Bug 1850306

Created attachment 1698520 [details]
SSL Labs Scan Report

Created attachment 1698520 [details]
SSL Labs Scan Report

Description of problem:
The "USERTrust RSA Certification Authority" CA certificate expired on 30 May 2020.  This certificate has been replaced, however OpenSSL 1.0.2 fails to verify the chain if the expired CA certificate remains in the trust store, as both certificates share the same identifier, "53:79:BF:5A:AA:2B:4A:CF:54:80:E1:D8:9B:C0:9D:F2:B2:03:66:CB".
      
Expired Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            13:ea:28:70:5b:f4:ec:ed:0c:36:63:09:80:61:43:36
    Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        
        
Valid Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:fd:6d:30:fc:a3:ca:51:a8:1b:bc:64:0e:35:03:2d
    Signature Algorithm: sha384WithRSAEncryption
        Issuer: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
        Validity
            Not Before: Feb  1 00:00:00 2010 GMT
            Not After : Jan 18 23:59:59 2038 GMT
        Subject: C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority


Version-Release number of selected component (if applicable):
ca-certificates-2020.2.41-70.0.el7_8.noarch
openssl-1.0.2k-19.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. openssl s_client -connect cnu.edu:443

Actual results:
# openssl s_client -connect cnu.edu:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify error:num=2:unable to get issuer certificate
issuer= C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
---
Certificate chain
 0 s:/C=US/postalCode=23606/ST=Virginia/L=Newport News/street=1 Avenue of the Arts/O=Christopher Newport University/OU=Information Technology Services/CN=cnu.edu
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHFjCCBf6gAwIBAgIQGdeNsrXdcBPgbGVYHeC0IjANBgkqhkiG9w0BAQsFADB2
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0yMDAzMTIwMDAwMDBaFw0yMjAzMTIy
MzU5NTlaMIHLMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMjM2MDYxETAPBgNVBAgT
CFZpcmdpbmlhMRUwEwYDVQQHEwxOZXdwb3J0IE5ld3MxHTAbBgNVBAkTFDEgQXZl
bnVlIG9mIHRoZSBBcnRzMScwJQYDVQQKEx5DaHJpc3RvcGhlciBOZXdwb3J0IFVu
aXZlcnNpdHkxKDAmBgNVBAsTH0luZm9ybWF0aW9uIFRlY2hub2xvZ3kgU2Vydmlj
ZXMxEDAOBgNVBAMTB2NudS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDn3riyB3z2p0RJ6ziCK+ZpYzhlbWg9+O+HonL34GOmbnSbwZxaCCUP/M9K
ZWIuFzht06TtT5v6yNfGu6r1fuHHtoyhtnlSR1UDQUm8McwZCkkYg02pqapAoMgg
rMvVGeDAFi3DPcS3GpDhJPMh2dkhUT7N6S6+xXx87xaKr1l2Ud+djK7du5YwO4yX
pJu56DQotZj4TgXDvpMLycP8Z/TrLGwygV1E1kp/cxmeiDiFUL+EGOyKetEmtPd+
EifRZOF9bDfuLizPFzhII5jaPryVIu5q7zov3mrUFHx+8OYbn8Ww4I9HQzK3iASA
LctJWx/ZebkzrLLd71WNGKqLyZo3AgMBAAGjggNIMIIDRDAfBgNVHSMEGDAWgBQe
BaN3j2yW4luHS6a0hqxxAAznODAdBgNVHQ4EFgQULy4OpSzRkoB5YaaVrXzV/GvV
VeowDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYB
BQUHAwEGCCsGAQUFBwMCMGcGA1UdIARgMF4wUgYMKwYBBAGuIwEEAwEBMEIwQAYI
KwYBBQUHAgEWNGh0dHBzOi8vd3d3LmluY29tbW9uLm9yZy9jZXJ0L3JlcG9zaXRv
cnkvY3BzX3NzbC5wZGYwCAYGZ4EMAQICMEQGA1UdHwQ9MDswOaA3oDWGM2h0dHA6
Ly9jcmwuaW5jb21tb24tcnNhLm9yZy9JbkNvbW1vblJTQVNlcnZlckNBLmNybDB1
BggrBgEFBQcBAQRpMGcwPgYIKwYBBQUHMAKGMmh0dHA6Ly9jcnQudXNlcnRydXN0
LmNvbS9JbkNvbW1vblJTQVNlcnZlckNBXzIuY3J0MCUGCCsGAQUFBzABhhlodHRw
Oi8vb2NzcC51c2VydHJ1c3QuY29tMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgA
dQBGpVXrdfqRIDC1oolp9PN9ESxBdL79SbiFq/L8cP5tRwAAAXDQU5ggAAAEAwBG
MEQCICzuMKuyodvs/4+8L6MgDLAGaHIMG/j1ea85i+fUN0K2AiBJVUeVDlXcScIB
RQfpsHC6ncPRZ31PmT8KCw74MTKTYAB2AN+lXqtogk8fbK3uuF9OPlrqzaISpGpe
jjsSwCBEXCpzAAABcNBTmBgAAAQDAEcwRQIgWPf5vnIIAsAi3dzUHHsZRepuDLKC
9abMfA9wFTbS9vECIQDSN0OyNkIEHSsVZLBsxGbk04uSSAhNflBnqizg6Zkj/wB3
AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do8JBilgb2AAABcNBTmRMAAAQDAEgw
RgIhAIRgLWiZZ8D8LKoHpJO0lhraLdoVfBPZU00+IEXG7y6ZAiEAskj0z1Kb89jl
Idrwf4vzhx0lurzG8TqtD+5By7ih/bUwHQYDVR0RBBYwFIIHY251LmVkdYIJKi5j
bnUuZWR1MA0GCSqGSIb3DQEBCwUAA4IBAQAsRBrd7AD5FcvR3EMe5JLFuU5T492S
wd+QPoXnjkTCPMotq6R99fUn4WRGabDCBrBd8RRiglCJu2EwraHQfnKOqVxLquAD
Ak1jml4FAW38lhhl91cTzhpxVt1KrkkK/KZdUwFepCgsBqIzewu3ln+PHRvWHG31
CJYuaXsyv46bSrXF7vtCWvIJfxvS4i/Hr+kUVKW2Iai2nLqB6l/yFwyv32Ooivqm
aXmrQ9jDO5RQ9fzGvjmjw3Dne5mK6E1NV5scwv6Ra9E6J5B6qhCeSWgV+fQ255Yo
dAAmcaw83rQjDsRxLflAl0YFRsSf+NYfp8N1KjITtKHZD4QIgazlkOsr
-----END CERTIFICATE-----
subject=/C=US/postalCode=23606/ST=Virginia/L=Newport News/street=1 Avenue of the Arts/O=Christopher Newport University/OU=Information Technology Services/CN=cnu.edu
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 5368 bytes and written 539 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 412A0000FCDC7067731534D788387AFF2DA1D1ADAA06493D4A8E05D397A5B87D
    Session-ID-ctx: 
    Master-Key: FC26D40F697F4455DA2670C221631DC9361276854C29F5706864D9976386B078EB8F5CCEFA323D54875D8B56784240DD
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1592960455
    Timeout   : 300 (sec)
    Verify return code: 2 (unable to get issuer certificate)
---


Expected results:
    Verify return code: 0 (ok)


Additional info:
- Related to Bugzilla report 1842174 (https://bugzilla.redhat.com/show_bug.cgi?id=1842174), this intermediate/chain certificate expired on the same day as the "AddTrust External CA Root" CA.
- The certificate cannot be blacklisted (in any way that I know of), as it shares an identifier with its replacement.
- Running the update-ca-trust command restores the expired certificate.
- Tests were performed against multiple servers, including IIS, Active Directory, and Apache.  Even when the servers are configured to send a full chain to the client, the client still fails to validate the received certificate so long as the expired certificate is present in the CA bundle file.
- For me, the expired certificate happens to literally be the first certificate that appears in the bundle file.


Workaround:
- Commenting out or removing the expired certificate from the CA bundle file (/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem) resolves the isue for me on RHEL 7.9.

Partial/truncated contents of fixed /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:
# USERTrust RSA Certification Authority
#-----BEGIN CERTIFICATE-----
#MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
#MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
#ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
#eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
#gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
#ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
#VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
#BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
#UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
#tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
#jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
#8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
#AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
#Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
#N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
#qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
#HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
#+gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
#HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
#A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
#BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
#HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
#dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
#dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
#lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
#RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
#YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
3Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
#Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
#0fKtirOMxyHNwu8=
#-----END CERTIFICATE-----

# USERTrust RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBAgIQAf1tMPyjylGoG7xkDjUDLTANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAw
MjAxMDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEzARBgNV
BAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0plcnNleSBDaXR5MR4wHAYDVQQKExVU
aGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNVBAMTJVVTRVJUcnVzdCBSU0EgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK
AoICAQCAEmUXNg7D2wiz0KxXDXbtzSfTTK1Qg2HiqiBNCS1kCdzOiZ/MPans9s/B
3PHTsdZ7NygRK0faOca8Ohm0X6a9fZ2jY0K2dvKpOyuR+OJv0OwWIJAJPuLodMkY
tJHUYmTbf6MG8YgYapAiPLz+E/CHFHv25B+O1ORRxhFnRghRy4YUVD+8M/5+bJz/
Fp0YvVGONaanZshyZ9shZrHUm3gDwFA66Mzw3LyeTP6vBZY1H1dat//O+T23LLb2
VN3I5xI6Ta5MirdcmrS3ID3KfyI0rn47aGYBROcBTkZTmzNg95S+UzeQc0PzMsNT
79uq/nROacdrjGCT3sTHDN/hMq7MkztReJVni+49Vv4M0GkPGw/zJSZrM233bkf6
c0Plfg6lZrEpfDKEY1WJxA3Bk1QwGROs0303p+tdOmw1XNtB1xLaqUkL39iAigmT
Yo61Zs8liM2EuLE/pDkP2QKe6xJMlXzzawWpXhaDzLhn4ugTncxbgtNMs+1b/97l
c6wjOy0AvzVVdAlJ2ElYGn+SNuZRkg7zJn0cTRe8yexDJtC/QV9AqURE9JnnV4ee
UB9XVKg+/XRjL7FQZQnmWEIuQxpMtPAlR1n6BB6T1CZGSlCBst6+eLf8ZxXhyVeE
Hg9j1uliutZfVS7qXMYoCAQlObgOK6nyTJccBz8NUvXt7y+CDwIDAQABo0IwQDAd
BgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/BAQDAgEGMA8G
A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAFzUfA3P9wF9QZllDHPF
Up/L+M+ZBn8b2kMVn54CVVeWFPFSPCeHlCjtHzoBN6J2/FNQwISbxmtOuowhT6KO
VWKR82kV2LyI48SqC/3vqOlLVSoGIG1VeCkZ7l8wXEskEVX/JJpuXior7gtNn3/3
ATiUFJVDBwn7YKnuHKsSjKCaXqeYalltiz8I+8jRRa8YFWSQEg9zKC7F4iRO/Fjs
8PRF/iKz6y+O0tlFYQXBl2+odnKPi4w2r78NBc5xjeambx9spnFixdjQg3IM8WcR
iQycE0xyNN+81XHfqnHd4blsjDwSXWXavVcStkNr/+XeTWYRUc+ZruwXtuhxkYze
Sf7dNXGiFSeUHM9h4ya7b6NnJSFd5t0dCy5oGzuCr+yDZ4XUmFF0sbmZgIn/f3gZ
XHlKYC6SQK5MNyosycdiyA5d9zZbyuAlJQG03RoHnHcAP9Dc1ew91Pq7P8yF1m9/
qS3fuQL39ZeatTXaw2ewh0qpKJ4jjv9cJ2vhsE/zB+4ALtRZh8tSQZXq9EfX7mRB
VXyNWQKV3WKdwrnuWih0hKWbt5DHDAff9Yk2dDLWKMGwsAvgnEzDHNb842m1R0aB
L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----