VeriSign's Class 3 Public Primary Certification Authority OLD ROOT certificate is missing
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ca-certificates (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
According to the memo from VeriSign ( https:/
However, this OLD ROOT certificate ( Serial Number 70:ba:e4:
curl -Iv https:/
reports an invalid certificate in Precise, while it connects successfully in Lucid.
Perhaps all other old root certificates from VeriSign are also missing.
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.2 LTS
Release: 12.04
Codename: precise
$ curl -Iv https:/
* About to connect() to authentication.
* Trying 210.193.176.72... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:
More details here: http://
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.4 LTS
Release: 10.04
Codename: lucid
# curl -Iv https:/
* About to connect() to authentication.
* Trying 210.193.176.72... connected
* Connected to authentication.
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
* subject: 1.3.6.1.
* start date: 2012-05-20 00:00:00 GMT
* expire date: 2014-06-06 23:59:59 GMT
* subjectAltName: authentication.
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https:/
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (i486-pc-linux-gnu) libcurl/7.19.7 OpenSSL/0.9.8k zlib/1.2.3.3 libidn/1.15
> Host: authentication.
> Accept: */*
>
< HTTP/1.1 302 Redirect
HTTP/1.1 302 Redirect
< Content-Length: 154
Content-Length: 154
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Location: http://
Location: http://
< Server: Microsoft-IIS/7.5
Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
X-Powered-By: ASP.NET
< Date: Wed, 08 May 2013 01:36:30 GMT
Date: Wed, 08 May 2013 01:36:30 GMT
<
* Connection #0 to host authentication.
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
VeriSign's OLD ROOT Certificate can be obtained on this page:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1556&actp=search&viewlocale=en_US&searchid=1368166057387
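
One way to confirm this diagnosis on any release, as an added example that is not part of the original bug report: given the root certificate saved as a PEM file, it checks whether that exact certificate is present in an OpenSSL hashed CApath such as the /etc/ssl/certs directory curl reports. The function names and the file arguments are assumptions; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the bug report): is this root in the hashed CApath?
# OpenSSL finds trust anchors in a CApath directory by file name
# <subject_hash>.0, <subject_hash>.1, ... so a missing root shows up as a
# missing (or non-matching) file under that name.

# Print the SHA-256 fingerprint of a PEM certificate (empty if unparsable).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# root_in_capath CERT.pem CAPATH_DIR
# Returns 0 if the exact certificate is present, 1 if absent,
# 2 if CERT.pem cannot be parsed as a certificate.
root_in_capath() {
    ric_cert=$1
    ric_dir=$2
    # subject_hash uses the algorithm of the installed OpenSSL, which is the
    # one its own CApath lookups use.
    ric_hash=$(openssl x509 -in "$ric_cert" -noout -subject_hash 2>/dev/null) || return 2
    [ -n "$ric_hash" ] || return 2
    ric_want=$(cert_fp "$ric_cert")
    for ric_f in "$ric_dir/$ric_hash".*; do
        # An unmatched glob stays literal; skip it.
        [ -e "$ric_f" ] || continue
        # Two roots with the same subject share a hash name, so compare
        # fingerprints rather than trusting the file name alone.
        if [ "$(cert_fp "$ric_f")" = "$ric_want" ]; then
            return 0
        fi
    done
    return 1
}

# Stand-alone use: sh check_root.sh oldroot.pem /etc/ssl/certs
if [ "$#" -eq 2 ]; then
    root_in_capath "$1" "$2"
    case $? in
        0) echo "present in $2" ;;
        1) echo "NOT present in $2" ;;
        *) echo "cannot parse $1 as a PEM certificate" >&2 ;;
    esac
fi
```

Running it on both releases with the same PEM file shows whether the difference in curl's result comes from the trust store rather than from the server.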