Bug 201831 - There is no "Thawte Premium Server CA" in the security/ca_root_nss
Summary: There is no "Thawte Premium Server CA" in the security/ca_root_nss
Status: Closed Works As Intended
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-gecko (Nobody)
URL: https://blog.mozilla.org/security/201...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-24 14:38 UTC by v.chernyadev
Modified: 2015-07-24 15:48 UTC
0 users

See Also:
jbeich: maintainer-feedback+


Attachments
NSS with CKBI 1.98 (1.04 KB, patch)
2015-07-24 15:48 UTC, Jan Beich
no flags

Description v.chernyadev 2015-07-24 14:38:13 UTC
There is no "Thawte Premium Server CA" in the security/ca_root_nss, so wget and curl cannot connect to the host by SSL.

Example:
# openssl s_client -connect 212.158.160.124:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Comment 1 Jan Beich freebsd_committer freebsd_triage 2015-07-24 15:45:59 UTC
Mozilla removed Thawte Premium Server CA because it uses a 1024-bit RSA key. If you really want such roots, try using the CKBI 1.98 flavor.

It works fine with OpenSSL 1.0.1p on 11.0-CURRENT or security/openssl port. openssl(1) there also no longer requires -CAfile to verify certs by default.

$ openssl s_client -connect 212.158.160.124:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = www.tradesoft.ru
verify return:1
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Comment 2 Jan Beich freebsd_committer freebsd_triage 2015-07-24 15:48:23 UTC
Created attachment 159168
NSS with CKBI 1.98

Try applying this patch. It tracks NSS-3.19.1 because CA roots haven't changed in NSS-3.19.2.
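The two s_client transcripts in this bug differ only in where the verifier anchors trust: the reporter's walks the served chain up to the self-signed Thawte Premium Server CA and fails because that root is not in ca_root_nss, while Comment 1's stops at thawte Primary Root CA, which is. The Python model below is added here and is not code from this bug, OpenSSL or NSS; it reproduces both outcomes from the subject/issuer names alone (assumptions: names abbreviated to their CN, trust stores and the 1024-bit root reduced to those named in the thread, and num=20 taken from OpenSSL's standard missing-issuer error rather than from this thread), also handles a served chain that omits the root, and flags when trust ends up anchored at the 1024-bit root, which is the trade-off of the CKBI 1.98 flavor.

```python
# Constructed, name-based model of the two verification outcomes in this bug.
# Only subject/issuer names (abbreviated to their CN) are modelled, not the
# certificates or signatures; this is not OpenSSL's, NSS's or the port's code.
# (subject, issuer) for each certificate the server sent, depth 0 first.
SERVED_CHAIN = [
    ("CN=www.tradesoft.ru", "CN=thawte DV SSL CA - G2"),
    ("CN=thawte DV SSL CA - G2", "CN=thawte Primary Root CA"),
    ("CN=thawte Primary Root CA", "CN=Thawte Premium Server CA"),
    ("CN=Thawte Premium Server CA", "CN=Thawte Premium Server CA"),
]
# Trust stores: ca_root_nss after Mozilla dropped the 1024-bit root, and the
# CKBI 1.98 flavour that still carries it.
NSS_CURRENT = {"CN=thawte Primary Root CA"}
NSS_CKBI_198 = {"CN=thawte Primary Root CA", "CN=Thawte Premium Server CA"}
# The root Comment 1 identifies as 1024-bit RSA (assumed to be the only one).
WEAK_1024_ROOTS = {"CN=Thawte Premium Server CA"}

ERR_SELF_SIGNED = "verify error:num=19:self signed certificate in certificate chain"
ERR_NO_ISSUER = "verify error:num=20:unable to get local issuer certificate"


def verify(chain, trusted, alternative_chains):
    """Return (ok, depth, message) in the style of s_client's verify lines.
    alternative_chains=False: follow the served chain to its end and require
    that certificate (or its issuer) to be in the store; without the
    self-signed Thawte Premium Server CA this is the reporter's depth=3 error.
    alternative_chains=True: on failure drop the top untrusted certificate
    and retry, so thawte Primary Root CA is accepted at depth=2 (Comment 1).
    """
    top = len(chain) - 1
    while True:
        subject, issuer = chain[top]
        if subject in trusted:
            return True, top, "verify return:1"
        if issuer in trusted:  # the store supplies the issuer itself
            return True, top + 1, "verify return:1"
        failure = (False, top, ERR_SELF_SIGNED if subject == issuer else ERR_NO_ISSUER)
        if not alternative_chains or top == 0:
            return failure
        top -= 1  # retry with the top untrusted certificate removed


def anchor_is_weak_root(chain, trusted, alternative_chains):
    """True when trust for this chain ends up anchored at a 1024-bit root."""
    ok, depth, _ = verify(chain, trusted, alternative_chains)
    if not ok:
        return False
    anchor = chain[depth][0] if depth < len(chain) else chain[-1][1]  # store-supplied
    return anchor in WEAK_1024_ROOTS
```

Running `verify(SERVED_CHAIN, NSS_CURRENT, False)` gives the reporter's depth=3 num=19 error, while `verify(SERVED_CHAIN, NSS_CURRENT, True)` anchors at depth 2 like Comment 1's output.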