FS#21719 - [ca-certificates] CAcert Class 3 Root certificate doesn't work correctly.

Attached to Project: Arch Linux
Opened by Jan Alexander Steffens (heftig) - Wednesday, 17 November 2010, 05:07 GMT
Last edited by Pierre Schmitz (Pierre) - Saturday, 23 July 2011, 18:44 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

It seems both CAcert (class 1 and class 3) root certificates are in the file cacert.org.crt. However, it seems OpenSSL can only find the class 1 certificate.

After splitting the class 3 certificate into its own file and updating the ca-certificates, it works correctly.

Closed by  Pierre Schmitz (Pierre)
Saturday, 23 July 2011, 18:44 GMT
Reason for closing:  Upstream
Comment by Pierre Schmitz (Pierre) - Wednesday, 17 November 2010, 06:29 GMT
This is working fine here for the clients I tested. How did you check this?
Comment by Jan Alexander Steffens (heftig) - Wednesday, 17 November 2010, 07:06 GMT
openssl verify my_cacert_class3_cert.crt

Failed with "20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate" prior to my change.

Also, Firefox refused to connect to https://cats.cacert.org
Comment by Attila (attila) - Wednesday, 17 November 2010, 16:40 GMT
This is a little bit strange because the Makefile for cacert.org is the only one which does a "cat root.crt class3.crt > cacert.org.crt" instead of "install -m 644" for every file. Just for the stats, openSUSE ships class 1 and class 3 in different files too.

Okay, I take a copy from testing and replace the Makefile to have two separate files, but Firefox does the same with https://cats.cacert.org as before. Are there better tests to check this?
Comment by Pierre Schmitz (Pierre) - Wednesday, 17 November 2010, 17:41 GMT
More information about this issue can be found in the upstream bug reports http://bugs.debian.org/cgi-bin/bugreport.cgi?bug= and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594524
Comment by Attila (attila) - Wednesday, 17 November 2010, 18:14 GMT
Sounds crazy that c_rehash has to be changed, because if the authors of ca-certificates stop copying two crt's into one crt in only one of the Makefiles, then this would be a faster solution for the same problem. Could we do this instead of waiting for a change in c_rehash?

@Pierre Thanks for the infos.
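
The check and the workaround discussed in this thread, as an added example that is not part of any comment or of the ca-certificates package: it lists files in a certificate directory that hold more than one PEM certificate and splits each into one file per certificate, as the reporter did by hand. The function names and the sample files are constructed for illustration; the sample bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: find and split multi-certificate PEM files.

# count_certs FILE -> prints the number of PEM certificate blocks in FILE
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# list_bundles DIR -> prints every *.crt / *.pem file holding more than one certificate
list_bundles() {
    for f in "$1"/*.crt "$1"/*.pem; do
        [ -f "$f" ] || continue
        if [ "$(count_certs "$f")" -gt 1 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# split_bundle FILE OUTDIR -> writes OUTDIR/<name>-N.crt, one certificate per file
split_bundle() {
    base=$(basename "$1")
    base=${base%.*}
    awk -v prefix="$2/$base" '
        /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".crt"; inside = 1 }
        inside { print > out }
        /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# make_sample DIR -> constructed placeholder files (bodies are NOT real certificates)
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQx' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQy' '-----END CERTIFICATE-----' \
                  > "$1/cacert.org.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQz' '-----END CERTIFICATE-----' \
                  > "$1/single.crt"
}

# Demo: build the sample directory, report bundles, split them, show the result.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
mkdir "$demo_dir/split"
list_bundles "$demo_dir" | while IFS= read -r bundle; do
    echo "bundle with $(count_certs "$bundle") certificates: $bundle"
    split_bundle "$bundle" "$demo_dir/split"
done
ls "$demo_dir/split"
rm -rf "$demo_dir"
```

After splitting real files, the directory's hash links have to be regenerated (c_rehash, as mentioned above) before a directory lookup will see the new files.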
