Alternative chain verification failure after 1024b root CAs removal

Bug #1551615 reported by Christian Beer
Affects                   Status        Importance  Assigned to  Milestone
ca-certificates (Debian)  Fix Released  Unknown
ca-certificates (Ubuntu)  Invalid       Undecided   Unassigned

Bug Description

There is now the same problem on Ubuntu 14.04 as there is currently on Debian 7.

See:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812708
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812488

Gist:
OpenSSL 1.0.1f cannot verify certificates that have an alternative chain without both root certificates present. The update 20160104ubuntu0.14.04.1 removes 1024-bit certificates that are used within those chains.

Please don't push this update to vivid too!

Changed in ca-certificates (Debian):
status: Unknown → New
Marc Deslauriers (mdeslaur) wrote:

We released updated openssl packages to handle that case:

http://www.ubuntu.com/usn/usn-2913-3/

What version of openssl do you have installed?
What specific site are you unable to access?

Changed in ca-certificates (Ubuntu):
status: New → Incomplete
Christian Beer (christian-beer) wrote:

I received the user report and did a quick check using a fresh installation of 14.04. I disabled updates at install because I wanted to test before and after updating ca-certificates. I then only updated ca-certificates which showed the problem (curl https://einstein.phys.uwm.edu was not working). I now updated all other packages and it is working again thanks to the openssl update.

Sorry for the noise, I had little time to test and wanted to prevent a further spreading of this issue.

Marc Deslauriers (mdeslaur) wrote:

Glad that it's working, thanks!

I'm closing this bug.

Changed in ca-certificates (Ubuntu):
status: Incomplete → Invalid
Marcin Juszkiewicz (hrw) wrote:

11:26 hrw@malenstwo:~$ LC_ALL=C wget ebank.db-pbc.pl
--2016-03-03 11:26:05-- http://ebank.db-pbc.pl/
Resolving ebank.db-pbc.pl (ebank.db-pbc.pl)... 160.83.21.131
Connecting to ebank.db-pbc.pl (ebank.db-pbc.pl)|160.83.21.131|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://ebank.db-pbc.pl/ [following]
--2016-03-03 11:26:05-- https://ebank.db-pbc.pl/
Connecting to ebank.db-pbc.pl (ebank.db-pbc.pl)|160.83.21.131|:443... connected.
ERROR: cannot verify ebank.db-pbc.pl's certificate, issued by '/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3':
  Unable to locally verify the issuer's authority.
To connect to ebank.db-pbc.pl insecurely, use `--no-check-certificate'.

11:27 hrw@malenstwo:~$ openssl s_client -connect ebank.db-pbc.pl:443
CONNECTED(00000003)
depth=0 1.3.6.1.4.1.311.60.2.1.3 = DE, 1.3.6.1.4.1.311.60.2.1.1 = Frankfurt am Main, businessCategory = Private Organization, serialNumber = HRB 30000, C = DE, postalCode = 60325, ST = Hessen, L = Frankfurt am Main, street = Taunusanlage 12, O = Deutsche Bank AG, OU = Deutsche Bank Polska S.A., CN = ebank.db-pbc.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = DE, 1.3.6.1.4.1.311.60.2.1.1 = Frankfurt am Main, businessCategory = Private Organization, serialNumber = HRB 30000, C = DE, postalCode = 60325, ST = Hessen, L = Frankfurt am Main, street = Taunusanlage 12, O = Deutsche Bank AG, OU = Deutsche Bank Polska S.A., CN = ebank.db-pbc.pl
verify error:num=27:certificate not trusted
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = DE, 1.3.6.1.4.1.311.60.2.1.1 = Frankfurt am Main, businessCategory = Private Organization, serialNumber = HRB 30000, C = DE, postalCode = 60325, ST = Hessen, L = Frankfurt am Main, street = Taunusanlage 12, O = Deutsche Bank AG, OU = Deutsche Bank Polska S.A., CN = ebank.db-pbc.pl
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=DE/1.3.6.1.4.1.311.60.2.1.1=Frankfurt am Main/businessCategory=Private Organization/serialNumber=HRB 30000/C=DE/postalCode=60325/ST=Hessen/L=Frankfurt am Main/street=Taunusanlage 12/O=Deutsche Bank AG/OU=Deutsche Bank Polska S.A./CN=ebank.db-pbc.pl
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
---
Server certificate

Marc Deslauriers (mdeslaur) wrote:

Marcin,

It looks like your bank renewed their SSL cert on Feb 9th, and they forgot to include the intermediate certificate.

This is a configuration problem on their end and has nothing to do with Ubuntu updates.

Tell them to go to the following page and type in ebank.db-pbc.pl for more information:

https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

Seth Arnold (seth-arnold) wrote:

Marcin, thanks for the report, and thanks for LANG=C, that's a serious help :)

Note that openssl s_client also requires giving a path to the CA root store to use, e.g.:
openssl s_client -connect ebank.db-pbc.pl:443 -CApath /etc/ssl/certs/

It doesn't change this issue but may be useful for the future.

Another URL for your bank's support staff:
https://www.ssllabs.com/ssltest/analyze.html?d=ebank.db-pbc.pl

Thanks

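As an added example (not from this thread, Ubuntu's packages or OpenSSL itself), the following shell script builds a constructed PKI that reproduces both situations discussed in the comments above: an intermediate whose chain can end either at a retired root (through a cross-certificate) or at its replacement, and a server that omits the intermediate altogether. All names and files are invented, the 2048-bit keys stand in for the 1024-bit root, and only the openssl command-line tool is needed.

```shell
#!/bin/sh
# Constructed demo PKI (all names invented): oldroot (retired), newroot (its replacement),
# cross = newroot's key certified by oldroot, inter issued by newroot, leaf issued by inter.
W=$(mktemp -d)
cd "$W" || exit 1
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# One key and CSR per party. 2048-bit keys stand in for the 1024-bit root the bug is about;
# the chain-building behaviour shown below does not depend on the key size.
for n in oldroot newroot inter leaf; do
  openssl genrsa -out "$n.key" 2048 2>/dev/null
  openssl req -new -key "$n.key" -subj "/CN=$n" -out "$n.csr" 2>/dev/null
done
# Self-signed roots.
for n in oldroot newroot; do
  openssl x509 -req -in "$n.csr" -signkey "$n.key" -extfile ca.ext -out "$n.pem" 2>/dev/null
done
# Cross-certificate: newroot's CSR signed by oldroot, so a chain may end at either root.
openssl x509 -req -in newroot.csr -CA oldroot.pem -CAkey oldroot.key -CAcreateserial \
  -extfile ca.ext -out cross.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA newroot.pem -CAkey newroot.key -CAcreateserial \
  -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -extfile leaf.ext -out leaf.pem 2>/dev/null
# What a server sends alongside its leaf: the intermediate plus the cross-certificate.
cat inter.pem cross.pem > chain.pem

# verify_result TRUSTED_ROOT [UNTRUSTED_CHAIN]: prints "ok" or "fail", never aborts.
verify_result() {
  if [ -n "$2" ]; then set -- -CAfile "$W/$1" -untrusted "$W/$2"
  else set -- -CAfile "$W/$1"; fi
  if openssl verify "$@" "$W/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Old root still trusted: the chain leaf -> inter -> cross -> oldroot verifies.
echo "old root trusted, chain sent:      $(verify_result oldroot.pem chain.pem)"
# Old root removed from the store (what the ca-certificates update did): an OpenSSL with
# alternative-chain support ignores the cross-cert and ends at newroot; 1.0.1f failed here.
echo "new root trusted, chain sent:      $(verify_result newroot.pem chain.pem)"
# Server omits the intermediate (the ebank case above): the client has no issuer to try.
echo "new root trusted, no intermediate: $(verify_result newroot.pem)"
```

Run it against a system OpenSSL with alternative-chain support (1.0.2 or later, or the USN-2913 1.0.1f) and the first two lines print ok while the third prints fail.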
Changed in ca-certificates (Debian):
status: New → Fix Released