On Mon, Jan 25, 2016 at 08:12:03PM +0100, gregor herrmann wrote:
> On Sun, 24 Jan 2016 19:29:14 -0600, Michael Shuler wrote:

> > $ openssl s_client -CApath /etc/ssl/certs -connect api.twillio.com:443

The report is about api.twilio.com, not api.twillio.com.

It's perfectly reproducible for me, with both libwww-perl and curl.

% curl https://api.twilio.com/
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

The certificate chain returned by the site is

 0 s:/C=US/ST=California/L=San Francisco/O=Twilio, Inc./OU=api/CN=*.twilio.com
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-ser...@thawte.com

and the last one ("Thawte Premium Server CA") was apparently removed
in the ca-certificates update. However, a self signed version of the
previous certificate in the chain, "thawte Primary Root CA", is still
present AFAICS.

What I don't quite understand is why this works on unstable
(ca-certificates 20160104) but not stable, with no differences in the
relevant certificates that I can see. Perhaps openssl is behaving
differently?

Hope this helps a bit,
-- 
Niko Tyni   nt...@debian.org
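
Added example, not part of the original message: a simplified, name-only model of two path-building orders a verifier can use, run over the chain quoted above, showing that the order alone decides whether the remaining "thawte Primary Root CA" anchors the path. The shortened DNs, the `build_path` helper and the trust-store sets are assumptions made for illustration; no signatures are checked and no specific OpenSSL release is modelled.

```python
import re

# Constructed sample: the chain from the message, each DN shortened to its CN.
CHAIN_TEXT = """\
 0 s:/CN=*.twilio.com
   i:/CN=thawte SSL CA - G2
 1 s:/CN=thawte SSL CA - G2
   i:/CN=thawte Primary Root CA
 2 s:/CN=thawte Primary Root CA
   i:/CN=Thawte Premium Server CA
 3 s:/CN=Thawte Premium Server CA
   i:/CN=Thawte Premium Server CA
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] from s_client 'Certificate chain' lines."""
    subjects = re.findall(r"^\s*\d+\s+s:(.+)$", text, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", text, re.M)
    if not subjects or len(subjects) != len(issuers):
        raise ValueError("expected paired s:/i: lines")
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def build_path(chain, trusted, trusted_first):
    """Name-only model of path building (hypothetical helper, no signature checks).

    trusted: subject names of the self-signed roots in the local store.
    trusted_first: prefer an issuer from the store over one the server sent.
    Returns (ok, path, reason).
    """
    sent = dict(chain)                 # subject -> issuer, as sent by the server
    subject, issuer = chain[0]
    path = [subject]

    def anchored():
        full = path if path[-1] == issuer else path + [issuer]
        return True, full, "anchored in local trust store"

    while True:
        if trusted_first and issuer in trusted:
            return anchored()
        if issuer in sent and issuer not in path:   # follow the server's chain
            path.append(issuer)
            subject, issuer = issuer, sent[issuer]
            continue
        if issuer in trusted:                       # sent chain exhausted
            return anchored()
        if issuer == subject:
            return False, path, "self signed certificate in certificate chain"
        return False, path, "unable to get local issuer certificate"
```

With a store that holds only "thawte Primary Root CA", following the server-sent chain to its end reproduces the curl error, while preferring the store stops one step earlier and succeeds.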