FS#26135 - [ca-certificates] missing Verisign Class 3 root cert

Attached to Project: Arch Linux
Opened by Dave Reisner (falconindy) - Wednesday, 28 September 2011, 14:32 GMT
Last edited by Pierre Schmitz (Pierre) - Saturday, 02 November 2013, 22:53 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Pierre Schmitz (Pierre)
Dave Reisner (falconindy)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Our ca-certificates package is missing the Verisign Class 3 root cert, which is still in use according to verisign[1]. I'm unsure if others are missing, but I wouldn't rule it out.

To reproduce:
$ wget https://signin.ebay.com
--2011-09-28 10:31:09-- https://signin.ebay.com/
Resolving signin.ebay.com... 66.135.202.140, 66.135.205.10, 66.211.181.96
Connecting to signin.ebay.com|66.135.202.140|:443... connected.
ERROR: cannot verify signin.ebay.com's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA':
Unable to locally verify the issuer's authority.
To connect to signin.ebay.com insecurely, use `--no-check-certificate'.

[1] http://www.verisign.com/support/roots.html
This task depends upon

Closed by  Pierre Schmitz (Pierre)
Saturday, 02 November 2013, 22:53 GMT
Reason for closing:  Upstream
Comment by Mantas Mikulėnas (grawity) - Wednesday, 28 September 2011, 14:51 GMT
The certificate is present as "/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt". The problem is specific to OpenSSL -- GnuTLS works fine. (FWIW, wget on Debian uses GnuTLS.)

$ cd /usr/share/ca-certificates/mozilla

$ gnutls-cli signin.ebay.com --x509cafile Verisign_Class_3_Public_Primary_Certification_Authority.crt
<...>
- The hostname in the certificate matches 'signin.ebay.com'.
- Peer's certificate is trusted

$ openssl s_client -connect signin.ebay.com:443 -CAfile Verisign_Class_3_Public_Primary_Certification_Authority.crt
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
<...>

Comment by Dave Reisner (falconindy) - Wednesday, 28 September 2011, 15:04 GMT
Sure, I should have been more specific. It's the cert bundle /etc/ssl/ca-certificates.crt which is incomplete.
Comment by Greg (dolby) - Monday, 15 October 2012, 08:20 GMT
Status with ca-certificates 20120623 ?
Comment by Dave Reisner (falconindy) - Saturday, 20 October 2012, 19:55 GMT
Still missing.
Comment by Austen Frazier (acfrazier) - Monday, 06 May 2013, 18:05 GMT
This is still an issue. I was confused when I got a message stating Twitter's CA was untrusted, and Google lead me to this bug. See attached screenshot.
   what the fuck.png (69.1 KiB)
Comment by Pierre Schmitz (Pierre) - Wednesday, 08 May 2013, 15:58 GMT
This probably wont get fixed upstream then.

Loading...