https://bugzilla.novell.com/show_bug.cgi?id=854163

https://bugzilla.novell.com/show_bug.cgi?id=854163#c0

Summary: Verisign_Class_3_Public_Primary_Certification_Authority.1.pem missing from ca-certificates-mozilla
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86
OS/Version: openSUSE 13.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: oscar@naiandei.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0

After upgrading to openSUSE 13.1, when curl tries to fetch an SSL website (https://www.caixaguissona.com, for example), it fails because Verisign_Class_3_Public_Primary_Certification_Authority.1.pem is missing from the package "ca-certificates-mozilla".

In openSUSE 12.3 the package "ca-certificates-mozilla" had these two files:

/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.1.pem
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.pem

Whereas in openSUSE 13.1 I only see one of them:

/usr/share/pki/trust/Verisign_Class_3_Public_Primary_Certification_Authority.pem

Reproducible: Always

Steps to Reproduce:
1. curl -v --head https://www.caixaguissona.com
2. curl RC=60: SSL certificate problem: unable to get local issuer certificate

Actual Results:
oscar@hedera:~> curl -v --head https://www.caixaguissona.com
* Rebuilt URL to: https://www.caixaguissona.com/
* Adding handle: conn: 0x8085ee8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x8085ee8) send_pipe: 1, recv_pipe: 0
* About to connect() to www.caixaguissona.com port 443 (#0)
* Trying 195.77.119.3...
* Connected to www.caixaguissona.com (195.77.119.3) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Expected Results:
ocurero@corp1:~> curl -v --head https://www.caixaguissona.com
* About to connect() to www.caixaguissona.com port 443 (#0)
* Trying 195.77.119.3...
* connected
* Connected to www.caixaguissona.com (195.77.119.3) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=ES; businessCategory=Private Organization; serialNumber=F25014754; C=ES; ST=Lleida; L=GUISSONA; O=CAJA RURAL DE GUISSONA SOCIEDAD COOPERATIVA DE CREDITO; OU=INFORMATICA; OU=Terms of use at www.verisign.com/rpa (c)05; CN=www.caixaguissona.com
* start date: 2013-12-04 00:00:00 GMT
* expire date: 2016-02-02 23:59:59 GMT
* subjectAltName: www.caixaguissona.com matched
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)06; CN=VeriSign Class 3 Extended Validation SSL SGC CA
* SSL certificate verify ok.
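
Added example, not part of the original report: a way to check which trust anchors went missing between two CA directories by comparing certificate fingerprints instead of file names, since the report's files moved from /usr/share/ca-certificates/mozilla to /usr/share/pki/trust. The function names are hypothetical, the sample "certificates" are constructed placeholder bytes, and the handling of TRUSTED CERTIFICATE blocks is an assumption that goes beyond what the report shows.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.+?)-----END", re.S)

def first_der_element(der):
    """First DER TLV only: drops trust data appended in TRUSTED CERTIFICATE blocks."""
    n = der[1] & 0x7F if der[1] & 0x80 else 0  # number of long-form length bytes
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return der[:2 + n + length]

def fingerprints(store):
    """Map SHA-256 of each certificate's DER bytes to the file that holds it."""
    found = {}
    for path in sorted(Path(store).rglob("*.pem")):
        for body in PEM_RE.findall(path.read_text(errors="replace")):
            raw = base64.b64decode("".join(body.split()))
            if len(raw) < 2:  # not a DER structure, skip
                continue
            der = first_der_element(raw)
            found.setdefault(hashlib.sha256(der).hexdigest(), path.name)
    return found

def dropped_anchors(old_store, new_store):
    """Names (in the old store) of certificates that the new store lacks."""
    old, new = fingerprints(old_store), fingerprints(new_store)
    return sorted(name for fp, name in old.items() if fp not in new)

def pem(der, label="CERTIFICATE"):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

def demo():
    # Constructed placeholder DER blobs, NOT real certificates.
    cert_a, cert_b = b"\x30\x03AAA", b"\x30\x03BBB"
    name = "Verisign_Class_3_Public_Primary_Certification_Authority"
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp, "usr/share/ca-certificates/mozilla")
        new = Path(tmp, "usr/share/pki/trust")
        for d in (old, new):
            d.mkdir(parents=True)
        (old / f"{name}.pem").write_text(pem(cert_a))
        (old / f"{name}.1.pem").write_text(pem(cert_b))
        # New store (constructed): certificate A again, with trailing trust data.
        (new / f"{name}.pem").write_text(pem(cert_a + b"\x30\x00", "TRUSTED CERTIFICATE"))
        return dropped_anchors(old, new)

if __name__ == "__main__":
    print(demo())
```

On a real system, pass `dropped_anchors` the old and new trust directories (for example, unpacked from the two package versions) to list the anchors that did not carry over.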