[Bug 895350] New: openssl and gnutls cannot cope with the Mozilla NSS derived ca-certificates-mozilla 2.1 bundle
https://bugzilla.novell.com/show_bug.cgi?id=895350
https://bugzilla.novell.com/show_bug.cgi?id=895350#c0

Summary: openssl and gnutls cannot cope with the Mozilla NSS derived ca-certificates-mozilla 2.1 bundle
Classification: openSUSE
Product: openSUSE Factory
Version: 201409*
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: meissner@suse.com
ReportedBy: meissner@suse.com
QAContact: qa-bugs@suse.de
CC: lnussel@suse.com, vcizek@suse.com
Found By: ---
Blocker: ---

When updating the ca-certificates-mozilla to 2.1, several major sites break.

It sends a chain of certificates:

Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=www.amazon.de
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

The "VeriSign Class 3 Public Primary Certification Authority - G5" that the server sends is different from the one in the ca-certificates store, as it is signed by "Class 3 Public Primary Certification Authority" instead of itself.

Mozilla NSS does the right thing and finds the "G5" a good Root CA, but openssl and gnutls FAIL, as they do not see the on-disk "G5" certificate, but instead use the one from the chain and look for the dropped "Class 3 Public Primary Certification Authority".

Somehow gnutls and openssl need to use the one from disk instead :/

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
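Added illustration, not code from the bug report or from either library: a reduced model of X.509 path building that reproduces the failure described in the report, comparing a "server chain first" issuer lookup with a "trust store first" lookup on the quoted VeriSign chain. Subjects are shortened to their CN, and the key ids ("k-g5" and so on) are constructed stand-ins for key identifiers; no signatures are checked, only the issuer linkage that drives path construction.

```python
# Added illustration, not part of the bug report: a simplified model of X.509
# path building that reproduces the failure described above. Certificates are
# modelled as name/key tuples; signatures are not checked, only the issuer
# linkage that drives path construction. Key ids ("k-g5" etc.) are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str      # stands in for the subject key identifier
    issuer_key: str  # stands in for the authority key identifier

# Subjects taken from the chain quoted in the bug; distinguished names shortened to the CN.
LEAF = Cert("www.amazon.de", "VeriSign Class 3 Secure Server CA - G3", "k-leaf", "k-g3")
G3 = Cert("VeriSign Class 3 Secure Server CA - G3",
          "VeriSign Class 3 Public Primary Certification Authority - G5", "k-g3", "k-g5")
# The G5 copy the server sends is cross-signed by the older Class 3 PPCA...
G5_CROSS = Cert("VeriSign Class 3 Public Primary Certification Authority - G5",
                "Class 3 Public Primary Certification Authority", "k-g5", "k-class3")
# ...while the store holds a self-signed G5 with the same subject and key,
# and the old Class 3 PPCA is no longer in the 2.1 bundle.
G5_SELF = Cert("VeriSign Class 3 Public Primary Certification Authority - G5",
               "VeriSign Class 3 Public Primary Certification Authority - G5", "k-g5", "k-g5")

SERVER_CHAIN = [LEAF, G3, G5_CROSS]
TRUST_STORE = [G5_SELF]

def find_issuer(cert, pool):
    """First cert in pool whose subject and key match cert's issuer linkage."""
    return next((c for c in pool
                 if c.subject == cert.issuer and c.key_id == cert.issuer_key), None)

def build_path(chain, store, trusted_first):
    """Walk from the leaf towards a trust anchor; return the subjects on the
    path, or None if an issuer cannot be found. trusted_first=False consults
    the server chain before the store (the failing openssl/gnutls behaviour);
    trusted_first=True consults the store first, so the self-signed G5 wins."""
    path = [chain[0]]
    while path[-1] not in store and len(path) <= 10:   # bound the walk
        pools = (store, chain) if trusted_first else (chain, store)
        nxt = next((c for c in (find_issuer(path[-1], p) for p in pools) if c), None)
        if nxt is None:
            return None              # "unable to get issuer certificate"
        path.append(nxt)
    return [c.subject for c in path] if path[-1] in store else None
```

Real builders match issuers on the authority/subject key identifiers and verify each signature; the model only keeps the lookup order, which is the part that matters here. In OpenSSL this "store first" behaviour is the X509_V_FLAG_TRUSTED_FIRST verify flag (`openssl verify -trusted_first`) introduced in 1.0.2 and enabled by default from 1.1.0.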
https://bugzilla.novell.com/show_bug.cgi?id=895350
https://bugzilla.novell.com/show_bug.cgi?id=895350#c1

--- Comment #1 from Neil Rickert <nrickert@ameritech.net> 2014-09-05 17:33:21 UTC ---

Thanks for starting this bug report, and for your investigation. I had wondered whether this might be due to an openssl limitation.