Package: libssl0.9.8
Version: 0.9.8k-4
Severity: important

With the above version of libssl0.9.8, I get the following error output when trying to run heirloom-mailx:

> % heirloom-mailx
> Error with certificate at depth: 2
>  issuer = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> subject = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> err 7: certificate signature failure
> Continue (y/n)? n
> could not initiate SSL/TLS connection: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

This does not occur if I revert back to libssl0.9.8 version 0.9.8k-1.

I believe that I can reproduce the error with the "openssl" command-line program, using the command:

% openssl s_client -connect calmail.berkeley.edu:143 -CAfile /etc/ssl/certs/ca-certificates.crt -starttls imap

I have attached the output of running the above command with versions 0.9.8k-4 and 0.9.8k-1 of libssl0.9.8. (In both cases /usr/bin/openssl was from openssl version 0.9.8k-4.)

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30
Locale: LANG=C, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl0.9.8 depends on:
ii  debconf [debconf-2.0]  1.5.27             Debian configuration management sy
ii  libc6                  2.9-24             GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-15  compression library - runtime

libssl0.9.8 recommends no packages.

libssl0.9.8 suggests no packages.

-- debconf information:
  libssl0.9.8/restart-failed:
  libssl0.9.8/restart-services:

% openssl s_client -connect calmail.berkeley.edu:143 -CAfile /etc/ssl/certs/ca-certificates.crt -starttls imap
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
verify return:1
depth=0 /C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3630 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 6C4CDBA499897F824514138C17AC3E0EE436EB8EC60A219917A273D7AFA2ABE9
    Session-ID-ctx:
    Master-Key: 4FE917EA10419AA67C808B3CBEEBA7B6780760C52CD260D8536176812A843BAC8F902FA4676DEDB6FFB4B03DBC3A6E47
    Key-Arg   : None
    Start Time: 1250383531
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
. OK Completed
DONE

% openssl s_client -connect calmail.berkeley.edu:143 -CAfile /etc/ssl/certs/ca-certificates.crt -starttls imap
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=7:certificate signature failure
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3630 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 51C807DC5B93C1B9F97C3C8F279D8DCC5CCD8F35B110654777F6A4B88CF1A299
    Session-ID-ctx:
    Master-Key: 32CF179DEA51737C5509D335AFD8E6D5DEBE449FA08259613BD78B41B8EB03E9CD8F3D101637D105C9EF7C8124915C57
    Key-Arg   : None
    Start Time: 1250383611
    Timeout   : 300 (sec)
    Verify return code: 7 (certificate signature failure)
---
. OK Completed
DONE
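
One way to compare two saved `openssl s_client` transcripts like those attached to this report and pinpoint the chain depth at which verification diverged. This is an added example, not part of the original report; the function names `verify_summary` and `compare_runs` are hypothetical, and the sample input is abridged from the transcripts above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of OpenSSL.

# verify_summary: transcript on stdin -> one line per "verify error" (tagged
# with the chain depth it occurred at) plus the final verify return code.
verify_summary() {
    awk '
        /^depth=[0-9]+/ { depth = $1; sub(/^depth=/, "", depth) }
        /^verify error:num=/ {
            rest = $0; sub(/^verify error:num=/, "", rest)
            num = rest; sub(/:.*$/, "", num)
            msg = rest; sub(/^[0-9]+:/, "", msg)
            printf "error depth=%s num=%s msg=%s\n", depth, num, msg
        }
        /Verify return code:/ {
            code = $0; sub(/^.*Verify return code: */, "", code)
            sub(/ .*$/, "", code)
            printf "final code=%s\n", code
        }'
}

# compare_runs GOOD BAD: print "regression" and the errors from BAD when GOOD
# ended with code 0 and BAD with a non-zero code; else print "no-regression".
compare_runs() {
    good=$(verify_summary < "$1" | sed -n 's/^final code=//p')
    bad=$(verify_summary < "$2" | sed -n 's/^final code=//p')
    if [ "$good" = "0" ] && [ -n "$bad" ] && [ "$bad" != "0" ]; then
        echo "regression"
        verify_summary < "$2" | sed -n '/^error /p'
    else
        echo "no-regression"
    fi
}

# Sample input: lines abridged from the two transcripts in the report.
ROOT='/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority'
sample_good() {
    printf '%s\n' "depth=2 $ROOT" 'verify return:1' '    Verify return code: 0 (ok)'
}
sample_bad() {
    printf '%s\n' "depth=2 $ROOT" \
        'verify error:num=7:certificate signature failure' 'verify return:0' \
        '    Verify return code: 7 (certificate signature failure)'
}

tmp=$(mktemp -d)
sample_good > "$tmp/good.txt"; sample_bad > "$tmp/bad.txt"
compare_runs "$tmp/good.txt" "$tmp/bad.txt"
rm -rf "$tmp"
```

For real use, save each run with `openssl s_client ... > run.txt 2>&1` so the verification lines are captured, then pass the two files to `compare_runs`.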

