Since 04/25/2012, there seem to be some Twitter API servers using a new SSL certificate.
(The old one seems to expire in about three weeks time.)
The new SSL certificate is signed with a VeriSign Class 3 Secure Server CA - G3 root cert.
However, the intermediate cert / root cert provided by these Twitter API servers are the old ones:
VeriSign Class 3 Secure Server CA - G2
Here’s the output from openssl:
openssl s_client -showcerts -connect 199.59.149.232:443 -CAfile PCA-3G3.pem < /dev/null
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=San Francisco/O=Twitter, Inc./OU=Twitter Security/CN=api.twitter.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Twitter, Inc./OU=Twitter Security/CN=api.twitter.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Twitter, Inc./OU=Twitter Security/CN=api.twitter.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
0 s:/C=US/ST=California/L=San Francisco/O=Twitter, Inc./OU=Twitter Security/CN=api.twitter.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©10/CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa ©09/CN=VeriSign Class 3 Secure Server CA - G2
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=© 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
The SSL chain contains the G3 signed TwitterAPI cert but then the (regular) G2 root cert.
I don’t know if this is a problem for all SSL implementations, but at least on Symbian it doesn’t work this way.
A online SSL verification tool reported a broken intermediate / chain, too.
I’ve read similar reports from Opera users, Chrome users
