Package: ca-certificates
Version: 20141019

Hi,

On a Debian/testing system the certificate from https://msm.mitre.org
(signed by Entrust) is not recognized by some system programs, while
it is recognized by others. I will list some examples where it is
not recognized first, and then some examples where it is recognized.

--------------------------------------------------------------------
Not recognized:
--------------------------------------------------------------------

$ openssl s_client -CApath /etc/ssl/certs -connect msm.mitre.org:443
CONNECTED(00000004)
depth=3 C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=McLean/O=The Mitre Coproration/CN=msm.mitre.org
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
 2 s:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
 3 s:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
subject=/C=US/ST=Virginia/L=McLean/O=The Mitre Coproration/CN=msm.mitre.org
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 5688 bytes and written 623 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 1CE5751D9B59229F85736A94BF1A7B74B1782F5FB5A8697332616A52F816CE9C
    Session-ID-ctx:
    Master-Key: A9DF91159E7878B9131A31F9BA2EC1D29E2606CA3D2508A7B5D5CAF3CD824E7721A7236A5188A1CF39E2DB4CE361963F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1421859765
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

$ gnutls-cli msm.mitre.org
Processed 173 CA certificate(s).
Resolving 'msm.mitre.org'...
Connecting to '198.49.146.233:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `C=US,ST=Virginia,L=McLean,O=The Mitre Coproration,CN=msm.mitre.org', issuer `C=US,O=Entrust\, Inc.,OU=www.entrust.net/rpa is incorporated by reference,OU=(c) 2009 Entrust\, Inc.,CN=Entrust Certification Authority - L1C', RSA key 2048 bits, signed using RSA-SHA1, activated `2014-04-09 13:12:46 UTC', expires `2016-11-01 20:03:52 UTC', SHA-1 fingerprint `b473a4580e5010e2d8e830009a13aead1d83f813'
	Public Key ID: 7cca8c079092ac5d90a2ccf063a64bc27e422a12
	Public key's random art:
- Certificate[1] info:
 - subject `C=US,O=Entrust\, Inc.,OU=www.entrust.net/rpa is incorporated by reference,OU=(c) 2009 Entrust\, Inc.,CN=Entrust Certification Authority - L1C', issuer `O=Entrust.net,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Certification Authority (2048)', RSA key 2048 bits, signed using RSA-SHA1, activated `2009-12-10 20:43:54 UTC', expires `2019-12-10 21:13:54 UTC', SHA-1 fingerprint `6143af68f7b33a47940474988b05f7b162969842'
- Certificate[2] info:
 - subject `O=Entrust.net,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Certification Authority (2048)', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', RSA key 2048 bits, signed using RSA-SHA1, activated `2009-03-23 15:18:27 UTC', expires `2019-03-23 15:48:27 UTC', SHA-1 fingerprint `b975811dda15107ef5e0dc28141c7b938ebe4c26'
- Certificate[3] info:
 - subject `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', RSA key 1024 bits, signed using RSA-SHA1, activated `1999-05-25 16:09:40 UTC', expires `2019-05-25 16:39:40 UTC', SHA-1 fingerprint `99a69be61afe886b4d2b82007cb854fc317e1539'
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

$ curl https://msm.mitre.org
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

$ epiphany https://msm.mitre.org
# cert error

--------------------------------------------------------------------
Recognized:
--------------------------------------------------------------------

$ iceweasel https://msm.mitre.org
# OK

$ chromium https://msm.mitre.org
# OK

$ wget https://msm.mitre.org
--2015-01-21 18:04:43--  https://msm.mitre.org/
Resolving msm.mitre.org (msm.mitre.org)... 198.49.146.233, 192.52.194.135
Connecting to msm.mitre.org (msm.mitre.org)|198.49.146.233|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

    [ <=> ] 17,807      --.-K/s   in 0.1s

2015-01-21 18:04:44 (124 KB/s) - ‘index.html’ saved [17807]
# OK

--------------------------------------------------------------------
Versions of the programs:
--------------------------------------------------------------------

$ apt-show-versions ca-certificates iceweasel chromium curl wget openssl gnutls-bin
ca-certificates:all/testing 20141019 uptodate
chromium:amd64/testing 39.0.2171.71-2 uptodate
curl:amd64/testing 7.38.0-3 upgradeable to 7.38.0-4
gnutls-bin:amd64/testing 3.2.15-1 upgradeable to 3.3.8-5
iceweasel:amd64/experimental *manually* upgradeable from 34.0-1 to 35.0-1
openssl:amd64/testing 1.0.1j-1 uptodate
wget:amd64/testing 1.15-1+b1 upgradeable to 1.16-1