Bug#775932: Certificate from msm.mitre.org (Entrust) not recognized by some programs.
On 01/22/2015 09:45 AM, Carlos Alberto Lopez Perez wrote:
> So why iceweasel, chromium or wget accept this certificate as valid?
> Do you have any idea?

Unfortunately, I haven't had the time to investigate the various software you have listed, nor do I see much personal time to do so in the near future.

Not all software in Debian that uses SSL/TLS directly uses ca-certificates, so that would be your first step to troubleshooting.

--
Kind regards,
Michael

Bug#775932: Certificate from msm.mitre.org (Entrust) not recognized by some programs.
On 22/01/15 15:39, Michael Shuler wrote:
> Control: tags -1 + wontfix
>
> On 01/21/2015 11:18 AM, Carlos Alberto Lopez Perez wrote:
>> - Certificate[3] info:
>>  - subject `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', issuer `C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority', RSA key 1024 bits, signed using RSA-SHA1, activated `1999-05-25 16:09:40 UTC', expires `2019-05-25 16:39:40 UTC', SHA-1 fingerprint `99a69be61afe886b4d2b82007cb854fc317e1539'
>> - Status: The certificate is NOT trusted. The certificate issuer is unknown.
>
> CN=Entrust.net Secure Server Certification Authority'
> SHA-1 fingerprint `99a69be61afe886b4d2b82007cb854fc317e1539'
>
> This CA (as well as all other 1024-bit CAs) was removed from the Mozilla certificate bundle. You will find this CA removal listed in the ca-certificates 20140927 release changelog.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=936304
> http://anonscm.debian.org/cgit/collab-maint/ca-certificates.git/tree/debian/changelog?id=debian/20140927

So why iceweasel, chromium or wget accept this certificate as valid?
Do you have any idea?

Bug#775932: Certificate from msm.mitre.org (Entrust) not recognized by some programs.
Package: ca-certificates
Version: 20141019

Hi,

On a Debian/testing system the certificate from https://msm.mitre.org (signed by Entrust) is not recognized by some system programs, meanwhile it is recognized by others.

I will list some examples where it is not recognized first, and then some examples where it is recognized.

Not recognized:

$ openssl s_client -CApath /etc/ssl/certs -connect msm.mitre.org:443
CONNECTED(0004)
depth=3 C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=McLean/O=The Mitre Coproration/CN=msm.mitre.org
   i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
 2 s:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
 3 s:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
   i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
---
Server certificate
subject=/C=US/ST=Virginia/L=McLean/O=The Mitre Coproration/CN=msm.mitre.org
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 5688 bytes and written 623 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 1CE5751D9B59229F85736A94BF1A7B74B1782F5FB5A8697332616A52F816CE9C
    Session-ID-ctx:
    Master-Key:
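
A triage helper for the troubleshooting step discussed in this thread, added here as an example and not written by anyone in the thread: it parses the "Certificate chain" section of `openssl s_client` output and reports which certificates the server sent are self-signed and at which depths a subject matches a trust anchor of the store a given program uses. The sample text is abbreviated from the report above (OU fields dropped); the function names and any anchor set passed in are assumptions, and matching by subject DN is a simplification of what a real verifier does.

```python
import re

# Constructed sample: the chain from the report above with OU fields removed.
S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:/C=US/O=The Mitre Coproration/CN=msm.mitre.org
   i:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1C
 1 s:/C=US/O=Entrust, Inc./CN=Entrust Certification Authority - L1C
   i:/O=Entrust.net/CN=Entrust.net Certification Authority (2048)
 2 s:/O=Entrust.net/CN=Entrust.net Certification Authority (2048)
   i:/C=US/O=Entrust.net/CN=Entrust.net Secure Server Certification Authority
 3 s:/C=US/O=Entrust.net/CN=Entrust.net Secure Server Certification Authority
   i:/C=US/O=Entrust.net/CN=Entrust.net Secure Server Certification Authority
---
"""

# One chain entry: "<depth> s:<subject>" followed by an indented "i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", re.MULTILINE)

def parse_chain(text):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' section."""
    _, _, rest = text.partition("Certificate chain")
    section = rest.split("\n---", 1)[0]
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(section)]

def triage(chain, trusted_subjects):
    """Describe the sent chain relative to a set of trust-anchor subject DNs."""
    report = {"broken_links": [], "self_signed": [], "anchored_at": [],
              "sent_root_trusted": False}
    if not chain:
        return report
    for (depth, subject, issuer), nxt in zip(chain, chain[1:] + [None]):
        if subject == issuer:
            report["self_signed"].append(depth)
        elif nxt is not None and nxt[1] != issuer:
            report["broken_links"].append(depth)  # next cert is not the issuer
        if subject in trusted_subjects:
            report["anchored_at"].append(depth)
    top = chain[-1]
    report["sent_root_trusted"] = top[1] == top[2] and top[1] in trusted_subjects
    return report
```

Running `triage` once per program, with the anchor subjects of the store that program actually reads, shows whether the difference in results comes from the store or from how the chain is walked.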