Hi,

I can maybe shed some more light on this. The problem is that the
"Thawte Premium Server CA" was removed from the certificate store with
20141019+deb8u1. On Stretch this is not a problem because openssl is on
1.0.2 there. On Jessie we have 1.0.1, which cannot verify cross-signed
certificates, as it seems.

I tested with a current Jessie and Stretch installation and it turns out
that openssl 1.0.2 verifies the "Thawte Primary Root CA" correctly
because it is in the certificate store. With openssl 1.0.1 this
verification fails because it looks for the (removed) "Thawte Premium
Server CA". I first thought it only affects servers that send both
chains but as Leszek writes this also affects him.

We publish the chain like this: servercert, thawte SSL CA - G2, Thawte
Primary Root CA, Thawte Premium Server CA

Looking at the Thawte website you can clearly see that the "Thawte
Premium Server CA" is still operational and should not be excluded from
certificate stores (https://www.thawte.com/roots/index.html). The
certificate is obviously still needed for openssl 1.0.1.

For reference here are the openssl bug reports that fix the alternate
chain problem in 1.0.2:
https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3637
https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3621

So I would like to see the "Thawte Premium Server CA" in the Debian
Jessie certificate store again very soon. This currently will disconnect
all volunteers running BOINC from at least two big projects
(Einstein@home, WorldCommunityGrid) as soon as they update to
20141019+deb8u1. Another solution would be to update openssl to 1.0.2 on
Jessie but I doubt that this is easier than re-adding the certificate.

I have done more troubleshooting and can provide more evidence if needed.

Kind regards
Christian
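To make the cross-signing situation from the mail reproducible offline, here is an added example (not part of Christian's mail or of the Debian or OpenSSL projects). It builds a toy PKI with the same shape as the chain described above: an old root (stand-in for "Thawte Premium Server CA"), a newer root (stand-in for "Thawte Primary Root CA") that is also cross-signed by the old root, an issuing CA (stand-in for "thawte SSL CA - G2") and a server certificate. It then runs `openssl verify` against three trust stores: old root only, new root only, and both. All CA names and the hostname are invented, and the only assumption is that the `openssl` command line tool is installed. On OpenSSL 1.0.2 or later, all three verifications succeed because the chain builder can fall back to the alternate path ending at the self-signed new root; the mail reports that 1.0.1 fails with the new root alone, because it follows the cross-certificate in the sent chain up to the removed old root and never tries the alternative.

```shell
#!/bin/sh
# Added example, not from the bug report. Toy PKI mirroring the mail's chain:
#   old_root ~ "Thawte Premium Server CA" (the root removed from the store)
#   new_root ~ "Thawte Primary Root CA"   (still in the store, and also
#                                          cross-signed by old_root)
#   issuing  ~ "thawte SSL CA - G2"
#   leaf     ~ the server certificate
# All names are stand-ins; the server is assumed to send leaf, issuing and the
# cross-signed new_root, as described in the mail.
set -eu

W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

# Extension files for CA and end-entity certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$W/leaf.ext"

# newcsr NAME KEYNAME SUBJECT: create KEYNAME's key if missing, then a CSR.
newcsr() {
  [ -f "$W/$2.key" ] || openssl genrsa -out "$W/$2.key" 2048 2>/dev/null
  openssl req -new -key "$W/$2.key" -subj "/CN=$3" -out "$W/$1.csr" 2>/dev/null
}

# issue NAME ISSUER EXT: sign NAME's CSR with ISSUER's key and EXT extensions,
# or self-sign with NAME's own key when ISSUER is "self".
issue() {
  if [ "$2" = self ]; then
    openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 365 -sha256 \
      -extfile "$W/$3.ext" -out "$W/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.crt" -CAkey "$W/$2.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$W/$3.ext" -out "$W/$1.crt" 2>/dev/null
  fi
}

build_pki() {
  newcsr old_root old_root "Old Root CA (Premium Server stand-in)"
  issue old_root self ca
  newcsr new_root new_root "New Root CA (Primary Root stand-in)"
  issue new_root self ca
  # Cross-certificate: new_root's key and subject, but signed by old_root.
  newcsr new_root_cross new_root "New Root CA (Primary Root stand-in)"
  issue new_root_cross old_root ca
  newcsr issuing issuing "Issuing CA (SSL CA - G2 stand-in)"
  issue issuing new_root ca
  newcsr leaf leaf "server.example.test"
  issue leaf issuing leaf
  # Intermediates exactly as the server would send them after the leaf.
  cat "$W/issuing.crt" "$W/new_root_cross.crt" > "$W/chain.pem"
  # Three candidate trust stores.
  cp "$W/old_root.crt" "$W/store_old.pem"
  cp "$W/new_root.crt" "$W/store_new.pem"
  cat "$W/old_root.crt" "$W/new_root.crt" > "$W/store_both.pem"
}

# verify_against STORE: succeed when the leaf chains to a root in store_STORE.pem,
# using only the certificates the server sent as untrusted intermediates.
verify_against() {
  openssl verify -CAfile "$W/store_$1.pem" -untrusted "$W/chain.pem" \
    "$W/leaf.crt" >/dev/null 2>&1
}

build_pki
for s in old new both; do
  if verify_against "$s"; then r=OK; else r=FAIL; fi
  echo "trust store with $s root(s): $r"
done
```

The `new` case is the one the mail is about: after the old root was dropped from the Jessie store, only a verifier that can try the alternate path (self-signed new root in the store instead of the cross-certificate from the chain) still accepts the server. The `old` case shows why keeping the old root in the store works as a fix even for a verifier without that fallback, since the cross-certificate then leads to a trusted anchor.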
