+FLTY4vqgjcQ01aCcB8AYVbUhEU7VMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwFgYDVR0RBA8wDYILZXhhbXBsZS5vcmcwCgYIKoZIzj0EAwIDSQAwRgIh
+AKSsLwlidPiSrgda6XWihov4D4KHu6ZX3ZAAZ2uiBAefAiEArCq5WiO3Zeunl0Ct
+PyDiaL1QKbJ7lnqPQCS1o8xn+RI=
+-----END CERTIFICATE-----
+subject= CN = CA2
+issuer= CN = Root CA2
+notBefore=Feb 6 22:39:13 2016 GMT
+notAfter=Feb 7 22:39:13 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBYjCCAQigAwIBAgIBAjAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
+MjAgFw0xNjAyMDYyMjM5MTNaGA8yMTE2MDIwNzIyMzkxM1owDjEMMAoGA1UEAwwD
+Q0EyMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEYr6zgBxpsxA31IFiGyb6uaGC
+CQdNMyJfDgqCihsU1eOEuauzXO7tydCbjfRmhqQK1EGd254IjcGY+37tZEbvPKNQ
+ME4wHQYDVR0OBBYEFLTY4vqgjcQ01aCcB8AYVbUhEU7VMB8GA1UdIwQYMBaAFBRb
++/qrntsksembakoZTwTZk8AXMAwGA1UdEwQFMAMBAf8wCgYIKoZIzj0EAwIDSAAw
+RQIgX2fmMykyiuryf1AeKyc1j8HgmM8u/nyQfJnTCwvYUcECIQC6JHd3ybV9eJQo
+7sfr/jV+rRlZY2iaRv160BWYd82L7g==
+-----END CERTIFICATE-----
+subject= CN = Root CA2
+issuer= CN = Root CA2
+notBefore=Feb 6 22:38:48 2016 GMT
+notAfter=Feb 7 22:38:48 2116 GMT
+-----BEGIN CERTIFICATE-----
+MIIBaDCCAQ2gAwIBAgIBATAKBggqhkjOPQQDAjATMREwDwYDVQQDDAhSb290IENB
+MjAgFw0xNjAyMDYyMjM4NDhaGA8yMTE2MDIwNzIyMzg0OFowEzERMA8GA1UEAwwI
+Um9vdCBDQTIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATlTxAPKteg+L1LmxMl
+sbAFMxj6/322nR5RRGeF07KZRBFPaFZLgwZ1DuNrwM3wxxNdUyoZ6iAyDmwNf3K1
+42/Uo1AwTjAdBgNVHQ4EFgQUFFv7+que2ySx6ZtqShlPBNmTwBcwHwYDVR0jBBgw
+FoAUFFv7+que2ySx6ZtqShlPBNmTwBcwDAYDVR0TBAUwAwEB/zAKBggqhkjOPQQD
+AgNJADBGAiEAumhPWZ37swl10awM/amX+jv0UlUyJBf8RGA6QMG5bwICIQDbinER
+fEevg+GOsr1P6nNMCAsQd9NwsvTQ+jm+TBArWQ==
+-----END CERTIFICATE-----