There is no "Thawte Premium Server CA" in the security/ca_root_nss, so wget and curl cannot connect to the host by SSL.

Example:

# openssl s_client -connect 212.158.160.124:443
CONNECTED(00000003)
depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Mozilla removed Thawte Premium Server CA because it uses 1024 RSA key size. If you really want such roots try using CKBI 1.98 flavor.

It works fine with OpenSSL 1.0.1p on 11.0-CURRENT or security/openssl port. openssl(1) there also no longer requires -CAfile to verify certs by default.

$ openssl s_client -connect 212.158.160.124:443
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify return:1
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL CA - G2
verify return:1
depth=0 CN = www.tradesoft.ru
verify return:1
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
 3 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Created attachment 159168
NSS with CKBI 1.98

Try applying this patch. It tracks NSS-3.19.1 because CA roots haven't changed in NSS-3.19.2.
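
An added example, not part of the original report or any poster's code: a Python sketch that parses openssl s_client output like that in the first comment and reports which server-sent certificates are self-signed roots missing from the local store, and where a verifier that prefers the local store could stop. The trusted-subject set is an assumption taken from the second comment's depth=2 result, the DNs are abridged to their CN, and matching is by name only.

```python
import re

# Abridged from the s_client output in the first comment (DNs shortened to their CN).
SAMPLE = """\
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=www.tradesoft.ru
   i:/CN=thawte DV SSL CA - G2
 1 s:/CN=thawte DV SSL CA - G2
   i:/CN=thawte Primary Root CA
 2 s:/CN=thawte Primary Root CA
   i:/CN=Thawte Premium Server CA
 3 s:/CN=Thawte Premium Server CA
   i:/CN=Thawte Premium Server CA
---
"""

def parse_chain(text):
    """Return [(index, subject, issuer)] from the 'Certificate chain' block."""
    pairs = re.findall(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", text, re.M)
    return [(int(n), s.strip(), i.strip()) for n, s, i in pairs]

def verify_error(text):
    """Return (num, message) of the first 'verify error' line, or None."""
    m = re.search(r"^verify error:num=(\d+):(.*)$", text, re.M)
    return (int(m.group(1)), m.group(2).strip()) if m else None

def diagnose(text, trusted_subjects):
    """Compare the server-sent chain with subjects assumed to be in the local store.

    Name matching only; a real verifier also checks keys and signatures.
    """
    chain = parse_chain(text)
    self_signed = [n for n, s, i in chain if s == i]
    anchors = [n for n, s, _ in chain if s in trusted_subjects]
    return {
        "error": verify_error(text),
        "self_signed_sent": self_signed,
        "untrusted_roots_sent": [n for n in self_signed if n not in anchors],
        # Lowest index at which a verifier that prefers the local store can stop.
        "first_local_anchor": min(anchors) if anchors else None,
    }

if __name__ == "__main__":
    # Assumption: the store still has thawte Primary Root CA (second comment, depth=2).
    print(diagnose(SAMPLE, {"/CN=thawte Primary Root CA"}))
```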