Bug 675671

Summary: Root CA cert bundle is missing "VeriSign Class 3 Public Primary Certification Authority - G5" cert
Product: Red Hat Enterprise Linux 5
Reporter: J.H.M. Dassen (Ray) <rdassen>
Component: openssl
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.6
CC: mvadkert, pvrabec, rbinkhor
Target Milestone: rc
Keywords: EasyFix, Triaged, Upstream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: openssl-0.9.8e-19.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 675674
Environment:
Last Closed: 2011-07-21 07:41:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 675674

Description J.H.M. Dassen (Ray) 2011-02-07 09:30:29 UTC
Description of problem:
/etc/pki/tls/certs/ca-bundle.crt is missing at least this certificate:
(from https://www.verisign.com/support/roots.html)
###
VeriSign Class 3 Primary CA - G5
Description: This root CA is the root used for VeriSign Extended
validation Certificates and should be included in root stores. During Q4
2010 this root will also be the primary root used for all VeriSign SSL
and Code Signing certificates.

Country = US
Organization = VeriSign, Inc.
Organizational Unit = VeriSign Trust Network
Organizational Unit = (c) 2006 VeriSign, Inc. - For authorized use only
Common Name = VeriSign Class 3 Public Primary Certification Authority - G5
Serial Number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
Operational Period: Tue, November 07, 2006 to Wed, July 16, 2036
Certificate SHA1 Fingerprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be
3d 9b 67 44 a5 e5
Key Size: RSA(2048Bits)
Signature Algorithm: sha1RSA
###


Version-Release number of selected component (if applicable):
openssl-0.9.8e-12.el5_5.7

How reproducible:
100%

Steps to Reproduce - approach A
1. grep -i 'VeriSign Class 3 Public Primary Certification Authority - G5' /etc/pki/tls/certs/ca-bundle.crt
  
Actual results:
No match

Expected results:
Match

Steps to Reproduce - approach B
1. wget https://www.cern.ch

Actual results:
Download fails:
	--2011-02-07 10:27:19--  https://www.cern.ch/
	Resolving www.cern.ch... 137.138.144.168
	Connecting to www.cern.ch|137.138.144.168|:443... connected.
	ERROR: cannot verify www.cern.ch's certificate, issued by `/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA':
	  Unable to locally verify the issuer's authority.
	To connect to www.cern.ch insecurely, use `--no-check-certificate'.
	Unable to establish SSL connection.

Expected results:
Download succeeds:
	--2011-02-07 10:28:43--  https://www.cern.ch/
	Resolving www.cern.ch... 137.138.144.168
	Connecting to www.cern.ch|137.138.144.168|:443... connected.
	HTTP request sent, awaiting response... 302 Found
	Location: https://user.web.cern.ch/user/ [following]
	--2011-02-07 10:28:43--  https://user.web.cern.ch/user/
	Resolving user.web.cern.ch... 137.138.144.161
	Connecting to user.web.cern.ch|137.138.144.161|:443... connected.
	HTTP request sent, awaiting response... 302 Object moved
	Location: https://public.web.cern.ch/public [following]
	--2011-02-07 10:28:43--  https://public.web.cern.ch/public
	Resolving public.web.cern.ch... 137.138.144.161
	Connecting to public.web.cern.ch|137.138.144.161|:443... connected.
	HTTP request sent, awaiting response... 301 Moved Permanently
	Location: https://public.web.cern.ch/public/ [following]
	--2011-02-07 10:28:44--  https://public.web.cern.ch/public/
	Reusing existing connection to public.web.cern.ch:443.
	HTTP request sent, awaiting response... 200 OK
	Length: 10553 (10K) [text/html]
	Saving to: “index.html”

	100%[======================================>] 10,553      --.-K/s   in 0s      

	2011-02-07 10:28:44 (151 MB/s) - “index.html” saved [10553/10553]

Additional info:
This certificate is included in ca-certificates-2010.63-3.el6.noarch on
RHEL6.
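
Approach A matches on the subject name, which only works when the bundle carries text annotations next to the PEM blocks and does not show that the certificate is the published one. The following added example (not part of the bug report) checks a bundle by the SHA-1 fingerprint quoted in the description; the function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import re
import sys

# SHA-1 fingerprint of the G5 root, as quoted in the bug description.
G5_SHA1 = "4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5"

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

def normalize_fingerprint(text):
    """Turn '4e b6 ...' or '4E:B6:...' into 40 lowercase hex digits."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("expected a 20-byte SHA-1 fingerprint")
    return digits

def bundle_fingerprints(pem_text):
    """SHA-1 over the DER bytes of every certificate block in a PEM bundle."""
    return [
        hashlib.sha1(base64.b64decode("".join(m.group(1).split()))).hexdigest()
        for m in PEM_RE.finditer(pem_text)
    ]

def bundle_has_root(pem_text, fingerprint):
    return normalize_fingerprint(fingerprint) in bundle_fingerprints(pem_text)

def pem_wrap(der):
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-ins for DER certificates; these are not real certificates.
SAMPLE_DER = [b"constructed-root-A" * 8, b"constructed-root-B" * 8]
SAMPLE_BUNDLE = "free-text annotation before the blocks\n" + "".join(
    pem_wrap(der) for der in SAMPLE_DER
)

if __name__ == "__main__":
    # Pass a bundle path (e.g. /etc/pki/tls/certs/ca-bundle.crt) or use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as handle:
            text = handle.read()
    else:
        text = SAMPLE_BUNDLE
    print("G5 root present" if bundle_has_root(text, G5_SHA1) else "G5 root missing")
```
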

Comment 5 errata-xmlrpc 2011-07-21 07:41:07 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-1010.html