Bug#640457: marked as done ([openssl] some VeriSign certificates fail to verify)

To: Maximilian Engelhardt <maxi@daemonizer.de>
Subject: Bug#640457: marked as done ([openssl] some VeriSign certificates fail to verify)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Thu, 10 Apr 2025 20:03:02 +0000
Message-id: <[🔎] handler.640457.D640457.17443153162273675.ackdone@bugs.debian.org>
Reply-to: 640457@bugs.debian.org
References: <7808619.GXAFRqVoOG@localhost> <201109050204.51150.maxi@daemonizer.de>

Your message dated Thu, 10 Apr 2025 22:01:53 +0200
with message-id <7808619.GXAFRqVoOG@localhost>
and subject line Closing as no longer relevant
has caused the Debian Bug report #640457,
regarding [openssl] some VeriSign certificates fail to verify
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
640457: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640457
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: [openssl] some VeriSign certificates fail to verify
From: Maximilian Engelhardt <maxi@daemonizer.de>
Date: Mon, 5 Sep 2011 02:04:47 +0200
Message-id: <201109050204.51150.maxi@daemonizer.de>

Package: openssl
Version: 1.0.0d-3
Severity: important

Hello,

I'm having problems verifying some VeriSign certificates.

As far as I traced this back I think this is a problem with openssl. But if 
you think this bug should be fixed elsewhere feel free to reassign the report.


Here is a detailed description about the problem. I'm using signin.ebay.de as 
an example, but many other sites are also affected by this.

$ openssl s_client -host signin.ebay.de -port 443 -CApath /etc/ssl/certs/ -
showcerts
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 
2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public 
Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 
s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private 
Organization/serialNumber=2871352/C=US/postalCode=95125/ST=California/L=San 
Jose/street=2145 Hamilton Ave/O=eBay Inc./OU=Site 
Operations/CN=signin.ebay.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at 
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL 
CA
-----BEGIN CERTIFICATE-----
MIIIXjCCB0agAwIBAgIQPqLLa6xb3tYmpa6m2RTjDDANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x
MTAxMTkwMDAwMDBaFw0xMzAxMjMyMzU5NTlaMIIBCjETMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzI4NzEzNTIxCzAJBgNVBAYTAlVTMQ4w
DAYDVQQRFAU5NTEyNTETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxQIU2Fu
IEpvc2UxGjAYBgNVBAkUETIxNDUgSGFtaWx0b24gQXZlMRIwEAYDVQQKFAllQmF5
IEluYy4xGDAWBgNVBAsUD1NpdGUgT3BlcmF0aW9uczEYMBYGA1UEAxQPc2lnbmlu
LmViYXkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3fF7qsUm
ltnVU395Tlg8wEMITNv3X1hCXr4Engs3DLnta2LzDH2HR2hkAZhs7QwFADlCZ0/I
6LLQ6HChhF91HcrL3fbM9eQphBMrQ5QhqKqDZa2YMR2VJy3OaxqHjTlrgseES2CJ
B0DJoQ31NxEpj4dETfkK2fDHhvFYj//RyneIFIkvaw0F2hOBYbKWBfMx0uK/VX9/
4LYKQw6xBp/2T9MSXU0jP1pqwrtg8c0l6vB9ijF/SY5pLZZOYMmJ7QLpSRIflqLs
P4Voz1c4RDmyhm/RS421SaUzlarPeMnof1HoTsO/hUXow0vhfYt4OklKV3T6gcZ2
+DR2jnUL6QjRdwIDAQABo4IECzCCBAcwggIUBgNVHREEggILMIICB4IPc2lnbmlu
LmViYXkuY29tgg5zaWduaW4uZWJheS5hdIIOc2lnbmluLmViYXkuYmWCDnNpZ25p
bi5lYmF5LmNhgg5zaWduaW4uZWJheS5jaIIOc2lnbmluLmViYXkuZGWCDnNpZ25p
bi5lYmF5LmVzgg5zaWduaW4uZWJheS5mcoIOc2lnbmluLmViYXkuaWWCDnNpZ25p
bi5lYmF5Lmlugg5zaWduaW4uZWJheS5pdIIOc2lnbmluLmViYXkubmyCDnNpZ25p
bi5lYmF5LnBogg5zaWduaW4uZWJheS5wbIIRc2lnbmluLmViYXkuY28udWuCEnNp
Z25pbi5lYmF5LmNvbS5hdYISc2lnbmluLmViYXkuY29tLmhrghJzaWduaW4uZWJh
eS5jb20ubXmCEnNpZ25pbi5lYmF5LmNvbS5zZ4ITc2lnbmluLmJlZnIuZWJheS5i
ZYITc2lnbmluLmJlbmwuZWJheS5iZYITc2lnbmluLmNhZnIuZWJheS5jYYIXc2ln
bmluLmV4cHJlc3MuZWJheS5jb22CFHNpZ25pbi5oYWxmLmViYXkuY29tghxzaWdu
aW4ubGl2ZWF1Y3Rpb25zLmViYXkuY29tghhzaWduaW4uc2hvcHBpbmcuZWJheS5j
b22CG3NpZ25pbi53b3JsZG9mZ29vZC5lYmF5LmNvbTAJBgNVHRMEAjAAMB0GA1Ud
DgQWBBTgXmYC0gjb9HFTji+RYF/OtcPJWTALBgNVHQ8EBAMCBaAwQgYDVR0fBDsw
OTA3oDWgM4YxaHR0cDovL0VWU2VjdXJlLWNybC52ZXJpc2lnbi5jb20vRVZTZWN1
cmUyMDA2LmNybDBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcGMCowKAYIKwYBBQUH
AgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFPyKULqeuSVae1WFT5UAY4/pWGtD
MHwGCCsGAQUFBwEBBHAwbjAtBggrBgEFBQcwAYYhaHR0cDovL0VWU2VjdXJlLW9j
c3AudmVyaXNpZ24uY29tMD0GCCsGAQUFBzAChjFodHRwOi8vRVZTZWN1cmUtYWlh
LnZlcmlzaWduLmNvbS9FVlNlY3VyZTIwMDYuY2VyMG4GCCsGAQUFBwEMBGIwYKFe
oFwwWjBYMFYWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFEtruSiWBgy70FI4myms
SweLIQUYMCYWJGh0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28xLmdpZjAN
BgkqhkiG9w0BAQUFAAOCAQEAOEmD2bGiV4C0ba2GKakTphtGPA7uIVn6b0TeSUIF
6YHzzNlxU/yxumI1ghdmqaLUARvLVdNoEk4m7HoWLEDRVTJO6/BDGUK4I06c8u20
F2oW7qJCSgQbtyg62n/NeSmN4zMJo8JLTXfyIeZ6kjRj1SdKupyI/DnQVWaQNBv7
4IMelo0yQNeeNEF4/INZxaLdc6o1x8A0FOvKaM+16MrnJSsNXO0sioufC22zRIPw
o6rJ7sQx6ZhEefUgxBCgSJcpBkUUP6II0a/cQzMP5OUXkcKTnfoYAqSQmKRVSKCR
CqXkeyEODiBRQyvG2jsFFpYWKSQlLR08qs1usFHkx363Cw==
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at 
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL 
CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, 
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary 
Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIF5DCCBMygAwIBAgIQW3dZxheE4V7HJ8AylSkoazANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMTYxMTA3MjM1OTU5WjCBujEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMrVmVy
aVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAJjboFXrnP0XeeOabhQdsVuYI4cWbod2
nLU4O7WgerQHYwkZ5iqISKnnnbYwWgiXDOyq5BZpcmIjmvt6VCiYxQwtt9citsj5
OBfH3doxRpqUFI6e7nigtyLUSVSXTeV0W5K87Gws3+fBthsaVWtmCAN/Ra+aM/EQ
wGyZSpIkMQht3QI+YXZ4eLbtfjeubPOJ4bfh3BXMt1afgKCxBX9ONxX/ty8ejwY4
P1C3aSijtWZfNhpSSENmUt+ikk/TGGC+4+peGXEFv54cbGhyJW+ze3PJbb0S/5tB
Ml706H7FC6NMZNFOvCYIZfsZl1h44TO/7Wg+sSdFb8Di7Jdp91zT91ECAwEAAaOC
AdIwggHOMB0GA1UdDgQWBBT8ilC6nrklWntVhU+VAGOP6VhrQzASBgNVHRMBAf8E
CDAGAQH/AgEAMD0GA1UdIAQ2MDQwMgYEVR0gADAqMCgGCCsGAQUFBwIBFhxodHRw
czovL3d3dy52ZXJpc2lnbi5jb20vY3BzMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6
Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL3BjYTMtZzUuY3JsMA4GA1UdDwEB
/wQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZ
MFcwVRYJaW1hZ2UvZ2lmMCEwHzAHBgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7
GS4wJRYjaHR0cDovL2xvZ28udmVyaXNpZ24uY29tL3ZzbG9nby5naWYwKQYDVR0R
BCIwIKQeMBwxGjAYBgNVBAMTEUNsYXNzM0NBMjA0OC0xLTQ3MD0GCCsGAQUFBwEB
BDEwLzAtBggrBgEFBQcwAYYhaHR0cDovL0VWU2VjdXJlLW9jc3AudmVyaXNpZ24u
Y29tMB8GA1UdIwQYMBaAFH/TZafC3ey78DAJ80M5+gKvMzEzMA0GCSqGSIb3DQEB
BQUAA4IBAQCWovp/5j3t1CvOtxU/wHIDX4u6FpAl98KD2Md1NGNoElMMU4l7yVYJ
p8M2RE4O0GJis4b66KGbNGeNUyIXPv2s7mcuQ+JdfzOE8qJwwG6Cl8A0/SXGI3/t
5rDFV0OEst4t8dD2SB8UcVeyrDHhlyQjyRNddOVG7wl8nuGZMQoIeRuPcZ8XZsg4
z+6Ml7YGuXNG5NOUweVgtSV1LdlpMezNlsOjdv3odESsErlNv1HoudRETifLriDR
fip8tmNHnna6l9AW5wtsbfdDbzMLKTB3+p359U64drPNGLT5IO892+bKrZvQTtKH
qQ2mRHNQ3XBb7a1+Srwi1agm5MKFIA3Z
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, 
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary 
Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIE3TCCBEagAwIBAgIQWPOeXAErGUchqY7k7uD4vzANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggGoMIIBpDAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjBt
BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIa
BBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5j
b20vdnNsb2dvLmdpZjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7Lvw
MAnzQzn6Aq8zMTMwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVTMRcwFQYD
VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7A8y6vzAN
BgkqhkiG9w0BAQUFAAOBgQCfFUleaybO7pjnTaWSP3Vq8DML+gncKJKrjWoxQdlH
MUdGCaE5BT5mZRmLMr9hLBzVagNvRNw7r+8bk1jWvc7Q7baJd1EVWTIoxXqJjNo+
bVx1rIbUx579OD6Wc0CHNGqETjGo0qK5PE4G3cuyfK7h1Z8edOUk8M/km+wl6s3s
9g==
-----END CERTIFICATE-----
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private 
Organization/serialNumber=2871352/C=US/postalCode=95125/ST=California/L=San 
Jose/street=2145 Hamilton Ave/O=eBay Inc./OU=Site 
Operations/CN=signin.ebay.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at 
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL 
CA
---
No client certificate CA names sent
---
SSL handshake has read 5083 bytes and written 471 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
    Session-ID: 
D8D8283C37E4EB38A5B6EC27343F338C18973632AEA8F856A9EFB9F7A5091325
    Session-ID-ctx: 
    Master-Key: 
873A7BBF94734F7DEAC817B10CB49F8203294A27418B31E8F035A91EF936466D367974DFC63BBD9C4BACC1D4BC79A204
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1315174082
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE



As you can see, it cannot verify the certificate.

Now lets do it manually:
I copied the three certificates to the files chain-0, chain-1 and chain-2.

$ openssl x509 -noout -subject -issuer -in chain-0
subject= 
/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private 
Organization/serialNumber=2871352/C=US/postalCode=95125/ST=California/L=San 
Jose/street=2145 Hamilton Ave/O=eBay Inc./OU=Site 
Operations/CN=signin.ebay.com
issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at 
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL 
CA

$ openssl x509 -noout -subject -issuer -in chain-1
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at 
https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL 
CA
issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, 
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary 
Certification Authority - G5

$ openssl x509 -noout -subject -issuer -in chain-2
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary 
Certification Authority - G5
issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification 
Authority


$ openssl verify -CApath /etc/ssl/certs/ chain-0
chain-0: 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, 
businessCategory = Private Organization, serialNumber = 2871352, C = US, 
postalCode = 95125, ST = California, L = San Jose, street = 2145 Hamilton Ave, 
O = eBay Inc., OU = Site Operations, CN = signin.ebay.com
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify -CAfile chain-1 chain-0
chain-0: OK

$ openssl verify -CApath /etc/ssl/certs/ chain-1
chain-1: OK

$ openssl verify -CAfile chain-2 chain-1
chain-1: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 
2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public 
Primary Certification Authority - G5
error 2 at 1 depth lookup:unable to get issuer certificate

$ openssl verify -CApath /etc/ssl/certs/ chain-2
chain-2: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 
2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public 
Primary Certification Authority - G5
error 20 at 0 depth lookup:unable to get local issuer certificate


So chain-0 can be verified by chain-1 and chain-1 can be verified by the 
system installed CAs.

The problem is that
VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
got updated in ca-certificates 20110421.
And the last certificated sent by the server (chain-2) is the old version of 
this same certificate.

$ openssl x509 -noout -subject -issuer -in 
/etc/ssl/certs/VeriSign_Class_3_Public_Primary_Certification_Authority_-
_G5.pem 
subject= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary 
Certification Authority - G5
issuer= /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, 
Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary 
Certification Authority - G5


So it seems like openssl first uses the certificate that's send from the 
server, but then fails to verify it (as it can't find an appropriate root 
certificate). Instead it should ignore the sent certificate and use the one 
that is installed on the local system and thus trusted as root certificate.


This behaviour is especially a problem for me since konqueror uses openssl to 
verify the certificates and there are quite some sites that deliver the old 
certificate in the chain.


Also note that gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p 
443 signin.ebay.de" does verify the certificate just fine.



Feel free to ask me if you need any additional information.


--- System information. ---
Architecture: amd64
Kernel:       Linux 3.0.0-1-amd64

Debian Release: wheezy/sid
  500 testing         mirror.stusta.mhn.de 

--- Package information. ---
Depends            (Version) | Installed
============================-+-=============
libc6               (>= 2.7) | 2.13-16
libssl1.0.0       (>= 1.0.0) | 1.0.0d-3
zlib1g          (>= 1:1.1.4) | 1:1.2.3.4.dfsg-3


Package's Recommends field is empty.

Suggests             (Version) | Installed
==============================-+-===========
ca-certificates                | 20110502+nmu1

Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---

--- Begin Message ---

To: 640457-done@bugs.debian.org

Subject: Closing as no longer relevant

From: Maximilian Engelhardt <maxi@daemonizer.de>

Date: Thu, 10 Apr 2025 22:01:53 +0200

Message-id: <7808619.GXAFRqVoOG@localhost>
Closing as this is very likely no longer an issue for modern konqueror.

Also qtwebengine is listed as "No security support upstream and backports not 
feasible, only for use on trusted content" in debian-security-support [1], 
which makes this even less of a problem.

Thanks.

[1] https://tracker.debian.org/pkg/debian-security-support
Attachment: signature.asc
Description: This is a digitally signed message part.

--- End Message ---

Reply to:

Prev by Date: Bug#891255: marked as done ([src:kimap] Please enable TLSv1.2 for imap connections in stretch)
Next by Date: Bug#1102614: libqt6core6t64: uses wireless extensions which will stop working for Wi-Fi 7 hardware
Previous by thread: Bug#891255: marked as done ([src:kimap] Please enable TLSv1.2 for imap connections in stretch)
Next by thread: Bug#1102614: libqt6core6t64: uses wireless extensions which will stop working for Wi-Fi 7 hardware
Index(es):
- Date
- Thread