Package: openssl
Version: 1.1.1-2
Severity: important

Hi.

OpenSSL fails to connect with my bank's server:

openssl s_client -connect voscomptesenligne.labanquepostale.fr:443

fails with:

140481179165120:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1073:

It also affects curl and LWP::Mechanise, probably others.

Even if the fault is in the certificate, since the website works with web browsers, it is unlikely to get fixed. OpenSSL fails at being "liberal in what it accepts" and is causing trouble to people who cannot fix the issues.

Here is the full output of the connection attempt:

CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
verify return:1
depth=0 businessCategory = Private Organization, jurisdictionC = FR, serialNumber = 421 100 645, C = FR, L = PARIS, O = LA BANQUE POSTALE SA, OU = DISFE, CN = voscomptesenligne.labanquepostale.fr
verify return:1
140226363384256:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1073:
---
Certificate chain
 0 s:businessCategory = Private Organization, jurisdictionC = FR, serialNumber = 421 100 645, C = FR, L = PARIS, O = LA BANQUE POSTALE SA, OU = DISFE, CN = voscomptesenligne.labanquepostale.fr
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
---
Server certificate
subject=businessCategory = Private Organization, jurisdictionC = FR, serialNumber = 421 100 645, C = FR, L = PARIS, O = LA BANQUE POSTALE SA, OU = DISFE, CN = voscomptesenligne.labanquepostale.fr

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA

---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3535 bytes and written 335 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 18D99AD253AE8E5E3A9200DDEF7BCD973F542A12316905A3A976B7831144DC28
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1541258407
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
zsh: exit 1     openssl s_client -connect voscomptesenligne.labanquepostale.fr:443

Regards,

--
  Nicolas George

-- System Information:
Debian Release: buster/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openssl depends on:
ii  libc6      2.27-8
ii  libssl1.1  1.1.1-2

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20170717

-- no debconf information