** Description changed: + Summary: SSL refuses to work with some sites on both 12.04 and 13.04, + for fresh and updated installations. No known workarounds, although + running c_rehash may help in some scenarios. + + Original post: After upgrading a 10.04 server to 12.04, SSL refuses to work with some sites. On 10.04, curl -v https://cs.directnet.com/dn/c/cls/auth?language=de works fine, on 12.04 it says: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed This happens on some very well know bank sites , another example is https://postfinance.ch. Hence I think Analysis: - test on an 10.04 upgraded to 12.04 and also a 12.04 fresh server installation - curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3 - Calling ssl directly: openssl s_client -host cs.directnet.com -port 443 - says "self signed certificate in certificate chain", and the chain shown is: + says "self signed certificate in certificate chain", and the chain shown is: Certificate chain - 0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com - i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA - 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA - i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 - 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 - i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority + 0 s:/1.3.6.1.4.1.311.60.2.1.3=CH/businessCategory=Private Organization/serialNumber=CH-020.3.906.075-9/C=CH/postalCode=8001/ST=Zuerich/L=Zuerich/street=Paradeplatz 8/O=Credit Suisse Group AG/CN=cs.directnet.com + i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA + 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA + i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 + 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 + i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority + 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority + i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority Now there are lots of certificates in /usr/share/ca-certificates/mozilla (148 of them, there were 123 in Lucid 10.04). Search the existing openssl/12.04 issues I came across ciper issues, but didnt' notice a bus for certs. Since this affects well know sites it would seems to be quite an important issue?
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1014640 Title: 12.04/openssl refusing some verisign certified sites To manage notifications about this bug go to: https://bugs.launchpad.net/openssl/+bug/1014640/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
