[Pkg-openssl-devel] Bug#622679: libssl1.0.0: certificate verification fails for about every server

Sven Joachim svenjoac at gmx.de
Wed Apr 13 19:09:53 UTC 2011


Package: libssl1.0.0
Version: 1.0.0d-1
Severity: important

It seems all the certificates in /etc/ssl/certs have become pretty much
useless now, because just about every connection fails either with error
20 (unable to get local issuer certificate) or error 19 (self signed
certificate in certificate chain), like this:

,----
| $ openssl s_client -CApath /etc/ssl/certs/ -connect bugs.freedesktop.org:443
| CONNECTED(00000003)
| depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
| verify error:num=20:unable to get local issuer certificate
| [...]
| $ openssl s_client -CApath /etc/ssl/certs/ -connect alioth.debian.org:443
| CONNECTED(00000003)
| depth=2 C = US, ST = Indiana, L = Indianapolis, O = Software in the Public Interest, OU = hostmaster, CN = Certificate Authority, emailAddress = hostmaster at spi-inc.org
| verify error:num=19:self signed certificate in certificate chain
| [...]
`----

This broke my mail setup after today's binNMU of postfix which could not
set up a verified connection to the relay host:

,----
| Apr 13 16:22:53 turtle postfix/smtp[1972]: setting up TLS connection to mail.gmx.net[213.165.64.21]:587
| Apr 13 16:22:53 turtle postfix/smtp[1972]: certificate verification
| failed for mail.gmx.net[213.165.64.21]:587: untrusted issuer
| /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
| cc/OU=Certification Services Division/CN=Thawte Premium Server
| CA/emailAddress=premium-server at thawte.com
| Apr 13 16:22:53 turtle postfix/smtp[1972]: Untrusted TLS connection
| established to mail.gmx.net[213.165.64.21]:587: TLSv1 with cipher
| DHE-RSA-AES256-SHA (256/256 bits)
| Apr 13 16:22:53 turtle postfix/smtp[1972]: 88EFF3F328: Server certificate not trusted
| Apr 13 16:22:53 turtle postfix/smtp[1972]: setting up TLS connection to mail.gmx.net[213.165.64.20]:587
| Apr 13 16:22:53 turtle postfix/smtp[1972]: certificate verification
| failed for mail.gmx.net[213.165.64.20]:587: untrusted issuer
| /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
| cc/OU=Certification Services Division/CN=Thawte Premium Server
| CA/emailAddress=premium-server at thawte.com
| Apr 13 16:22:53 turtle postfix/smtp[1972]: Untrusted TLS connection
| established to mail.gmx.net[213.165.64.20]:587: TLSv1 with cipher
| DHE-RSA-AES256-SHA (256/256 bits)
| Apr 13 16:22:53 turtle postfix/smtp[1972]: 88EFF3F328:
| to=<620138 at bugs.debian.org>, relay=mail.gmx.net[213.165.64.20]:587,
| delay=2.4, delays=0.3/0.87/1.2/0, dsn=4.7.5, status=deferred (Server
| certificate not trusted)
`----

Downgrading postfix to 2.8.2-1 "fixed" this.  Needless to say, the
openssl version in Squeeze shows no errors in the above examples either.


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.39-rc3-nouveau (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]   1.5.38           Debian configuration management sy
ii  libc6                   2.11.2-11        Embedded GNU C Library: Shared lib
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-failed:
  libssl1.0.0/restart-services: