Today, 7 August 2011, Kamil Jońca wrote:
> I have weird problem with some sites using ssl.
> Mozilla _can_ validate certificate but wget can't, and I don't know if
> it is a debian bug or openssl.
> Whole story begins at
> http://lists.debian.org/debian-user/2011/06/msg00089.html

The certificate chain sent by the website is this:

 0. s:/1.3.6.1.4.1.311.60.2.1.3=PL/2.5.4.15=Private Organization/serialNumber=0000008723/C=PL/postalCode=50-950/ST=Dolnoslaskie/L=Wroclaw/streetAddress=ul. Rynek 9/11/O=Bank Zachodni WBK S.A./OU=Obszar Operacji Bankowych/CN=www.centrum24.pl
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    issuer hash bae2cbd8/ac12bd91
 1. s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    subject hash bae2cbd8/ac12bd91
    issuer hash facacbc6/b204d74a
 2. s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    subject hash facacbc6/b204d74a
    issuer hash 7651b327/415660c1

Your wget binary wants to validate the certificate sent in position 2,
which is signed by a previous VeriSign Root CA. So it looks for a file
or link named 415660c1.0 in the /usr/lib/ssl/certs/ directory, and
can't find it.

Are you sure it doesn't look for a file or link named b204d74a.0 in
the same directory, after that? Normally, it should try to validate
the position 1 certificate with its certificate store.

--
Erwann ABALEA <erwann.aba...@keynectis.com>
Département R&D
KEYNECTIS
11-13 rue René Jacques - 92131 Issy les Moulineaux Cedex - France
Tél.: +33 1 55 64 22 07
http://www.keynectis.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
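
The lookup discussed in the reply above, as an added example that is not part of the original message: a simplified Python model of which files a verifier would probe in a hashed CA directory, using the hash pairs from the chain listing. The function names, the top-down fallback order and the choice of the second hash of each pair (the one the reply uses in file names) are assumptions for illustration, not OpenSSL's own chain-building code.

```python
# Added illustration: simplified model of a hashed CA directory lookup.
# Hash pairs are copied from the chain listing in the message; only the
# ".0" suffix is considered, as in the file names the reply mentions.
CHAIN = [
    # (position, subject CN, subject hashes, issuer hashes)
    # The subject hash of position 0 is not given in the listing.
    (0, "www.centrum24.pl", None, ("bae2cbd8", "ac12bd91")),
    (1, "VeriSign Class 3 Extended Validation SSL SGC CA",
     ("bae2cbd8", "ac12bd91"), ("facacbc6", "b204d74a")),
    (2, "VeriSign Class 3 Public Primary Certification Authority - G5",
     ("facacbc6", "b204d74a"), ("7651b327", "415660c1")),
]


def links_consistent(chain):
    """True when each issuer hash pair equals the next certificate's subject pair."""
    return all(chain[i][3] == chain[i + 1][2] for i in range(len(chain) - 1))


def lookup_order(chain, which=1):
    """File names to probe, starting from the last certificate the server sent."""
    return [f"{issuer[which]}.0" for _, _, _, issuer in reversed(chain)]


def first_anchor(chain, store_files, which=1):
    """Return (position, file name) for the first issuer present in the store.

    'position' is the sent certificate whose issuer was found locally;
    certificates sent above that position are not needed. None means no
    issuer of any sent certificate is in the store.
    """
    for pos, _, _, issuer in reversed(chain):
        name = f"{issuer[which]}.0"
        if name in store_files:
            return pos, name
    return None


if __name__ == "__main__":
    print("chain links consistent:", links_consistent(CHAIN))
    print("probe order:", lookup_order(CHAIN))
    # Constructed store contents: only the G5 root is installed locally.
    print("anchor:", first_anchor(CHAIN, {"b204d74a.0"}))
```

With a store that holds only b204d74a.0, the model anchors the chain at position 1, which is the outcome the reply says should normally happen; whether a given wget/OpenSSL build performs that second probe is the question the reply raises.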