[Bug 854163] New: Verisign_Class_3_Public_Primary_Certification_Authority.1.pem missing from ca-certificates-mozilla
https://bugzilla.novell.com/show_bug.cgi?id=854163
https://bugzilla.novell.com/show_bug.cgi?id=854163#c0

Summary: Verisign_Class_3_Public_Primary_Certification_Authority.1.pem missing from ca-certificates-mozilla
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86
OS/Version: openSUSE 13.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: oscar@naiandei.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0

After upgrading to openSUSE 13.1, when curl tries to fetch an SSL website (https://www.caixaguissona.com, for example), it fails because Verisign_Class_3_Public_Primary_Certification_Authority.1.pem is missing from the package "ca-certificates-mozilla".

In openSUSE 12.3 the package "ca-certificates-mozilla" had these two files:

/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.1.pem
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.pem

Whereas in openSUSE 13.1 I only see one of them:

/usr/share/pki/trust/Verisign_Class_3_Public_Primary_Certification_Authority.pem

Reproducible: Always

Steps to Reproduce:
1. curl -v --head https://www.caixaguissona.com
2. curl RC=60: SSL certificate problem: unable to get local issuer certificate

Actual Results:

oscar@hedera:~> curl -v --head https://www.caixaguissona.com
* Rebuilt URL to: https://www.caixaguissona.com/
* Adding handle: conn: 0x8085ee8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x8085ee8) send_pipe: 1, recv_pipe: 0
* About to connect() to www.caixaguissona.com port 443 (#0)
* Trying 195.77.119.3...
* Connected to www.caixaguissona.com (195.77.119.3) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Expected Results:

ocurero@corp1:~> curl -v --head https://www.caixaguissona.com
* About to connect() to www.caixaguissona.com port 443 (#0)
* Trying 195.77.119.3...
* connected
* Connected to www.caixaguissona.com (195.77.119.3) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=ES; businessCategory=Private Organization; serialNumber=F25014754; C=ES; ST=Lleida; L=GUISSONA; O=CAJA RURAL DE GUISSONA SOCIEDAD COOPERATIVA DE CREDITO; OU=INFORMATICA; OU=Terms of use at www.verisign.com/rpa (c)05; CN=www.caixaguissona.com
* start date: 2013-12-04 00:00:00 GMT
* expire date: 2016-02-02 23:59:59 GMT
* subjectAltName: www.caixaguissona.com matched
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)06; CN=VeriSign Class 3 Extended Validation SSL SGC CA
* SSL certificate verify ok.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=854163#c1
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=854163#c2
--- Comment #2 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=854163#c3
--- Comment #3 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=854163#c4
--- Comment #4 from Oscar Curero
Hmm, this seems incorrect, apparently I am reading something wrong.
(Firefox is happy, which is a sign something is incorrect somewhere else.)
Will continue debugging this later.
Marcus, I forgot to add two things:

1.- Not all sites have this problem. For example, the one you wrote (https://www.amazon.de) works fine in both versions.

2.- Copying the missing file from another machine still on 12.3 and renaming it as /etc/ssl/certs/415660c1.1 solves the problem for me:

oscar@hedera:~> ls -l /etc/ssl/certs/415660c1*
lrwxrwxrwx 1 root root 59 dic 6 12:29 /etc/ssl/certs/415660c1.0 -> Verisign_Class_3_Public_Primary_Certification_Authority.pem
-rw-r--r-- 1 root root 1003 dic 6 16:09 /etc/ssl/certs/415660c1.1

oscar@hedera:~> curl -v --head https://www.caixaguissona.com
* Rebuilt URL to: https://www.caixaguissona.com/
* Adding handle: conn: 0x8085ee8
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x8085ee8) send_pipe: 1, recv_pipe: 0
* About to connect() to www.caixaguissona.com port 443 (#0)
* Trying 195.77.119.3...
* Connected to www.caixaguissona.com (195.77.119.3) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: 1.3.6.1.4.1.311.60.2.1.3=ES; businessCategory=Private Organization; serialNumber=F25014754; C=ES; ST=Lleida; L=GUISSONA; O=CAJA RURAL DE GUISSONA SOCIEDAD COOPERATIVA DE CREDITO; OU=INFORMATICA; OU=Terms of use at www.verisign.com/rpa (c)05; CN=www.caixaguissona.com
* start date: 2013-12-04 00:00:00 GMT
* expire date: 2016-02-02 23:59:59 GMT
* subjectAltName: www.caixaguissona.com matched
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)06; CN=VeriSign Class 3 Extended Validation SSL SGC CA
* SSL certificate verify ok.

Thanks,
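The by-hand comparison of the 12.3 and 13.1 trust stores described above can be automated; the following is an added example, not part of the original thread or of any openSUSE tooling. OpenSSL's CApath lookup reads `<hash>.0`, `<hash>.1`, ... and stops at the first missing index, so the script reports certificates that were reachable under a subject hash in the old directory but are not in the new one. The function names and the `cert-A`/`cert-B` payloads are constructed placeholders, not real certificates.

```python
import hashlib, os, re, tempfile
from base64 import b64decode, b64encode

SLOT = re.compile(r"^([0-9a-f]{8})\.(\d+)$")  # <subject-hash>.<index>, e.g. 415660c1.1
PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def slots(capath):
    # Map subject hash -> {index: SHA-256 of the DER} for each slot that resolves to a certificate.
    out = {}
    for name in os.listdir(capath):
        m, path = SLOT.match(name), os.path.join(capath, name)
        if not m or not os.path.isfile(path):  # isfile() is False for dangling symlinks
            continue
        with open(path, "rb") as fh:
            body = PEM.search(fh.read())
        if body:
            der = b64decode(b"".join(body.group(1).split()))
            out.setdefault(m.group(1), {})[int(m.group(2))] = hashlib.sha256(der).hexdigest()
    return out

def reachable(indexed):
    # OpenSSL reads <hash>.0, <hash>.1, ... and stops at the first missing index.
    i = 0
    while i in indexed:
        i += 1
    return {indexed[k] for k in range(i)}

def lost_in_upgrade(old_capath, new_capath):
    # Per subject hash: certificates reachable in the old store but not in the new one.
    old, new = slots(old_capath), slots(new_capath)
    lost = {h: sorted(reachable(idx) - reachable(new.get(h, {}))) for h, idx in old.items()}
    return {h: fps for h, fps in lost.items() if fps}

def demo():
    # Constructed stores mirroring the thread: the old one has 415660c1.0 and .1, the new one only .0.
    def pem(payload):
        return b"-----BEGIN CERTIFICATE-----\n" + b64encode(payload) + b"\n-----END CERTIFICATE-----\n"
    stores = {"old": {"415660c1.0": b"cert-A", "415660c1.1": b"cert-B"},
              "new": {"415660c1.0": b"cert-A"}}
    with tempfile.TemporaryDirectory() as root:
        for store, files in stores.items():
            os.mkdir(os.path.join(root, store))
            for name, payload in files.items():
                with open(os.path.join(root, store, name), "wb") as fh:
                    fh.write(pem(payload))
        return lost_in_upgrade(os.path.join(root, "old"), os.path.join(root, "new"))

if __name__ == "__main__":
    print(demo())
```

Certificates are compared by fingerprint rather than by slot name, since the numeric suffix only distinguishes certificates that share a subject hash.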
https://bugzilla.novell.com/show_bug.cgi?id=854163#c5
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=854163#c6
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=854163#c7
--- Comment #7 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=854163#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=854163#c8
--- Comment #8 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=854163#c9
--- Comment #9 from Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=854163#c10
--- Comment #10 from Oscar Curero
https://bugzilla.novell.com/show_bug.cgi?id=854163#c11
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=854163#c12
--- Comment #12 from Swamp Workflow Management
http://bugzilla.novell.com/show_bug.cgi?id=854163
Swamp Workflow Management