FS#42921 - [ca-certificates-mozilla] problems with Amazon S3

Attached to Project: Arch Linux
Opened by Mantas Mikulėnas (grawity) - Thursday, 27 November 2014, 08:51 GMT
Last edited by Doug Newgard (Scimmia) - Friday, 28 November 2014, 21:00 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

"s3.amazonaws.com" has a 4-certificate chain:

0: s3.amazonaws.com (Amazon.com Inc.)
1: ╚═VeriSign Class 3 Secure Server CA - G3
2: ╚═VeriSign Class 3 Public Primary Certification Authority - G5
3: └─VeriSign Class 3 Public Primary Certification Authority

In the Mozilla CA list, both #2 and #3 are trusted, but the latter only for email. NSS supports this and stops at #2. Meanwhile, OpenSSL is hopeless and always validates _only_ the last certificate – and since #3 is now filtered out from ca-certificates.crt, the connection fails, even though #2 is still in that file.

$ curl https://s3.amazonaws.com --cacert /etc/ca-certificates/extracted/openssl/ca-bundle.trust.crt
curl: (60) SSL certificate problem: certificate not trusted

Workaround: Ship the old Verisign_Class_3_Public_Primary_Certification_Authority.pem as a simple PEM file in "anchors".

(Also at https://gist.github.com/grawity/15eabf67191e17080241)
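The two validation strategies the report contrasts, as an added example that is not part of the bug report or of either package. It builds a constructed four-certificate chain with the `cryptography` library (the names, keys and the `verify_*` functions are assumptions, not the real VeriSign certificates) and shows that stopping at the first trusted element accepts the chain, while looking up only the last certificate rejects it unless the old root is shipped as well.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(name, issuer, issuer_key, ca, key=None):
    """Issue a CA or leaf certificate for `name`; self-signed when `issuer` is None."""
    key = key or ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject if issuer is None else issuer.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(datetime.datetime(2014, 11, 27)).not_valid_after(datetime.datetime(2030, 1, 1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

# Constructed stand-in for the report's chain: #3 legacy self-signed root, #2 G5 cross-signed
# by it (same key as the self-signed G5 that the Mozilla store trusts), #1 G3, #0 leaf.
legacy_root, legacy_key = make_cert("Legacy Class 3 Root", None, None, True)
g5_selfsigned, g5_key = make_cert("Class 3 G5", None, None, True)
g5_cross, _ = make_cert("Class 3 G5", legacy_root, legacy_key, True, key=g5_key)
g3, g3_key = make_cert("Class 3 G3", g5_cross, g5_key, True)
leaf, _ = make_cert("s3.example.test", g3, g3_key, False)
SERVER_CHAIN = [leaf, g3, g5_cross, legacy_root]   # in the order the server sends it
TRUST_STORE = [g5_selfsigned]                      # ca-certificates.crt with #3 filtered out

def is_anchor(cert, store):
    """Trusted if an anchor carries the same subject name and the same public key."""
    return any(a.subject == cert.subject and a.public_key().public_numbers()
               == cert.public_key().public_numbers() for a in store)

def signed_by(cert, issuer):
    # True when the issuer's key verifies the certificate signature (ECDSA, as built above).
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False

def verify_nss_style(chain, store):
    """Walk up from the leaf; accept at the first element that is itself a trust anchor."""
    for cert, issuer in zip(chain, chain[1:] + [None]):
        if is_anchor(cert, store):
            return True
        if issuer is None or not signed_by(cert, issuer):
            return False

def verify_last_only(chain, store):
    """Simplified model of the OpenSSL behaviour the report describes: only the last cert is looked up."""
    return all(signed_by(c, i) for c, i in zip(chain, chain[1:])) and is_anchor(chain[-1], store)
```

Adding `legacy_root` to `TRUST_STORE` is the report's workaround, and it is the only way the last-only check passes.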

Closed by Doug Newgard (Scimmia)
Friday, 28 November 2014, 21:00 GMT
Reason for closing: Fixed
Additional comments about closing: 3.17.2-3
Comment by Mantas Mikulėnas (grawity) - Thursday, 27 November 2014, 09:04 GMT

Comment by Doug Newgard (Scimmia) - Friday, 28 November 2014, 20:02 GMT
You didn't mention what package version. Is this fixed in 3.17.2-3?
Comment by Mantas Mikulėnas (grawity) - Friday, 28 November 2014, 20:16 GMT