[Bug 1014640] Re: 12.04/openssl refusing some verisign certified sites
Marc Deslauriers
marc.deslauriers at canonical.com
Tue Aug 13 12:16:08 UTC 2013
There seems to be a mismatch between the "VeriSign Class 3 Public
Primary Certification Authority - G5" cert that is in Ubuntu, and the
one that is at the end of the cert chain returned by www.postfinance.ch:
In Ubuntu:
VeriSign Class 3 Public Primary Certification Authority - G5
Serial Number: 18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Validity Not Before: Nov 8 00:00:00 2006 GMT
Not After : Jul 16 23:59:59 2036 GMT
www.postfinance.ch returns:
VeriSign Class 3 Public Primary Certification Authority - G5
Serial Number: 57:bf:fb:03:fb:2c:46:d4:e1:9e:ce:e0:d7:43:7f:13
Validity Not Before: Wed Nov 08 00:00:00 UTC 2006
Not After: Sun Nov 07 23:59:59 UTC 2021
This results in openssl not being able to validate the chain.
In theory, openssl should discover that the second to last cert in the postfinance.ch chain can be validated with the CA in Ubuntu like NSS and gnutls do, but it doesn't. See upstream openssl bug.
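As an added illustration (not code from this bug report or from OpenSSL, NSS or GnuTLS), the following Python model contrasts the two chain-building strategies described above, using the subjects and serials quoted in this thread; the leaf, SGC CA and PCA serials and all key_id values are constructed placeholders, and signatures are not checked.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str
    key_id: str  # stand-in for the public key (SPKI); constructed values
PCA = "OU=Class 3 Public Primary Certification Authority"
G5 = "CN=VeriSign Class 3 Public Primary Certification Authority - G5"
SGC = "CN=VeriSign Class 3 Extended Validation SSL SGC CA"

# Ubuntu's store: only the self-signed G5 root (serial from the bug report).
# The old PCA is absent, matching the "self signed certificate" error.
UBUNTU_STORE = [Cert(G5, G5, "18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a", "g5-key")]

# Chain sent by www.postfinance.ch: leaf, SGC CA, the cross-signed G5 (same key
# as the root, issued by the PCA), then the self-signed PCA. Other serials are constructed.
SERVER_CHAIN = [
    Cert("CN=www.postfinance.ch", SGC, "leaf-serial", "leaf-key"),
    Cert(SGC, G5, "sgc-serial", "sgc-key"),
    Cert(G5, PCA, "57:bf:fb:03:fb:2c:46:d4:e1:9e:ce:e0:d7:43:7f:13", "g5-key"),
    Cert(PCA, PCA, "pca-serial", "pca-key"),
]

def find_issuer(cert, pool):
    """Path building by issuer name only; signature checks are omitted in this model."""
    return next((c for c in pool if c.subject == cert.issuer), None)

def is_anchor(cert, store):
    """A chain cert is a trust anchor if the store holds the same subject and key."""
    return any(t.subject == cert.subject and t.key_id == cert.key_id for t in store)

def verify_untrusted_first(chain, store):
    """OpenSSL 1.0.1: exhaust the supplied chain, then look only its last cert up in the store."""
    cur = chain[0]
    while cur.subject != cur.issuer and (nxt := find_issuer(cur, chain)):
        cur = nxt
    if cur.subject == cur.issuer:
        return "ok" if is_anchor(cur, store) else "self signed certificate in certificate chain"
    return "ok" if find_issuer(cur, store) else "unable to get issuer certificate"

def verify_trusted_first(chain, store):
    """NSS/GnuTLS: consult the store at every step, so the walk stops at the SGC CA."""
    cur = chain[0]
    while True:
        if is_anchor(cur, store) or find_issuer(cur, store):
            return "ok"
        if cur.subject == cur.issuer or (nxt := find_issuer(cur, chain)) is None:
            return "no trusted path to a root"
        cur = nxt
```

Later OpenSSL releases added the trusted-first strategy as `X509_V_FLAG_TRUSTED_FIRST` (`openssl verify -trusted_first`), which is what makes a chain ending in a cross-signed G5 verify against the self-signed G5 in the store.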
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/1014640
Title:
12.04/openssl refusing some verisign certified sites
Status in OpenSSL cryptography and SSL/TLS toolkit:
Confirmed
Status in “openssl” package in Ubuntu:
Confirmed
Bug description:
Summary: SSL refuses to work with some sites on both 12.04 and 13.04,
for fresh and updated installations. No known workarounds, although
running c_rehash may help in some scenarios.
Original post:
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well-known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well-known sites it would seem to be quite an important issue?