[Bug 1014640] Re: 12.04/openssl refusing some verisign certified sites
Launchpad Bug Tracker
1014640 at bugs.launchpad.net
Thu Dec 5 13:48:14 UTC 2013
This bug was fixed in the package ca-certificates - 20130906ubuntu1
---------------
ca-certificates (20130906ubuntu1) trusty; urgency=low
* mozilla/certdata2pem.py: Work around openssl issue by shipping both
versions of the same signed roots. Previously, the script would simply
overwrite the first one found in the certdata.txt with the later one
since they both have the same CKA_LABEL, resulting in identical
filenames. (LP: #1014640)
-- Marc Deslauriers <marc.deslauriers at ubuntu.com> Wed, 04 Dec 2013 16:53:53 -0500
** Changed in: ca-certificates (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1014640
Title:
12.04/openssl refusing some verisign certified sites
Status in OpenSSL cryptography and SSL/TLS toolkit:
Confirmed
Status in “ca-certificates” package in Ubuntu:
Fix Released
Status in “openssl” package in Ubuntu:
Confirmed
Bug description:
Summary: SSL refuses to work with some https sites on 12.04, 13.04 and
13.10, for fresh and updated installations. It is an issue with
OpenSSL's handling of certificates.
Fix: none yet, OpenSSL needs to be fixed upstream.
http://rt.openssl.org/Ticket/Display.html?id=2732
WORKAROUND:
1) Copy the Root CA from Symantec's website https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1556
2) Paste the contents into a file under "/usr/local/share/ca-certificates/" and update:
$ sudo vi /usr/local/share/ca-certificates/<anyname>.crt
$ sudo update-ca-certificates
# You should see output similar to this:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
---- Original post ----
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well-known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- tested on a 10.04 upgraded to 12.04 and also on a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well-known sites it would seem to be quite an important issue?
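The following is an added example, not code from the bug report, from OpenSSL or from the ca-certificates package. It is a simplified model of the mismatch the changelog works around: the server sends a self-signed root that is a re-issued version (same subject and key, different signature, hence different bytes) of the root in the local store. The model verifier first follows the server-supplied chain to its self-signed top and only then consults the trust store; whether the lookup demands the exact certificate ("exact match") or accepts any certificate with the same subject and key ("key match") is the assumption being varied. Certificates are plain records with constructed key ids and fingerprints; the subjects are abbreviated from the s_client output above.

```python
"""Toy model of the trust-anchor mismatch behind LP: #1014640.

Added example; not code from the bug report, from OpenSSL or from the
ca-certificates package. Certificates are plain records with constructed
key ids and fingerprints; nothing here parses real X.509.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str       # stands for the public key (constructed placeholder)
    fingerprint: str  # stands for the exact certificate bytes (constructed)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Subjects abbreviated from the chain printed by `openssl s_client` in the report.
LEAF = "CN=cs.directnet.com"
EV_CA = "CN=VeriSign Class 3 Extended Validation SSL SGC CA"
G5 = "CN=VeriSign Class 3 Public Primary Certification Authority - G5"
PCA = "OU=Class 3 Public Primary Certification Authority"

# Two versions of the same root: same subject and key, re-signed, so the
# certificate bytes (and therefore the fingerprint) differ.
PCA_V1 = Cert(PCA, PCA, key_id="pca-key", fingerprint="pca-v1")
PCA_V2 = Cert(PCA, PCA, key_id="pca-key", fingerprint="pca-v2")

# Chain as the server sends it: leaf -> EV CA -> G5 cross-signed by the old
# PCA -> the old PCA itself, in the re-issued version.
SERVER_CHAIN = [
    Cert(LEAF, EV_CA, key_id="leaf-key", fingerprint="leaf"),
    Cert(EV_CA, G5, key_id="evca-key", fingerprint="evca"),
    Cert(G5, PCA, key_id="g5-key", fingerprint="g5-cross"),
    PCA_V2,
]

# A store with one file per CKA_LABEL (the old certdata2pem.py behaviour) and
# the store 20130906ubuntu1 produces, which ships both versions.
STORE_ONE_VERSION = frozenset({PCA_V1})
STORE_BOTH_VERSIONS = frozenset({PCA_V1, PCA_V2})

Matcher = Callable[[Cert, Cert], bool]


def exact_match(cert: Cert, anchor: Cert) -> bool:
    """The very certificate the server sent must be in the store."""
    return cert.fingerprint == anchor.fingerprint


def key_match(cert: Cert, anchor: Cert) -> bool:
    """Same subject and same public key are enough, whichever re-issue it is."""
    return (cert.subject, cert.key_id) == (anchor.subject, anchor.key_id)


def verify(chain: List[Cert], store: Iterable[Cert], match: Matcher) -> Tuple[bool, str]:
    """Follow the supplied chain upward, then check its top against the store.

    Returns (ok, reason); the reasons reuse OpenSSL's verify error wording.
    """
    if not chain:
        return False, "empty chain"
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            return False, "unable to get local issuer certificate"
    top = chain[-1]
    if not top.self_signed:
        return False, "unable to get issuer certificate"
    if any(match(top, anchor) for anchor in store):
        return True, "ok"
    return False, "self signed certificate in certificate chain"


def scenarios() -> dict:
    """The three cases that matter for this bug, keyed by description."""
    return {
        "one version in store, exact match": verify(SERVER_CHAIN, STORE_ONE_VERSION, exact_match),
        "one version in store, key match": verify(SERVER_CHAIN, STORE_ONE_VERSION, key_match),
        "both versions in store, exact match": verify(SERVER_CHAIN, STORE_BOTH_VERSIONS, exact_match),
    }


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} ({reason})")
```

Under the exact-match policy the store holding only one version of the root rejects the chain with the error text seen in the report, while a store holding both versions accepts it, which is what the changelog's "shipping both versions of the same signed roots" achieves without touching the verifier. The key-match policy shows the alternative of fixing the lookup itself.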