[Pkg-openssl-devel] Bug#812873: Bug#812873: libssl1.0.0: Server certificate verification fails

Antti Salmela asalmela at iki.fi
Thu Jan 28 12:25:28 UTC 2016 

On Wed, Jan 27, 2016 at 07:03:20PM +0100, Kurt Roeckx wrote:
> On Wed, Jan 27, 2016 at 03:44:43PM +0200, Antti Salmela wrote:
> > Package: libssl1.0.0
> > Version: 1.0.1k-3+deb8u2
> > Severity: normal
> > 
> > Dear Maintainer,
> > 
> > openssl in jessie fails to verify certificate of server, while versions from squeeze, wheezy and
> > stretch work:
> 
> It fails just as well with wheezy and squeeze for me.  (It does
> work in stretch.)

Okay, thanks. Qualys SSL test lead me to believe that this was not really a
certificate chain  / verification problem:

https://www.ssllabs.com/ssltest/analyze.html?d=ohjelmat.posti.fi&latest

But after I upgraded ca-certificates to version from jessie in my wheezy
host, it started to fail there too.

To find out why it works on stretch, I first upgraded ca-certificates to
20160104 on a jessie host, no changes. Upgraded openssl to 1.0.2e-1, and
it works again. So somehow newer openssl can verify the chain.

Tried openssl 1.0.1e from Centos/RHEL 7 with ca-certificates.crt from jessie,
that fails too - so no already backported fixes from that way.

> 
> > as at jessie:~$ openssl s_client -CApath /etc/ssl/certs -connect ohjelmat.posti.fi:443
> > CONNECTED(00000003)
> > depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
> > verify error:num=20:unable to get local issuer certificate
> > verify return:0
> > ---
> > Certificate chain
> >  0 s:/C=FI/ST=Etela-Suomen laani/L=Helsinki/O=Itella Oyj/OU=Web Administration/CN=ohjelmat.posti.fi
> >    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
> >  1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
> >    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> >  2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> >    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server at thawte.com
> 
> The server is not sending the complete chain, it's misconfigured.
> The last certificate it sends in the chain is not the root CA, and
> the issuer of that certificate isn't trusted either.  It should
> either send the correct root CA, or drop that last CA it sends.

It's an api endpoint of the Finnish Post Office, AFAIK not used with
web browsers at all. At least they have to renew the certificate in April.

> It's also a totally insecure website.

No disagreement on that.

-- 
Antti Salmela

More information about the Pkg-openssl-devel mailing list