[Pkg-openssl-devel] Bug#812873: Bug#812873: libssl1.0.0: Server certificate verification fails
Kurt Roeckx
kurt at roeckx.be
Thu Jan 28 17:48:20 UTC 2016
On Thu, Jan 28, 2016 at 02:25:28PM +0200, Antti Salmela wrote:
> On Wed, Jan 27, 2016 at 07:03:20PM +0100, Kurt Roeckx wrote:
> > On Wed, Jan 27, 2016 at 03:44:43PM +0200, Antti Salmela wrote:
> > > Package: libssl1.0.0
> > > Version: 1.0.1k-3+deb8u2
> > > Severity: normal
> > >
> > > Dear Maintainer,
> > >
> > > openssl in jessie fails to verify certificate of server, while versions from squeeze, wheezy and
> > > stretch work:
> >
> > It fails just as well with wheezy and squeeze for me. (It does
> > work in stretch.)
>
> Okay, thanks. Qualys SSL test led me to believe that this was not really a
> certificate chain / verification problem:
>
> https://www.ssllabs.com/ssltest/analyze.html?d=ohjelmat.posti.fi&latest
>
> But after I upgraded ca-certificates to version from jessie in my wheezy
> host, it started to fail there too.
>
> To find out why it works on stretch, I first upgraded ca-certificates to
> 20160104 on a jessie host, no changes. Upgraded openssl to 1.0.2e-1, and
> it works again. So somehow newer openssl can verify the chain.
Yes, I forgot to mention this part. It's a change in later versions
of OpenSSL 1.0.1 and 1.0.2. You'll get the old behaviour when
using the -no_alt_chains option to s_client.
Kurt