2012-06-18 13:00:19 |
SeanBoran |
bug |
|
|
added bug |
2012-08-09 19:11:15 |
Nick Messick |
bug |
|
|
added subscriber Nick Messick |
2013-03-28 11:55:15 |
Kevin Pattison |
information type |
Public |
Public Security |
|
2013-03-28 11:55:32 |
Kevin Pattison |
bug |
|
|
added subscriber Kevin Pattison |
2013-03-28 11:56:47 |
Launchpad Janitor |
openssl (Ubuntu): status |
New |
Confirmed |
|
2013-05-10 11:41:28 |
Duncan Barclay |
bug |
|
|
added subscriber Duncan Barclay |
2013-07-18 11:56:39 |
Wilken Haase |
bug |
|
|
added subscriber Wilken Haase |
2013-07-18 14:07:35 |
Marc Deslauriers |
bug watch added |
|
http://rt.openssl.org/Ticket/Display.html?id=2732 |
|
2013-07-18 14:07:35 |
Marc Deslauriers |
bug task added |
|
openssl |
|
2013-07-18 14:31:13 |
Bug Watch Updater |
openssl: status |
Unknown |
Confirmed |
|
2013-07-24 06:41:49 |
SeanBoran |
description |
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well known sites it would seem to be quite an important issue? |
Summary: SSL refuses to work with some sites on both 12.04 and 13.04, for fresh and updated installations. No known workarounds, although running c_rehash may help in some scenarios.
Original post:
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well known sites it would seem to be quite an important issue? |
|
2013-08-21 06:49:53 |
SeanBoran |
description |
Summary: SSL refuses to work with some sites on both 12.04 and 13.04, for fresh and updated installations. No known workarounds, although running c_rehash may help in some scenarios.
Original post:
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well known sites it would seem to be quite an important issue? |
Summary: SSL refuses to work with some https sites on both 12.04, 13.04, 13.10, for fresh and updated installations. It is an issue with OpenSSL's handling of certificates.
Fix: none yet, OpenSSL needs to be fixed upstream. http://rt.openssl.org/Ticket/Display.html?id=2732
WORKAROUND:
1) Copy the Root CA from Symantec's website https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1556
2) Paste the contents into a file under "/usr/local/share/ca-certificates/" and Update:
$ sudo vi /usr/local/share/ca-certificates/<anyname>.crt
$ sudo update-ca-certificates
# You should see output similar to this:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
---- Original post ----
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well known sites it would seem to be quite an important issue? |
|
2013-11-14 19:36:46 |
A. Lot |
bug |
|
|
added subscriber A. Lot |
2013-12-05 13:12:14 |
Marc Deslauriers |
bug task added |
|
ca-certificates (Ubuntu) |
|
2013-12-05 13:28:33 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-proposed/ca-certificates |
|
2013-12-05 13:48:14 |
Launchpad Janitor |
ca-certificates (Ubuntu): status |
New |
Fix Released |
|
2014-02-07 13:34:20 |
Louis Bouchard |
openssl (Ubuntu): status |
Confirmed |
Invalid |
|
2014-02-15 18:26:02 |
SeanBoran |
description |
Summary: SSL refuses to work with some https sites on both 12.04, 13.04, 13.10, for fresh and updated installations. It is an issue with OpenSSL's handling of certificates.
Fix: none yet, OpenSSL needs to be fixed upstream. http://rt.openssl.org/Ticket/Display.html?id=2732
WORKAROUND:
1) Copy the Root CA from Symantec's website https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1556
2) Paste the contents into a file under "/usr/local/share/ca-certificates/" and Update:
$ sudo vi /usr/local/share/ca-certificates/<anyname>.crt
$ sudo update-ca-certificates
# You should see output similar to this:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
---- Original post ----
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well known sites it would seem to be quite an important issue? |
Summary: SSL refuses to work with some https sites on both 12.04, 13.04, 13.10, for fresh and updated installations. It is an issue with OpenSSL's handling of certificates.
FIX:
Fixed in Ubuntu 14.04 apparently.
OpenSSL upstream, see http://rt.openssl.org/Ticket/Display.html?id=2732
WORKAROUND:
1) Copy the Root CA from Symantec's website https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR1556
2) Paste the contents into a file under "/usr/local/share/ca-certificates/" and Update:
$ sudo vi /usr/local/share/ca-certificates/<anyname>.crt
$ sudo update-ca-certificates
# You should see output similar to this:
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
---- Original post ----
After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites.
On 10.04,
curl -v https://cs.directnet.com/dn/c/cls/auth?language=de
works fine, on 12.04 it says:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This happens on some very well known bank sites, another example is https://postfinance.ch.
Hence I think
Analysis:
- test on a 10.04 upgraded to 12.04 and also a 12.04 fresh server installation
- curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
- Calling ssl directly:
openssl s_client -host cs.directnet.com -port 443
says "self signed certificate in certificate chain", and the chain shown is:
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04).
Searching the existing openssl/12.04 issues I came across cipher issues, but didn't notice a bug for certs.
Since this affects well known sites it would seem to be quite an important issue? |
|
2014-03-05 13:32:47 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/lucid/ca-certificates/lucid-proposed |
|
2014-03-05 13:33:06 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-branches/ubuntu/precise/ca-certificates/precise-proposed |
|
2014-03-05 13:33:22 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/quantal-proposed/ca-certificates |
|
2014-03-05 13:33:33 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/saucy-proposed/ca-certificates |
|