Ubuntu
ca-certificates package

VeriSign's Class 3 Public Primary Certification Authority OLD ROOT certificate is missed

Bug #1177634 reported by Maxime
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ca-certificates (Ubuntu)
New
Undecided
Unassigned

Bug Description

According to the memo from VeriSign ( https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AD146&actp=LIST ) the certificates signed with Class 3 Public Primary Certification Authority OLD ROOT should be accepted until they are renewed or replaced.

However, this OLD ROOT certificate ( Serial Number 70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf ) is missed in Precise (but it's present in Lucid) so the command

curl -Iv https://authentication.business.gov.au/

reports invalid certificate in Precise while successfully do connection in Lucid.

Perhaps all other old root certificates from VeriSign also are missed.

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.2 LTS
Release: 12.04
Codename: precise
$ curl -Iv https://authentication.business.gov.au/
* About to connect() to authentication.business.gov.au port 443 (#0)
* Trying 210.193.176.72... connected
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.4 LTS
Release: 10.04
Codename: lucid
# curl -Iv https://authentication.business.gov.au/
* About to connect() to authentication.business.gov.au port 443 (#0)
* Trying 210.193.176.72... connected
* Connected to authentication.business.gov.au (210.193.176.72) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=AU; 2.5.4.15=Government Entity; serialNumber=74 599 608 295; C=AU; postalCode=2601; ST=Australian Capital Territory; L=Canberra; streetAddress=10 Binara Street; O=Department of Innovation Industry Science and Research; OU=VANguard
* start date: 2012-05-20 00:00:00 GMT
* expire date: 2014-06-06 23:59:59 GMT
* subjectAltName: authentication.business.gov.au matched
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)06; CN=VeriSign Class 3 Extended Validation SSL SGC CA
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: authentication.business.gov.au
> Accept: */*
>
< HTTP/1.1 302 Redirect
HTTP/1.1 302 Redirect
< Content-Length: 154
Content-Length: 154
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Location: http://vanguard.business.gov.au
Location: http://vanguard.business.gov.au
< Server: Microsoft-IIS/7.5
Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
< Date: Wed, 08 May 2013 01:36:30 GMT
Date: Wed, 08 May 2013 01:36:30 GMT

<
* Connection #0 to host authentication.business.gov.au left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

Revision history for this message
Maxime (dp-maxime) wrote :

VeriSign's OLD ROOT Certificate can be obtained on this page:

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1556&actp=search&viewlocale=en_US&searchid=1368166057387

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.