[Pkg-openssl-devel] Bug#812873: Bug#812873: libssl1.0.0: Server certificate verification fails

Kurt Roeckx kurt at roeckx.be
Wed Jan 27 18:03:20 UTC 2016


On Wed, Jan 27, 2016 at 03:44:43PM +0200, Antti Salmela wrote:
> Package: libssl1.0.0
> Version: 1.0.1k-3+deb8u2
> Severity: normal
> 
> Dear Maintainer,
> 
> openssl in jessie fails to verify certificate of server, while versions from squeeze, wheezy and
> stretch work:

It fails just as well with wheezy and squeeze for me.  (It does
work in stretch.)

> as at jessie:~$ openssl s_client -CApath /etc/ssl/certs -connect ohjelmat.posti.fi:443
> CONNECTED(00000003)
> depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=FI/ST=Etela-Suomen laani/L=Helsinki/O=Itella Oyj/OU=Web Administration/CN=ohjelmat.posti.fi
>    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
>  1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
>    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>  2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com

The server is not sending the complete chain, it's misconfigured.
The last certificate it sends in the chain is not the root CA, and
the issuer of that certificate isn't trusted either.  It should
either send the correct root CA, or drop that last CA it sends.

It's also a totally insecure website.


Kurt
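The chain shape Kurt describes, as an added example that is not part of this thread: a throwaway PKI built with the openssl CLI (all names constructed, nothing touches the network), then openssl verify run against it to show which trust-store contents accept or reject the chain the server sends. It assumes an openssl binary (1.1.1 or later) on PATH and exits quietly if none is found.

```shell
#!/bin/sh
# Added example, not from the bug report: rebuild the chain shape shown above with a
# throwaway PKI (constructed names, no network) and ask "openssl verify" what each
# trust store makes of it. "Legacy Root" stands in for Thawte Premium Server CA and
# "Primary Root" for thawte Primary Root CA, sent cross-signed by Legacy Root.
set -eu

# Issue $1.pem for CN $3 with key $2.key (created if absent), signed by $4 using
# extension section $5 of pki.cnf. Reusing root.key is what makes the cross-sign.
issue() {
    [ -f "$2.key" ] || openssl genrsa -out "$2.key" 2048 2>/dev/null
    openssl req -new -config pki.cnf -key "$2.key" -subj "/CN=$3" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
        -days 30 -extfile pki.cnf -extensions "$5" -out "$1.pem" 2>/dev/null
}

# Self-signed root $1.pem with CN $2.
selfsign() {
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

build_pki() {
    PKI=$(mktemp -d); cd "$PKI"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca' \
        'prompt = no' '[dn]' 'CN = unused' '[ca]' \
        'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
        '[ee]' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' > pki.cnf
    selfsign legacy 'Legacy Root'       # old root, absent from the client's store
    selfsign root   'Primary Root'      # current root, the copy a trust store ships
    selfsign other  'Unrelated Root'    # a store that trusts neither of the above
    issue root-cross root 'Primary Root' legacy ca   # same key, issued by Legacy Root
    issue inter inter 'Intermediate CA' root ca
    issue leaf  leaf  'www.example.test' inter ee
    cat inter.pem root-cross.pem > as-sent.pem      # the misconfigured server's chain
}

# Verify leaf.pem with trust store $1 and server-supplied chain $2; echoes the result
# instead of failing, so it is safe to call under set -e.
outcome() {
    if openssl verify -no-CApath -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
    then echo verified; else echo rejected; fi
}

command -v openssl >/dev/null 2>&1 || { echo 'openssl CLI not found' >&2; exit 0; }
build_pki
echo "trusts Primary Root, chain inter+cross-signed root: $(outcome root.pem as-sent.pem)"
echo "trusts Primary Root, chain inter only:              $(outcome root.pem inter.pem)"
echo "trusts Legacy Root,  chain inter+cross-signed root: $(outcome legacy.pem as-sent.pem)"
echo "trusts neither,      chain inter+cross-signed root: $(outcome other.pem as-sent.pem)"
```

The first printed case is the one in the report: current OpenSSL releases build the chain through the trust store's own copy of Primary Root and accept it, while the jessie build did not. The other three outcomes do not depend on the OpenSSL version.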


