[Bug 1014640] Re: 12.04/openssl refusing some verisign certified sites
Peter
1014640 at bugs.launchpad.net
Thu Aug 16 11:20:17 UTC 2012
And the output from openssl on 12.04:
==================================================================
# openssl s_client -connect test.sagepay.com:443
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/serialNumber=01045967/C=GB/ST=TYNE AND WEAR/L=Newcastle Upon Tyne/O=Sage (UK) Limited/OU=Sage/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=test.sagepay.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/serialNumber=01045967/C=GB/ST=TYNE AND WEAR/L=Newcastle Upon Tyne/O=Sage (UK) Limited/OU=Sage/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=test.sagepay.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 4709 bytes and written 558 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : RC4-MD5
Session-ID: 22060000FA7F82875765F721E58E9ACB64969C3EB3ACDD9297BA42F6F06D1273
Session-ID-ctx:
Master-Key: EE3A2E901870BF223DF78CF8F942B9782ECDABF0FA2040A8D10D99DFD0389A88137FC848F03802A5FEC2CA95E70D7704
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1345115877
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
https://bugs.launchpad.net/bugs/1014640
Title:
12.04/openssl refusing some verisign certified sites
Status in “openssl” package in Ubuntu:
New
Bug description:
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well known sites it would seem to be quite an important issue?
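As an added illustration (not part of the bug report, and not OpenSSL's code): a Python script that parses the `Certificate chain` listing printed by `openssl s_client`, as seen in both runs above, and models why the two runs end with different error codes. OpenSSL 1.0.1, the version shipped with 12.04, follows the server-supplied chain to its topmost certificate and only then asks the local store for that certificate's issuer. The cs.directnet.com chain ends in the self-signed legacy Class 3 root, so the store must contain that very root or s_client reports code 19; the test.sagepay.com chain ends in the G5 root as signed by the legacy root, so again the legacy root is what must be in the store, and its absence gives code 20. Either way the G5 root sitting in the store does not help a 1.0.1 verifier, whereas OpenSSL 1.1.0 and later prefer a trust-store issuer at every depth (trusted-first path building) and therefore stop at G5 and verify. The trust-store contents (G5 present, legacy root absent) are an assumption constructed for the example; the chain listings are copied from the report.

```python
"""Parse the "Certificate chain" listing printed by `openssl s_client` and model how
OpenSSL 1.0.1 and OpenSSL 1.1.0+ path building judge it against a trust store.
Added illustration for the bug report (not the report's or OpenSSL's code); the trust
store is a constructed, name-only stand-in for the 12.04 ca-certificates bundle."""
from __future__ import annotations

import re
from dataclasses import dataclass

# "Verify return code" values as printed by s_client.
OK = 0
DEPTH_ZERO_SELF_SIGNED = 18        # self signed certificate
SELF_SIGNED_IN_CHAIN = 19          # self signed certificate in certificate chain
UNABLE_TO_GET_ISSUER_LOCALLY = 20  # unable to get local issuer certificate

G5_ROOT = ("/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network"
           "/OU=(c) 2006 VeriSign, Inc. - For authorized use only"
           "/CN=VeriSign Class 3 Public Primary Certification Authority - G5")
LEGACY_ROOT = "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority"
# Constructed trust store: the G5 root is present, the legacy root that signed it is not.
TRUST_STORE = {G5_ROOT}

# Chain listings copied from the two s_client runs in the report.
SAGEPAY_CHAIN = """Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization/serialNumber=01045967/C=GB/ST=TYNE AND WEAR/L=Newcastle Upon Tyne/O=Sage (UK) Limited/OU=Sage/OU=Terms of use at www.verisign.co.uk/rpa (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=test.sagepay.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
"""
DIRECTNET_CHAIN = """Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
"""


@dataclass
class ChainCert:
    depth: int
    subject: str
    issuer: str

    def self_signed(self) -> bool:
        return self.subject == self.issuer  # name-level stand-in for check_issued(x, x)


_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_chain(listing: str) -> list[ChainCert]:
    """Turn the 'N s:<subject>' / 'i:<issuer>' pairs into ChainCert records."""
    certs: list[ChainCert] = []
    pending = None
    for line in listing.splitlines():
        if m := _SUBJECT.match(line):
            pending = (int(m.group(1)), m.group(2).strip())
        elif (m := _ISSUER.match(line)) and pending:
            certs.append(ChainCert(*pending, m.group(1).strip()))
            pending = None
    for lower, upper in zip(certs, certs[1:]):  # each cert must be issued by the next one up
        if lower.issuer != upper.subject:
            raise ValueError(f"chain broken between depth {lower.depth} and {upper.depth}")
    return certs


def required_anchor(chain: list[ChainCert]) -> str:
    """Subject name the store must hold for 1.0.1-style verification to succeed."""
    top = chain[-1]
    return top.subject if top.self_signed() else top.issuer


def verify_legacy(chain: list[ChainCert], store: set[str]) -> int:
    """OpenSSL 1.0.1: walk the supplied chain to its top, then ask the store only for
    that cert's issuer; a self-signed top must itself be in the store or it is code 19."""
    if required_anchor(chain) in store:
        return OK
    if not chain[-1].self_signed():
        return UNABLE_TO_GET_ISSUER_LOCALLY
    return DEPTH_ZERO_SELF_SIGNED if len(chain) == 1 else SELF_SIGNED_IN_CHAIN


def verify_trusted_first(chain: list[ChainCert], store: set[str]) -> int:
    """OpenSSL 1.1.0+ (X509_V_FLAG_TRUSTED_FIRST default): a store certificate is
    preferred as issuer at every depth, so the chain is cut at the first trusted anchor."""
    for cert in chain:
        if cert.issuer in store:
            return OK
    return verify_legacy(chain, store)  # no trusted issuer anywhere: same failure as before


if __name__ == "__main__":
    for host, listing in (("test.sagepay.com", SAGEPAY_CHAIN), ("cs.directnet.com", DIRECTNET_CHAIN)):
        chain = parse_chain(listing)
        print(f"{host}: 1.0.1 -> {verify_legacy(chain, TRUST_STORE)}, "
              f"1.1.0+ -> {verify_trusted_first(chain, TRUST_STORE)}, "
              f"store must hold: {required_anchor(chain)}")
```

With the constructed store, `verify_legacy` returns 20 for the sagepay listing and 19 for the directnet listing, matching the two `Verify return code` lines in the report, while `verify_trusted_first` returns 0 for both; adding `LEGACY_ROOT` to the store makes the 1.0.1 model pass as well, which is the name-level version of what a trust-store fix for this report would have to provide.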