Your message dated Thu, 21 Apr 2011 19:32:08 +0000
with message-id <e1qczbk-0000hs...@franck.debian.org>
and subject line Bug#611102: fixed in ca-certificates 20110421
has caused the Debian Bug report #611102,
regarding can't find certificates because of hash changes, should call c_rehash
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
611102: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611102
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libssl1.0.0
Version: 1.0.0d-1
Severity: important
It seems all the certificates in /etc/ssl/certs have become pretty much
useless now, because just about every connection fails either with error
20 (unable to get local issuer certificate) or error 19 (self signed
certificate in certificate chain), like this:
,----
| $ openssl s_client -CApath /etc/ssl/certs/ -connect bugs.freedesktop.org:443
| CONNECTED(00000003)
| depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
| verify error:num=20:unable to get local issuer certificate
| [...]
| $ openssl s_client -CApath /etc/ssl/certs/ -connect alioth.debian.org:443
| CONNECTED(00000003)
| depth=2 C = US, ST = Indiana, L = Indianapolis, O = Software in the Public Interest, OU = hostmaster, CN = Certificate Authority, emailAddress = hostmas...@spi-inc.org
| verify error:num=19:self signed certificate in certificate chain
| [...]
`----
This broke my mail setup after today's binNMU of postfix which could not
set up a verified connection to the relay host:
,----
| Apr 13 16:22:53 turtle postfix/smtp[1972]: setting up TLS connection to mail.gmx.net[213.165.64.21]:587
| Apr 13 16:22:53 turtle postfix/smtp[1972]: certificate verification failed for mail.gmx.net[213.165.64.21]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
| Apr 13 16:22:53 turtle postfix/smtp[1972]: Untrusted TLS connection established to mail.gmx.net[213.165.64.21]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
| Apr 13 16:22:53 turtle postfix/smtp[1972]: 88EFF3F328: Server certificate not trusted
| Apr 13 16:22:53 turtle postfix/smtp[1972]: setting up TLS connection to mail.gmx.net[213.165.64.20]:587
| Apr 13 16:22:53 turtle postfix/smtp[1972]: certificate verification failed for mail.gmx.net[213.165.64.20]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
| Apr 13 16:22:53 turtle postfix/smtp[1972]: Untrusted TLS connection established to mail.gmx.net[213.165.64.20]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
| Apr 13 16:22:53 turtle postfix/smtp[1972]: 88EFF3F328: to=<620...@bugs.debian.org>, relay=mail.gmx.net[213.165.64.20]:587, delay=2.4, delays=0.3/0.87/1.2/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
`----
Downgrading postfix to 2.8.2-1 "fixed" this. Needless to say, the
openssl version in Squeeze shows no errors in the above examples either.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.39-rc3-nouveau (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libssl1.0.0 depends on:
ii debconf [debconf-2.0] 1.5.38 Debian configuration management sy
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
libssl1.0.0 recommends no packages.
libssl1.0.0 suggests no packages.
-- debconf information:
libssl1.0.0/restart-failed:
libssl1.0.0/restart-services:
--- End Message ---
--- Begin Message ---
Source: ca-certificates
Source-Version: 20110421
We believe that the bug you reported is fixed in the latest version of
ca-certificates, which is due to be installed in the Debian FTP archive:
ca-certificates_20110421.dsc
to main/c/ca-certificates/ca-certificates_20110421.dsc
ca-certificates_20110421.tar.gz
to main/c/ca-certificates/ca-certificates_20110421.tar.gz
ca-certificates_20110421_all.deb
to main/c/ca-certificates/ca-certificates_20110421_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 611...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Kurt Roeckx <k...@roeckx.be> (supplier of updated ca-certificates package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
Format: 1.8
Date: Thu, 21 Apr 2011 18:56:08 +0200
Source: ca-certificates
Binary: ca-certificates
Architecture: source all
Version: 20110421
Distribution: unstable
Urgency: low
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Kurt Roeckx <k...@roeckx.be>
Description:
ca-certificates - Common CA certificates
Closes: 611102
Changes:
ca-certificates (20110421) unstable; urgency=low
.
* QA upload.
* Package is orphaned, set maintainer to QA group
* Depend on openssl 1.0.0 and force a call of c_rehash so that we have
both the old and new style of symlinks. (Closes: #611102)
* Remove libssl0.9.8 from enhances
* Update mozilla certdata.txt file to the latest version.
Removed:
- ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt
- beTRUSTed_Root_CA-Baltimore_Implementation.crt
- beTRUSTed_Root_CA.crt
- beTRUSTed_Root_CA_-_Entrust_Implementation.crt
- beTRUSTed_Root_CA_-_RSA_Implementation.crt
- Digital_Signature_Trust_Co._Global_CA_2.crt
- Digital_Signature_Trust_Co._Global_CA_4.crt
- Entrust.net_Global_Secure_Personal_CA.crt
- Entrust.net_Global_Secure_Server_CA.crt
- Entrust.net_Secure_Personal_CA.crt
- GTE_CyberTrust_Root_CA.crt
- IPS_Chained_CAs_root.crt
- IPS_CLASE1_root.crt
- IPS_CLASE3_root.crt
- IPS_CLASEA1_root.crt
- IPS_CLASEA3_root.crt
- IPS_Servidores_root.crt
- IPS_Timestamping_root.crt
- RSA_Security_1024_v3.crt
- StartCom_Ltd..crt
- Thawte_Personal_Basic_CA.crt
- Thawte_Personal_Premium_CA.crt
- UTN-USER_First-Network_Applications.crt
- Verisign_RSA_Secure_Server_CA.crt
- Verisign_Time_Stamping_Authority_CA.crt
- Visa_International_Global_Root_2.crt
Added:
- ACEDICOM_Root.crt
- AC_Raíz_Certicámara_S.A..crt
- ApplicationCA_-_Japanese_Government.crt
- Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
- Buypass_Class_2_CA_1.crt
- Buypass_Class_3_CA_1.crt
- CA_Disig.crt
- Certigna.crt
- certSIGN_ROOT_CA.crt
- Chambers_of_Commerce_Root_-_2008.crt
- CNNIC_ROOT.crt
- ComSign_CA.crt
- ComSign_Secured_CA.crt
- Cybertrust_Global_Root.crt
- Deutsche_Telekom_Root_CA_2.crt
- EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
- E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
- ePKI_Root_Certification_Authority.crt
- GeoTrust_Primary_Certification_Authority_-_G2.crt
- GeoTrust_Primary_Certification_Authority_-_G3.crt
- Global_Chambersign_Root_-_2008.crt
- GlobalSign_Root_CA_-_R3.crt
- Hongkong_Post_Root_CA_1.crt
- IGC_A.crt
- Izenpe.com.crt
- Juur-SK.crt
- Microsec_e-Szigno_Root_CA_2009.crt
- Microsec_e-Szigno_Root_CA.crt
- NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
- OISTE_WISeKey_Global_Root_GA_CA.crt
- SecureSign_RootCA11.crt
- Security_Communication_EV_RootCA1.crt
- Staat_der_Nederlanden_Root_CA_-_G2.crt
- S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
- TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
- TC_TrustCenter_Class_2_CA_II.crt
- TC_TrustCenter_Class_3_CA_II.crt
- TC_TrustCenter_Universal_CA_I.crt
- TC_TrustCenter_Universal_CA_III.crt
- thawte_Primary_Root_CA_-_G2.crt
- thawte_Primary_Root_CA_-_G3.crt
- VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
- VeriSign_Universal_Root_Certification_Authority.crt
Changed:
- Verisign_Class_1_Public_Primary_Certification_Authority.crt
- Verisign_Class_3_Public_Primary_Certification_Authority.crt
* Remove telesec.de/deutsche-telekom-root-ca-2.crt, now in mozilla.
* String decode the mozilla certdata.txt so the filenames show up as
proper UTF-8 strings.
--- End Message ---
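The fix in the changelog above depends on c_rehash leaving both the old-style and the new-style hash link for every CA file in the directory passed to -CApath. One way to check a directory for that, as an added example (not part of the bug report or of the ca-certificates package); the function names are made up here, and it assumes an openssl binary of version 1.0.0 or later, whose x509 command offers -subject_hash and -subject_hash_old:

```shell
#!/bin/sh
# Added example: audit a -CApath directory for both hash-link styles.

# cert_hash STYLE FILE: print the subject hash of a PEM certificate.
# STYLE is "new" (OpenSSL >= 1.0.0) or "old" (the 0.9.8 algorithm).
cert_hash() {
    case "$1" in
        new) opt=-subject_hash ;;
        old) opt=-subject_hash_old ;;
    esac
    openssl x509 -noout "$opt" -in "$2" 2>/dev/null
}

# has_link DIR HASH FILE: succeed if some DIR/HASH.N has FILE's content.
# Comparing content also accepts copies made where symlinks are unavailable.
has_link() {
    for l in "$1/$2".*; do
        [ -e "$l" ] && cmp -s "$l" "$3" && return 0
    done
    return 1
}

# audit_capath DIR: print one "MISSING <style> <hash> <file>" line per
# absent link; return non-zero if any link is missing.
audit_capath() {
    dir=$1 missing=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # c_rehash skips bundles; only single-certificate files get links.
        [ "$(grep -c 'BEGIN CERTIFICATE' "$cert")" -eq 1 ] || continue
        for style in new old; do
            h=$(cert_hash "$style" "$cert") || h=
            if [ -z "$h" ]; then
                echo "SKIP $style ${cert##*/} (not a readable certificate)"
            elif ! has_link "$dir" "$h" "$cert"; then
                echo "MISSING $style $h ${cert##*/}"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Run against a directory when one is given, e.g. /etc/ssl/certs.
if [ "$#" -gt 0 ]; then audit_capath "$1"; fi
```

A `MISSING old` line means a client linked against OpenSSL 0.9.8 will not find that CA in the directory; a `MISSING new` line means a client linked against 1.0.0 will not, which is the failure shown in the report.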