https://bugzilla.wikimedia.org/show_bug.cgi?id=41437
Jimmy Xu <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #13 from Jimmy Xu <[email protected]> 2012-11-30 13:38:33 UTC ---
(In reply to comment #12)
> RT #3803 resolved, https://gerrit.wikimedia.org/r/#/c/30307/ merged.
> Closing too, thanks for the ping.

IMHO the diff doesn't look like a fix :(

If my understanding is correct, currently the certificate chain would let
OpenSSL fail to verify the server certificate:

$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.wikidata.org:443
CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Wikimedia Foundation, Inc.", CN = *.wikidata.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
   i:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA

^^^ This is wrong. It should be the issuer for cert 0, not a random CA that
has nothing to do with the previous cert.

---
Server certificate
-----BEGIN CERTIFICATE-----
[...cut...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
No client certificate CA names sent
---
SSL handshake has read 3159 bytes and written 542 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
[...cut...]
Verify return code: 21 (unable to verify the first certificate)
---
QUIT
DONE
$

Reopening again.

_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
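The comment above spots the broken chain by reading the `s:`/`i:` lines by eye. The following is an added example, not part of the bug report or of any Wikimedia code, that makes the same check repeatable: it parses the "Certificate chain" block that `openssl s_client` prints and flags every position where a certificate's issuer is not the subject of the next certificate the server sent, plus any "intermediate" that is actually self-signed. The first sample input is the chain block quoted in the comment; the second, well-formed chain and its CA names are constructed for comparison.

```python
"""Check the 'Certificate chain' block of `openssl s_client` output for
chains that do not link up (issuer of cert N != subject of cert N+1).

Added example, not code from the bug report.  SAMPLE_BROKEN_OUTPUT is the
chain block quoted in the report; SAMPLE_GOOD_OUTPUT and its CA names are
constructed.
"""
import re
import sys
from typing import List, Tuple

# Sample 1: the chain block from the bug report (cert 1 is an unrelated,
# self-signed "Wikimedia CA" instead of the DigiCert issuer of cert 0).
SAMPLE_BROKEN_OUTPUT = """\
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikidata.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
   i:/C=US/ST=California/L=San Francisco/O=Wikimedia Foundation/CN=Wikimedia CA
---
Server certificate
"""

# Sample 2: a constructed, correctly linked chain (hypothetical names).
SAMPLE_GOOD_OUTPUT = """\
---
Certificate chain
 0 s:/C=US/O=Example Org/CN=www.example.com
   i:/C=US/O=Example CA Inc/CN=Example Issuing CA 1
 1 s:/C=US/O=Example CA Inc/CN=Example Issuing CA 1
   i:/C=US/O=Example CA Inc/CN=Example Root CA
---
"""

_ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/C=US/..."
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/..."


def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain: List[Tuple[str, str]] = []
    lines = output.splitlines()
    in_block = False
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.strip() == "Certificate chain":
            in_block = True
        elif in_block and line.strip() == "---":
            break   # end of the chain block
        elif in_block:
            m = _ENTRY_RE.match(line)
            if m and i + 1 < len(lines):
                im = _ISSUER_RE.match(lines[i + 1])
                if im:
                    chain.append((m.group(2).strip(), im.group(1).strip()))
                    i += 2
                    continue
        i += 1
    return chain


def chain_problems(chain: List[Tuple[str, str]]) -> List[str]:
    """Describe each place where the served chain fails to link up."""
    problems = []
    for idx in range(len(chain) - 1):
        _subject, issuer = chain[idx]
        next_subject, next_issuer = chain[idx + 1]
        if issuer != next_subject:
            problems.append(
                f"cert {idx} is issued by '{issuer}' but cert {idx + 1} "
                f"is '{next_subject}'"
            )
        if next_subject == next_issuer:
            problems.append(
                f"cert {idx + 1} is self-signed (a root, not an intermediate)"
            )
    return problems


if __name__ == "__main__":
    # Usage: openssl s_client -connect host:443 -showcerts </dev/null 2>&1 | python3 chaincheck.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BROKEN_OUTPUT
    found = chain_problems(parse_chain(text))
    for p in found:
        print("PROBLEM:", p)
    print("chain links up" if not found else f"{len(found)} problem(s) found")
```

Run without input it checks the quoted chain and reports two problems (wrong issuer for cert 0, and cert 1 self-signed); piping live `s_client` output through it reports nothing for a correctly linked chain. The check only inspects name linkage, which is exactly the mismatch visible in the report; it does not replace OpenSSL's signature and trust-anchor verification, and a chain that passes here can still fail `-CAfile` verification for other reasons.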
