On 09/25/2014 04:14 AM, Emerick 'mz' Mounoury wrote:
> On 09/24/2014 09:25 PM, Michael Shuler wrote:
>> Do you have a test SSL site URL on your system to see the full trust
>> chain?  There are 4 AddTrust root CAs in ca-certificates, so I'd like
>> to see the trust path to better understand your problem. Thanks!
>
> First, thank you for your prompt answer!
>
> Yes, sure, you can test our service using this test URL:
> https://simplehosting.mz23.in
>
> I check the SSL connection using openssl as follows, as we are using SNI:
>
> openssl s_client -connect simplehosting.mz23.in:443 -showcerts -CApath /etc/ssl/certs -servername simplehosting.mz23.in

This appears to validate fine for me on the current version of ca-certificates. Quick check attached.

--
Kind regards,
Michael

mshuler@hana:~$ dpkg -l ca-certificates | grep ^ii
ii  ca-certificates 20140325     all          Common CA certificates
mshuler@hana:~$ openssl s_client -connect simplehosting.mz23.in:443 -CApath /etc/ssl/certs -servername simplehosting.mz23.in
CONNECTED(00000003)
depth=4 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN - DATACorp SGC
verify return:1
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = simplehosting.mz23.in
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=simplehosting.mz23.in
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=simplehosting.mz23.in
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
---
No client certificate CA names sent
---
SSL handshake has read 5873 bytes and written 461 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FFC7B01C8CCF32182D837AC873F0524F05F5F2FC18F767046018418B9566EB97
    Session-ID-ctx: 
    Master-Key: 2C902BCC9A1EB373705F43C217F780920F23099A36B9B33977A2F84AD859633C609A0B92ADABA80CCDA7F64060B3C24E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1411861566
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
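
Added example, not part of the original message or its attachment: a small Python check that reads the "Certificate chain" section of s_client output like the one above, confirms each certificate's issuer is the subject of the next certificate sent, and reports the issuer that the last server-sent certificate points to, which the client's -CApath store has to supply. The function names and result keys are illustrative, and the sample text is the chain from this output with the mail line-wrapping undone.

```python
import re

# Chain section and verify code from the s_client output in this thread,
# with the mail line-wrapping undone.
SAMPLE = """\
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=simplehosting.mz23.in
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
---
    Verify return code: 0 (ok)
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    chain, subject, in_chain = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.startswith("---"):
            break  # end of the chain section
        elif in_chain:
            m = re.match(r"\s*\d+ s:(.*)$", line)
            if m:
                subject = m.group(1).strip()
            elif line.strip().startswith("i:") and subject is not None:
                chain.append((subject, line.strip()[2:].strip()))
                subject = None
    return chain

def analyze(text):
    chain = parse_chain(text)
    # A gap: a certificate whose issuer is not the subject of the next one sent.
    gaps = [i for i in range(len(chain) - 1) if chain[i][1] != chain[i + 1][0]]
    code = re.search(r"Verify return code: (\d+)", text)
    top_subject, top_issuer = chain[-1] if chain else (None, None)
    return {
        "length": len(chain),
        "gaps": gaps,
        "top_is_self_signed": bool(chain) and top_subject == top_issuer,
        "needed_from_store": top_issuer,  # CA the local trust store must provide
        "verify_code": int(code.group(1)) if code else None,
    }
```

For the chain in this thread the last certificate sent is not self-signed, so the path only completes if the issuer named in "needed_from_store" is present in the local store, which matches the depth=4 line in the output.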
