Issues with OpenSSL but NOT with NMap? why? "unable to get local issuer certificate"

Hi

I’m checking an issue where Qualys EE generated a report identifying a point of vulnerability with the following issue: “unable to get local issuer certificate”. I proceeded to test with OpenSSL to validate through the terminal, and yes, OpenSSL shows the same error. But when I use different tools like Nmap and SSL Labs, everything looks good, with a verified CA and the complete chain. Why is it different, and where is the issue? Any guidance on this? Is this an issue with Kong? I have the cert and CA in Kong.

$ openssl s_client -connect api-gateway.domain.com:443
CONNECTED(00000006)
depth=0 C = DO, ST = SDQ, L = SDQ, OU = OU, O = O, CN = *.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DO, ST = SDQ, L = SDQ, OU = OU, O = O, CN = *.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1


$ nmap --script 'ssl*' -p 443 api-gateway.domain.com
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-08 21:06 AST
Nmap scan report for api-gateway.domain.com ()
Host is up (0.022s latency).
Other addresses for api-gateway.domain.com (not scanned):
rDNS record for : adsl

PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=*.domain.com/organizationName=O/stateOrProvinceName=SDQ/countryName=DO
| Subject Alternative Name: DNS:*.domain.com, DNS:domain.com
| Issuer: commonName=GlobalSign Organization Validation CA - SHA256 - G2/organizationName=GlobalSign nv-sa/countryName=BE
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2018-02-01T22:01:01
| Not valid after: 2021-02-01T22:01:01
| MD5: 9999 f1db a2bd 637c 86d3 4733 228a 5fd8
|_SHA-1: dab1 d779 f52c 394e c966 ef2b e1a3 27cf 8c3b fc2e
|_ssl-date: TLS randomness does not represent time
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
|_sslv2-drown:
