[Bug 314710] Re: ca-certificates differ from those provided by root CA
Closing. Downloaded upstream cert matches extracted cert, with the exception of carriage returns and no newline.

mshuler@mana:~/tmp$ wget -q http://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Global_eBusiness_CA-1.pem
mshuler@mana:~/tmp$ openssl x509 -text -noout -fingerprint -in Equifax_Secure_Global_eBusiness_CA-1.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Validity
            Not Before: Jun 21 04:00:00 1999 GMT
            Not After : Jun 21 04:00:00 2020 GMT
        Subject: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:e7:17:90:02:65:b1:34:55:3c:49:c2:51:d5:
                    df:a7:d1:37:8f:d1:e7:81:73:41:52:60:9b:9d:a1:
                    17:26:78:ad:c7:b1:e8:26:94:32:b5:de:33:8d:3a:
                    2f:db:f2:9a:7a:5a:73:98:a3:5c:e9:fb:8a:73:1b:
                    5c:e7:c3:bf:80:6c:cd:a9:f4:d6:2b:c0:f7:f9:99:
                    aa:63:a2:b1:47:02:0f:d4:e4:51:3a:12:3c:6c:8a:
                    5a:54:84:70:db:c1:c5:90:cf:72:45:cb:a8:59:c0:
                    cd:33:9d:3f:a3:96:eb:85:33:21:1c:3e:1e:3e:60:
                    6e:76:9c:67:85:c5:c8:c3:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C
            X509v3 Subject Key Identifier:
                BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C
    Signature Algorithm: md5WithRSAEncryption
         30:e2:01:51:aa:c7:ea:5f:da:b9:d0:65:0f:30:d6:3e:da:0d:
         14:49:6e:91:93:27:14:31:ef:c4:f7:2d:45:f8:ec:c7:bf:a2:
         41:0d:23:b4:92:f9:19:00:67:bd:01:af:cd:e0:71:fc:5a:cf:
         64:c4:e0:96:98:d0:a3:40:e2:01:8a:ef:27:07:f1:65:01:8a:
         44:2d:06:65:75:52:c0:86:10:20:21:5f:6c:6b:0f:6c:ae:09:
         1c:af:f2:a2:18:34:c4:75:a4:73:1c:f1:8d:dc:ef:ad:f9:b3:
         76:b4:92:bf:dc:95:10:1e:be:cb:c8:3b:5a:84:60:19:56:94:
         a9:55
SHA1 Fingerprint=7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45

mshuler@mana:~/tmp$ openssl x509 -text -noout -fingerprint -in /usr/share/ca-certificates/mozilla/Equifax_Secure_Global_eBusiness_CA.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Validity
            Not Before: Jun 21 04:00:00 1999 GMT
            Not After : Jun 21 04:00:00 2020 GMT
        Subject: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ba:e7:17:90:02:65:b1:34:55:3c:49:c2:51:d5:
                    df:a7:d1:37:8f:d1:e7:81:73:41:52:60:9b:9d:a1:
                    17:26:78:ad:c7:b1:e8:26:94:32:b5:de:33:8d:3a:
                    2f:db:f2:9a:7a:5a:73:98:a3:5c:e9:fb:8a:73:1b:
                    5c:e7:c3:bf:80:6c:cd:a9:f4:d6:2b:c0:f7:f9:99:
                    aa:63:a2:b1:47:02:0f:d4:e4:51:3a:12:3c:6c:8a:
                    5a:54:84:70:db:c1:c5:90:cf:72:45:cb:a8:59:c0:
                    cd:33:9d:3f:a3:96:eb:85:33:21:1c:3e:1e:3e:60:
                    6e:76:9c:67:85:c5:c8:c3:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C
            X509v3 Subject Key Identifier:
                BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C
    Signature Algorithm: md5WithRSAEncryption
         30:e2:01:51:aa:c7:ea:5f:da:b9:d0:65:0f:30:d6:3e:da:0d:
         14:49:6e:91:93:27:14:31:ef:c4:f7:2d:45:f8:ec:c7:bf:a2:
         41:0d:23:b4:92:f9:19:00:67:bd:01:af:cd:e0:71:fc:5a:cf:
         64:c4:e0:96:98:d0:a3:40:e2:01:8a:ef:27:07:f1:65:01:8a:
         44:2d:06:65:75:52:c0:86:10:20:21:5f:6c:6b:0f:6c:ae:09:
         1c:af:f2:a2:18:34:c4:75:a4:73:1c:f1:8d:dc:ef:ad:f9:b3:
         76:b4:92:bf:dc:95:10:1e:be:cb:c8:3b:5a:84:60:19:56:94:
         a9:55
SHA1 Fingerprint=7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45

mshuler@mana:~/tmp$ diff --strip-trailing-cr
[Bug 314710] Re: ca-certificates differ from those provided by root CA
Is this still a problem with ca-certificates (20110421) in Oneiric? This version recently got updates for all Mozilla certdata.

** Changed in: ca-certificates (Ubuntu)
       Status: New => Incomplete

** Changed in: ca-certificates (Ubuntu)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/314710

Title:
  ca-certificates differ from those provided by root CA

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 314710] Re: ca-certificates differ from those provided by root CA
On Wed, Jan 07, 2009 at 07:08:28PM -, Piotr Czachur wrote:
> Btw. What you mean by so obviously it's not RFC-compliant in there?
> Why certs come from Mozilla truststore are considered to be non-RFC-compliant?

As I only dump the certificate blobs from certdata.txt out of the nss CSS (Mozilla) this single certificate (or perhaps more?) is obviously in a non-compliant form in there. It would be nice if you could look if there are more non-compliant certs in /usr/share/ca-certificates/mozilla and raise it with the mozilla devs in their bugtracker. But be aware that they are usually slow on such matters.

On the other hand two alternative SSL implementations (openssl and nss) are confirmed to work with it and I'd bet that gnutls does too.

What I could do, of course, is adjusting the dumping script to rewrite the base64 lines. Do you think it's desirable? I *guess* that the certificate in question once matched the CA's copy but that they were pointed at the non-conformant file. I'd normally expect that what I get from the truststore is equivalent to that what the CA ships, too. Then we shouldn't do transformations on the certificates again. But I'm open for both, I think.

Kind regards,
Philipp Kern

-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                 Release Assistant
`. `'   xmpp:p...@0x539.de          Stable Release Manager
  `-    finger pkern/k...@db.debian.org

-- 
ca-certificates differ from those provided by root CA
https://bugs.launchpad.net/bugs/314710
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 314710] Re: ca-certificates differ from those provided by root CA
RE: YaSSL doesn't support certs from mozilla (New)
By: Todd Ouska (touskaProject Admin) - 2009-01-07 21:35

Hi,

Actually, looking closer at your other post on launchpad you've already identified the problem. The PEM formatting of the ubuntu provided cert is incorrect. Each line except the last should be 64 characters (not 60). It's interesting to note that Mozilla correctly exported the PEM file for me. Not sure how they're doing it or which version of the truststore they're using.

Thanks for the report.
[Bug 314710] Re: ca-certificates differ from those provided by root CA
Pasting new comments from http://sourceforge.net/forum/forum.php?thread_id=2817179&forum_id=439591

RE: YaSSL doesn't support certs from mozilla (New)
By: Todd Ouska (touskaProject Admin) - 2009-01-07 21:17

Hi,

Yes, yaSSL supports PEM certificates from the Mozilla truststore. The problem I'm getting in duplicating this report is that both geotrust.com and Firefox 3.0.5 (Mozilla 5.0) are giving me the same cert.

MD5: 6c4c4791d77d8848f0907511a0bf686e

The same one you're getting from geotrust.com. Can you send me the ubuntu cert to todd at yassl.com . And I'll be happy to look at it.
Re: [Bug 314710] Re: ca-certificates differ from those provided by root CA
On Thu, Jan 08, 2009 at 08:52:51AM -, Piotr Czachur wrote:
> Pasting new comments from http://sourceforge.net/forum/forum.php?thread_id=2817179&forum_id=439591
>
> RE: YaSSL doesn't support certs from mozilla (New)
> By: Todd Ouska (touskaProject Admin) - 2009-01-07 21:17
>
> Hi,
>
> Yes, yaSSL supports PEM certificates from the Mozilla truststore. The problem I'm getting in duplicating this report is that both geotrust.com and Firefox 3.0.5 (Mozilla 5.0) are giving me the same cert.
>
> MD5: 6c4c4791d77d8848f0907511a0bf686e
>
> The same one you're getting from geotrust.com. Can you send me the ubuntu cert to todd at yassl.com . And I'll be happy to look at it.

Cert attached. It looks like Mozilla's nss converts the internal representation to export a valid certificate with the appropriate line length. When I export the PEM from the certdata.txt included in the source I get line lengths of four chars less in the base64 data. If I just join the lines and re-wrap them at 64 the diff to the cert file from the CA is empty.

So the only problem here is that yassl cannot cope with non-RFC-compliant line lengths in the base64 data and Mozilla should fix the certificate data in the source.

Kind regards,
Philipp Kern

** Attachment added: "Equifax_Secure_Global_eBusiness_CA.crt"
   http://launchpadlibrarian.net/21005515/Equifax_Secure_Global_eBusiness_CA.crt
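A checker for the exact mismatch this thread is about, added here as an example (it is not code from the bug, from yaSSL, from nss or from the ca-certificates package): it flags PEM body lines that break the RFC 1421 rule of 64 characters per line, and it normalizes a file by joining the base64 lines and re-wrapping at 64, the operation Philipp Kern describes above, while showing that the decoded DER and its SHA-1 fingerprint do not change. The sample input is a constructed byte string standing in for a certificate's DER, not the Equifax certificate; all function names are my own.

```python
import base64
import hashlib

# Assumption: standard armor for an X.509 certificate, as in the files above.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
RFC1421_WIDTH = 64  # RFC 1421: every line except the last has exactly 64 chars


def pem_body_lines(pem: str) -> list[str]:
    """Base64 lines between the armor markers; CR and blank lines dropped."""
    lines = [ln.rstrip("\r") for ln in pem.splitlines()]
    try:
        start, end = lines.index(BEGIN), lines.index(END)
    except ValueError as exc:
        raise ValueError("PEM armor missing") from exc
    return [ln for ln in lines[start + 1:end] if ln.strip()]


def check_rfc1421(pem: str) -> list[str]:
    """Report each body line whose length violates RFC 1421 (what a strict reader rejects)."""
    body = pem_body_lines(pem)
    problems = []
    for i, line in enumerate(body, start=1):
        last = i == len(body)
        if (not last and len(line) != RFC1421_WIDTH) or len(line) > RFC1421_WIDTH:
            problems.append(f"body line {i}: {len(line)} chars, expected {RFC1421_WIDTH}")
    return problems


def der_bytes(pem: str) -> bytes:
    """Decode the armored body; validate=True rejects stray characters."""
    return base64.b64decode("".join(pem_body_lines(pem)), validate=True)


def der_sha1(pem: str) -> str:
    """SHA-1 over the DER, the value `openssl x509 -fingerprint` prints."""
    return hashlib.sha1(der_bytes(pem)).hexdigest().upper()


def normalize_pem(pem: str) -> str:
    """Join the body and re-wrap at 64 chars with LF endings and a final newline.
    The DER is untouched, so the fingerprint is unchanged."""
    b64 = "".join(pem_body_lines(pem))
    base64.b64decode(b64, validate=True)  # reject garbage before rewriting anything
    wrapped = [b64[i:i + RFC1421_WIDTH] for i in range(0, len(b64), RFC1421_WIDTH)]
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


def make_pem(der: bytes, width: int, crlf: bool = False) -> str:
    """Build a PEM with an arbitrary wrap width (only used to construct sample inputs)."""
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = [b64[i:i + width] for i in range(0, len(b64), width)]
    eol = "\r\n" if crlf else "\n"
    return eol.join([BEGIN, *wrapped, END])  # no trailing newline, like the download


# Constructed stand-in for a certificate's DER bytes (NOT a real certificate).
SAMPLE_DER = bytes(range(256)) * 3

# Like the CA download in this thread: 64-char lines, CRLF, no final newline.
CA_COPY = make_pem(SAMPLE_DER, 64, crlf=True)
# Like the certdata.txt export shipped by the package: 60-char lines.
DISTRO_COPY = make_pem(SAMPLE_DER, 60)

if __name__ == "__main__":
    for name, pem in (("CA copy", CA_COPY), ("distro copy", DISTRO_COPY)):
        print(f"{name}: {len(check_rfc1421(pem))} RFC 1421 violations, SHA1={der_sha1(pem)}")
    print("identical after re-wrap:", normalize_pem(CA_COPY) == normalize_pem(DISTRO_COPY))
```

Running `check_rfc1421` over a directory of PEM files is a cheap way to catch a wrapping regression in a trust store before a strict client such as the one in this report does.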
[Bug 314710] Re: ca-certificates differ from those provided by root CA
** Description changed:

  Binary package hint: ca-certificates

  Ubuntu 8.10
  Package: ca-certificates 20080514-0ubuntu1.1

  As example I will use just one certificate provided by package ca-certificates, but the problem concerns more of them.
  Those certificates (pasted a few lines below) differ only in line length, content is the same.
+ Debian-provided cert has 60-chars lines, and the one downloaded via web has 64-chars lines, just like RFC 1421 suggests:
+ To represent the encapsulated text of a PEM message, the encoding function's output is delimited into text lines (using local conventions), with each line except the last containing exactly 64 printable characters and the final line containing 64 or fewer printable characters.
+
+ Command `openssl x509 -in crt -text -noout` prints exactly same output for both certs.
  ...but when use for mySQL server (+yassl) certificate validation on client's side (mysql ... --ssl-verify-server-cert) *only* Equifax_Secure_Global_eBusiness_CA-1.cer success. For debian provided cert I get SSL Connection error, which means server certificate doesn't validate or other error with certificate.
- Shouldn't ubuntu-provided certificate be exactly the same as provided by
- root CA? It would prevent from errors I just mentioned.
+ Shouldn't ubuntu-provided certificate be exactly the same as provided by root CA and be valid with RFC1421?
+ It would prevent from errors I just mentioned.
+ Here are both certificates:

  Equifax_Secure_Global_eBusiness_CA-1.cer (downloaded from http://www.geotrust.com/resources/root-certificates/)
  -----BEGIN CERTIFICATE-----
  MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEc
  MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBT
  ZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIw
  MDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2Vj
  dXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l
  c3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuucXkAJlsTRVPEnC
  UdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc
  58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/
  o5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAH
  MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1dr
  aGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA
  A4GBADDiAVGqx+pf2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkA
  Z70Br83gcfxaz2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv
  8qIYNMR1pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV
  -----END CERTIFICATE-----

  Equifax_Secure_Global_eBusiness_CA.crt (shipped with ubuntu/ca-certificates)
  -----BEGIN CERTIFICATE-----
  MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJV
  UzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1
  aWZheCBTZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0
  MDAwMFoXDTIwMDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoT
  E0VxdWlmYXggU2VjdXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJl
  IEdsb2JhbCBlQnVzaW5lc3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
  gYkCgYEAuucXkAJlsTRVPEnCUdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQy
  td4zjTov2/KaelpzmKNc6fuKcxtc58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORR
  OhI8bIpaVIRw28HFkM9yRcuoWcDNM50/o5brhTMhHD4ePmBudpxnhcXIw2EC
  AwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQFMAMBAf8w
  HwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1draGwwHQYDVR0OBBYEFL6o
  oHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUAA4GBADDiAVGqx+pf
  2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkAZ70Br83gcfxa
  z2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv8qIYNMR1
  pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV
  -----END CERTIFICATE-----
[Bug 314710] Re: ca-certificates differ from those provided by root CA
** Description changed:

  Binary package hint: ca-certificates

  Ubuntu 8.10
  Package: ca-certificates 20080514-0ubuntu1.1

  As example I will use just one certificate provided by package ca-certificates, but the problem concerns more of them.
  Those certificates (pasted a few lines below) differ only in line length, content is the same.
  Debian-provided cert has 60-chars lines, and the one downloaded via web has 64-chars lines, just like RFC 1421 suggests:
  To represent the encapsulated text of a PEM message, the encoding function's output is delimited into text lines (using local conventions), with each line except the last containing exactly 64 printable characters and the final line containing 64 or fewer printable characters.

  Command `openssl x509 -in crt -text -noout` prints exactly same output for both certs.
- ...but when use for mySQL server (+yassl) certificate validation on client's side (mysql ... --ssl-verify-server-cert) *only* Equifax_Secure_Global_eBusiness_CA-1.cer success. For debian provided cert I get SSL Connection error, which means server certificate doesn't validate or other error with certificate.
+ So far, all seem to be fine, but ...but for example when I use these CA certs for mySQL server (with yassl) certificate validation on client's side (mysql ... --ssl-verify-server-cert) *only* Equifax_Secure_Global_eBusiness_CA-1.cer success. For debian provided cert I get SSL Connection error, which means server certificate doesn't validate or other error with certificate.
  Shouldn't ubuntu-provided certificate be exactly the same as provided by root CA and be valid with RFC1421?
  It would prevent from errors I just mentioned.
  Here are both certificates:

  Equifax_Secure_Global_eBusiness_CA-1.cer (downloaded from http://www.geotrust.com/resources/root-certificates/)
  -----BEGIN CERTIFICATE-----
  MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEc
  MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBT
  ZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIw
  MDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2Vj
  dXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l
  c3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuucXkAJlsTRVPEnC
  UdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc
  58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/
  o5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAH
  MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1dr
  aGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA
  A4GBADDiAVGqx+pf2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkA
  Z70Br83gcfxaz2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv
  8qIYNMR1pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV
  -----END CERTIFICATE-----

  Equifax_Secure_Global_eBusiness_CA.crt (shipped with ubuntu/ca-certificates)
  -----BEGIN CERTIFICATE-----
  MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJV
  UzEcMBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1
  aWZheCBTZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0
  MDAwMFoXDTIwMDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoT
  E0VxdWlmYXggU2VjdXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJl
  IEdsb2JhbCBlQnVzaW5lc3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw
  gYkCgYEAuucXkAJlsTRVPEnCUdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQy
  td4zjTov2/KaelpzmKNc6fuKcxtc58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORR
  OhI8bIpaVIRw28HFkM9yRcuoWcDNM50/o5brhTMhHD4ePmBudpxnhcXIw2EC
  AwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQFMAMBAf8w
  HwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1draGwwHQYDVR0OBBYEFL6o
  oHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUAA4GBADDiAVGqx+pf
  2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkAZ70Br83gcfxa
  z2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv8qIYNMR1
  pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV
  -----END CERTIFICATE-----
[Bug 314710] Re: ca-certificates differ from those provided by root CA
Well, openssl reads the PEM blob just fine. In fact the blob comes verbatim from the Mozilla truststore (which is exploded into various PEM files at buildtime), so obviously it's not RFC-compliant in there.

$ openssl x509 -text -noout -in /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Validity
            Not Before: Jun 21 04:00:00 1999 GMT
            Not After : Jun 21 04:00:00 2020 GMT
        Subject: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ba:e7:17:90:02:65:b1:34:55:3c:49:c2:51:d5:
                    df:a7:d1:37:8f:d1:e7:81:73:41:52:60:9b:9d:a1:
                    17:26:78:ad:c7:b1:e8:26:94:32:b5:de:33:8d:3a:
                    2f:db:f2:9a:7a:5a:73:98:a3:5c:e9:fb:8a:73:1b:
                    5c:e7:c3:bf:80:6c:cd:a9:f4:d6:2b:c0:f7:f9:99:
                    aa:63:a2:b1:47:02:0f:d4:e4:51:3a:12:3c:6c:8a:
                    5a:54:84:70:db:c1:c5:90:cf:72:45:cb:a8:59:c0:
                    cd:33:9d:3f:a3:96:eb:85:33:21:1c:3e:1e:3e:60:
                    6e:76:9c:67:85:c5:c8:c3:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C
            X509v3 Subject Key Identifier:
                BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C
    Signature Algorithm: md5WithRSAEncryption
        30:e2:01:51:aa:c7:ea:5f:da:b9:d0:65:0f:30:d6:3e:da:0d:
        14:49:6e:91:93:27:14:31:ef:c4:f7:2d:45:f8:ec:c7:bf:a2:
        41:0d:23:b4:92:f9:19:00:67:bd:01:af:cd:e0:71:fc:5a:cf:
        64:c4:e0:96:98:d0:a3:40:e2:01:8a:ef:27:07:f1:65:01:8a:
        44:2d:06:65:75:52:c0:86:10:20:21:5f:6c:6b:0f:6c:ae:09:
        1c:af:f2:a2:18:34:c4:75:a4:73:1c:f1:8d:dc:ef:ad:f9:b3:
        76:b4:92:bf:dc:95:10:1e:be:cb:c8:3b:5a:84:60:19:56:94:
        a9:55
$ md5sum /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem
cad53d7b8b6d076f95d5cd23cac6b626  /etc/ssl/certs/Equifax_Secure_Global_eBusiness_CA.pem
[Bug 314710] Re: ca-certificates differ from those provided by root CA
Hello!

Point is that some applications don't support non-RFC-compliant certificates. My first *guess* is default MySQL SSL implementation - yassl - which is compiled into MySQL binary provided by MySQL, and also debian-like operating systems.

Help me to decide what to do further with this issue, I'm really not sure which door to knock at:
- debian/ubuntu ca-certificates maintainers
- yassl devs
- mozilla devs

Btw. What you mean by so obviously it's not RFC-compliant in there? Why certs come from Mozilla truststore are considered to be non-RFC-compliant?
[Bug 314710] Re: ca-certificates differ from those provided by root CA
I created thread concerning this issue on YaSSL developers forum:
https://sourceforge.net/forum/forum.php?thread_id=2817179&forum_id=439591