[Pkg-openssl-devel] Bug#812873: libssl1.0.0: Server certificate verification fails

Antti Salmela asalmela at iki.fi
Wed Jan 27 13:44:43 UTC 2016


Package: libssl1.0.0
Version: 1.0.1k-3+deb8u2
Severity: normal

Dear Maintainer,

openssl in jessie fails to verify the server's certificate, while versions from squeeze, wheezy and
stretch work:

as at jessie:~$ openssl s_client -CApath /etc/ssl/certs -connect ohjelmat.posti.fi:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=FI/ST=Etela-Suomen laani/L=Helsinki/O=Itella Oyj/OU=Web Administration/CN=ohjelmat.posti.fi
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
---
Server certificate
subject=/C=FI/ST=Etela-Suomen laani/L=Helsinki/O=Itella Oyj/OU=Web Administration/CN=ohjelmat.posti.fi
issuer=/C=US/O=Thawte, Inc./CN=Thawte SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4333 bytes and written 493 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: BD155C696B0DC76FBA2DE718DF4A2467F695324777CDD7F85AC5C16F1EE10D10
    Session-ID-ctx: 
    Master-Key: FBB974115C1116B15E147A8627C707406DA7A115214ACBB100C38A2F4B913133314601A6A0ADC10C1A1397AAF634F7EC
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1453901893
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---



-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (900, 'stable'), (890, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  libc6                  2.19-18+deb8u2
ii  multiarch-support      2.19-18+deb8u2

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information excluded
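
Added example, not part of the original report or of OpenSSL: a small Python reader for the s_client output quoted above that ties the "verify error:num=20" line to the chain the server sent and names the issuer the verifier had to find in the local trust store. The function names parse_chain and diagnose are hypothetical; the embedded text is copied from the report.

```python
import re

# Excerpt of the s_client output quoted in the report (verify error and chain section).
REPORT_OUTPUT = """\
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=FI/ST=Etela-Suomen laani/L=Helsinki/O=Itella Oyj/OU=Web Administration/CN=ohjelmat.posti.fi
   i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
---
"""

CHAIN_RE = re.compile(r"^[ \t]*(\d+) s:(.+)\n[ \t]+i:(.+)$", re.M)
ERROR_RE = re.compile(r"^depth=(\d+) .*\nverify error:num=(\d+):(.+)$", re.M)


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' section."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_RE.findall(text)]


def diagnose(text):
    """Relate the first verify error to the chain the server actually sent."""
    chain = {d: (s, i) for d, s, i in parse_chain(text)}
    err = ERROR_RE.search(text)
    if not chain or not err:
        return None
    depth, num = int(err.group(1)), int(err.group(2))
    subject, issuer = chain.get(depth, (None, None))
    # Each certificate's issuer DN should equal the subject DN of the next one sent.
    broken = [d for d in sorted(chain) if d + 1 in chain and chain[d][1] != chain[d + 1][0]]
    return {
        "error": num,
        "depth": depth,
        "failing_subject": subject,
        "issuer_to_find_locally": issuer,
        "self_signed": subject == issuer,
        "broken_links": broken,
    }


if __name__ == "__main__":
    print(diagnose(REPORT_OUTPUT))
```

For the output in this report it shows that the three certificates sent link up correctly, that the depth-2 certificate is not self-signed, and that its issuer (Thawte Premium Server CA) is the one that was not found under the given -CApath.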


