[Pkg-openssl-devel] Bug#812873: Bug#812873: libssl1.0.0: Server certificate verification fails
Kurt Roeckx
kurt at roeckx.be
Wed Jan 27 18:03:20 UTC 2016
On Wed, Jan 27, 2016 at 03:44:43PM +0200, Antti Salmela wrote:
> Package: libssl1.0.0
> Version: 1.0.1k-3+deb8u2
> Severity: normal
>
> Dear Maintainer,
>
> openssl in jessie fails to verify certificate of server, while versions from squeeze, wheezy and
> stretch work:
It fails just as well with wheezy and squeeze for me. (It does
work in stretch.)
> as at jessie:~$ openssl s_client -CApath /etc/ssl/certs -connect ohjelmat.posti.fi:443
> CONNECTED(00000003)
> depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/C=FI/ST=Etela-Suomen laani/L=Helsinki/O=Itella Oyj/OU=Web Administration/CN=ohjelmat.posti.fi
> i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
> 1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
> i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
The server is not sending the complete chain, it's misconfigured.
The last certificate it sends in the chain is not the root CA, and
the issuer of that certificate isn't trusted either. It should
either send the correct root CA, or drop that last CA it sends.
It's also a totally insecure website.
Kurt
More information about the Pkg-openssl-devel
mailing list