Package: libssl1.0.0
Version: 1.0.0d-1
Severity: important

It seems all the certificates in /etc/ssl/certs have become pretty much useless now, because just about every connection fails either with error 20 (unable to get local issuer certificate) or error 19 (self signed certificate in certificate chain), like this:

,----
| $ openssl s_client -CApath /etc/ssl/certs/ -connect bugs.freedesktop.org:443
| CONNECTED(00000003)
| depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
| verify error:num=20:unable to get local issuer certificate
| [...]
| $ openssl s_client -CApath /etc/ssl/certs/ -connect alioth.debian.org:443
| CONNECTED(00000003)
| depth=2 C = US, ST = Indiana, L = Indianapolis, O = Software in the Public Interest, OU = hostmaster, CN = Certificate Authority, emailAddress = hostmas...@spi-inc.org
| verify error:num=19:self signed certificate in certificate chain
| [...]
`----

This broke my mail setup after today's binNMU of postfix which could not set up a verified connection to the relay host:

,----
| Apr 13 16:22:53 turtle postfix/smtp[1972]: setting up TLS connection to mail.gmx.net[213.165.64.21]:587
| Apr 13 16:22:53 turtle postfix/smtp[1972]: certificate verification
| failed for mail.gmx.net[213.165.64.21]:587: untrusted issuer
| /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
| cc/OU=Certification Services Division/CN=Thawte Premium Server
| CA/emailAddress=premium-ser...@thawte.com
| Apr 13 16:22:53 turtle postfix/smtp[1972]: Untrusted TLS connection
| established to mail.gmx.net[213.165.64.21]:587: TLSv1 with cipher
| DHE-RSA-AES256-SHA (256/256 bits)
| Apr 13 16:22:53 turtle postfix/smtp[1972]: 88EFF3F328: Server certificate not trusted
| Apr 13 16:22:53 turtle postfix/smtp[1972]: setting up TLS connection to mail.gmx.net[213.165.64.20]:587
| Apr 13 16:22:53 turtle postfix/smtp[1972]: certificate verification
| failed for mail.gmx.net[213.165.64.20]:587: untrusted issuer
| /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
| cc/OU=Certification Services Division/CN=Thawte Premium Server
| CA/emailAddress=premium-ser...@thawte.com
| Apr 13 16:22:53 turtle postfix/smtp[1972]: Untrusted TLS connection
| established to mail.gmx.net[213.165.64.20]:587: TLSv1 with cipher
| DHE-RSA-AES256-SHA (256/256 bits)
| Apr 13 16:22:53 turtle postfix/smtp[1972]: 88EFF3F328:
| to=<620...@bugs.debian.org>, relay=mail.gmx.net[213.165.64.20]:587,
| delay=2.4, delays=0.3/0.87/1.2/0, dsn=4.7.5, status=deferred (Server
| certificate not trusted)
`----

Downgrading postfix to 2.8.2-1 "fixed" this. Needless to say, the openssl version in Squeeze shows no errors in the above examples either.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.39-rc3-nouveau (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl1.0.0 depends on:
ii  debconf [debconf-2.0]  1.5.38            Debian configuration management sy
ii  libc6                  2.11.2-11         Embedded GNU C Library: Shared lib
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

libssl1.0.0 recommends no packages.

libssl1.0.0 suggests no packages.

-- debconf information:
  libssl1.0.0/restart-failed:
  libssl1.0.0/restart-services: