After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well-known bank sites; another example is https://postfinance.ch.
Hence I think
Analysis:
- tested on a 10.04 upgraded to 12.04 and also on a fresh 12.04 server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well-known sites it would seem to be quite an important issue?
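An added example, not part of the original report: a small Python parser for the "Certificate chain" block printed by openssl s_client, which flags self-issued entries and breaks in the issuer-to-next-subject linkage. The function names are hypothetical and the comparison is by name string only (no signatures are checked); the sample names are copied from the chain quoted in the report.

```python
import re

# Subject/issuer names copied from the chain quoted in the report above.
LEAF = "/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com"
EV_CA = "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA"
G5 = "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5"
PCA3 = "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority"
SAMPLE = ("Certificate chain\n"
          f" 0 s:{LEAF}\n   i:{EV_CA}\n"
          f" 1 s:{EV_CA}\n   i:{G5}\n"
          f" 2 s:{G5}\n   i:{PCA3}\n"
          f" 3 s:{PCA3}\n   i:{PCA3}\n")

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER = re.compile(r"^\s*i:(.*)$")

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from s_client chain output."""
    chain, current = [], None
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            current = [int(m.group(1)), m.group(2).strip(), None]
            chain.append(current)
            continue
        m = ISSUER.match(line)
        if m and current is not None and current[2] is None:
            current[2] = m.group(1).strip()
    return [tuple(entry) for entry in chain]

def analyse(chain):
    """Name-based checks only: self-issued entries and linkage breaks."""
    findings = []
    for idx, (depth, subject, issuer) in enumerate(chain):
        if subject == issuer:
            findings.append((depth, "self-signed (subject == issuer)"))
        elif idx + 1 < len(chain) and chain[idx + 1][1] != issuer:
            findings.append((depth, "issuer is not the next certificate's subject"))
    return findings

def chain_ends_at(chain):
    """Issuer of the last certificate sent: the name a verifier walking
    the chain exactly as sent would need in its local trust store."""
    return chain[-1][2] if chain else None

if __name__ == "__main__":
    parsed = parse_chain(SAMPLE)
    for depth, note in analyse(parsed):
        print(f"depth {depth}: {note}")
    print("chain as sent ends at:", chain_ends_at(parsed))
```

On the chain from the report this flags only depth 3 as self-signed, with the G5 certificate at depth 2 presented as issued by that depth-3 name.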