Bug 1130226 - Ensure neutral-trust CA certificates will be loaded by p11-kit-trust
Summary: Ensure neutral-trust CA certificates will be loaded by p11-kit-trust
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-14 15:04 UTC by Kai Engert (:kaie) (inactive account)
Modified: 2014-12-13 09:40 UTC (History)
10 users (show)

Fixed In Version: ca-certificates-2014.2.1-1.5.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-12-13 09:34:54 UTC


Attachments (Terms of Use)
Empathy failed ICQ login (empathy-debugger, info level) (29.10 KB, application/x-h)
2014-08-25 09:52 UTC, Soeren Grunewald
no flags Details
Successfull login with ca-certificates-2013.1.97-1.fc20 (49.66 KB, application/x-h)
2014-08-26 07:15 UTC, Soeren Grunewald
no flags Details

Description Kai Engert (:kaie) (inactive account) 2014-08-14 15:04:15 UTC
If a CA certificate is stored using the BEGIN TRUSTED CERTIFICATE file format, 
and both the "trust" and "reject" purposes are empty,
then p11-kit-trust will ignore such certificates.

This behaviour is different than I had originally expected.
Stef argued it's reasonable to interpret this technical format to mean "rejected for any purposes", and that's why p11-kit-trust refuses to load the cert (in my understanding).

However, we require a way to load such certificates, because the most recent upstream CA lists contain "helper" intermediate CA certificates, which are neither trusted nor rejected, but are intended to help clients find alternative trust pathes.

The solution, or workaround, that we have discussed, and that I'd like to implement here:

For neutral certs, no longer use the BEGIN TRUSTED CERTIFICATE, but rather use the simpler BEGIN CERTIFICATE file format. In my testing, this had the intended effect.

This is a small change, I'm filing this bug mostly for tracking and documentation.

This fix is required when shipping Mozilla CA list version 2.0 or 2.1 or later (as contained in upstream NSS versions 3.16.3 and 3.16.4).

The fix is required for all supported Fedora versions, but I'll file just this one bug for Rawhide.

Comment 1 Fedora Update System 2014-08-18 21:21:57 UTC
ca-certificates-2014.2.1-1.0.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.0.fc20

Comment 2 Fedora Update System 2014-08-18 21:22:04 UTC
ca-certificates-2014.2.1-1.0.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.0.fc19

Comment 3 Soeren Grunewald 2014-08-25 09:52:02 UTC
Created attachment 930407 [details]
Empathy failed ICQ login (empathy-debugger, info level)

The package update ca-certificates-2014.2.1-1.0.fc20.noarch breaks login at ICQ server (slogin.icq.com:5190). A downgrade to 2013.1.97-1.fc20 solves the login problems.

Comment 4 Hubert Kario 2014-08-25 11:09:17 UTC
The server presents an invalid chain. The intermediate it sends didn't sign the end entity certificate it sends (compare Subject of intermediate with Issuer of end entity).

I don't know why it works with older package version. Can you downgrade just ca-certificates or does it cause downgrade of other packages (e.g. p11-kit)?

End entity certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 93176 (0x16bf8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
        Validity
            Not Before: May 16 11:00:58 2012 GMT
            Not After : Aug 16 22:09:10 2017 GMT
        Subject: serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C=US, ST=Delaware, L=Wilmington, O=ICQ LLC, CN=*.icq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:be:65:11:7a:fd:6e:d9:87:18:06:00:28:26:e8:
                    a5:23:35:74:f2:70:01:95:79:ba:f6:f1:4b:1f:24:
                    88:0a:6b:23:31:a0:37:f4:5a:64:f1:50:e3:64:4c:
                    6b:2a:43:12:ed:e9:da:30:d4:d9:9b:60:16:44:6e:
                    43:62:c6:f5:9e:c1:1a:27:45:4b:29:98:97:b4:c5:
                    33:a4:b5:0a:42:36:39:0c:84:d5:49:6e:8f:15:5b:
                    37:95:77:21:a2:bf:6f:f9:9b:1c:59:3a:b4:16:4c:
                    9f:56:25:4a:0c:56:4c:4f:1b:db:d3:f1:41:42:39:
                    9b:ae:99:60:36:05:4e:60:b9:b7:d8:f0:1f:3c:6c:
                    61:c8:13:59:93:3e:3c:3a:ea:b2:6d:2b:92:19:06:
                    53:8b:a3:87:e1:54:63:7d:05:d3:6f:cb:09:4c:c9:
                    9f:5c:3e:8d:6f:4b:79:99:cc:9e:7f:9a:02:4c:a6:
                    a3:76:64:7b:e8:99:49:9e:6f:50:b1:6b:d7:54:9c:
                    e3:00:56:99:1b:85:80:72:80:24:dc:0a:30:17:db:
                    a1:9a:d1:95:8e:08:24:8f:b7:d0:11:f5:42:fa:25:
                    3d:7b:57:aa:3b:c4:20:40:bc:bb:1f:33:da:b0:fa:
                    84:31:43:82:c1:cb:49:8a:19:e0:09:c5:6b:03:f8:
                    f2:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:*.icq.com, DNS:icq.com
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl

            X509v3 Subject Key Identifier: 
                4E:63:CD:A0:78:E1:CE:BF:7F:1D:44:E8:E8:5B:C0:CE:A3:17:39:36
            X509v3 Basic Constraints: critical
                CA:FALSE
            Authority Information Access: 
                CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt

    Signature Algorithm: sha1WithRSAEncryption
         20:35:fa:f2:1d:e1:66:b3:a0:05:18:7b:38:9f:fb:89:84:f5:
         5a:e5:f1:61:c3:0c:11:3a:a4:c8:cb:4a:05:a5:ec:34:81:7a:
         5d:27:3b:a3:23:36:d4:6f:e1:66:54:d1:94:c6:22:dc:d6:f6:
         c8:7b:4c:6f:13:83:6e:71:87:eb:1a:4d:59:c8:32:76:71:c4:
         3f:72:13:4e:03:45:56:fa:8a:66:1f:80:99:5a:7c:6c:a2:4d:
         78:d4:05:60:ef:a4:9c:bd:02:dd:56:0e:34:fa:c7:df:3b:ab:
         0a:fe:e4:ae:28:ed:3f:a4:a1:b4:f9:d9:56:23:ba:54:a0:b1:
         0f:d8:30:52:8a:35:ec:11:d4:ed:4b:a0:21:1b:11:cb:04:60:
         75:5e:b3:06:ef:91:67:f1:26:c6:7c:ba:4c:6b:aa:20:46:d5:
         82:17:62:86:69:df:7d:30:61:3e:2e:1c:67:25:7f:8d:d8:c1:
         bc:a1:08:2b:40:f9:ce:7a:fb:7b:56:ac:85:79:03:78:17:58:
         17:6f:ba:19:97:b4:a5:bb:84:07:00:a2:11:8a:88:1d:8a:99:
         fa:3d:bd:0a:10:50:a2:4b:c3:48:36:95:74:53:36:e5:75:7b:
         6c:12:45:0f:e1:68:8f:fc:7b:18:a0:30:42:1d:06:d6:00:ce:
         41:01:b5:92
-----BEGIN CERTIFICATE-----
MIIEajCCA1KgAwIBAgIDAWv4MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEYMBYGA1UEAxMPR2VvVHJ1c3QgU1NM
IENBMB4XDTEyMDUxNjExMDA1OFoXDTE3MDgxNjIyMDkxMFowgYYxKTAnBgNVBAUT
IGhvMFBqNkpVREpSZ0F0M1QvTnBqOS1kWkxDSkdyaDlvMQswCQYDVQQGEwJVUzER
MA8GA1UECBMIRGVsYXdhcmUxEzARBgNVBAcTCldpbG1pbmd0b24xEDAOBgNVBAoT
B0lDUSBMTEMxEjAQBgNVBAMMCSouaWNxLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAL5lEXr9btmHGAYAKCbopSM1dPJwAZV5uvbxSx8kiAprIzGg
N/RaZPFQ42RMaypDEu3p2jDU2ZtgFkRuQ2LG9Z7BGidFSymYl7TFM6S1CkI2OQyE
1UlujxVbN5V3IaK/b/mbHFk6tBZMn1YlSgxWTE8b29PxQUI5m66ZYDYFTmC5t9jw
HzxsYcgTWZM+PDrqsm0rkhkGU4ujh+FUY30F02/LCUzJn1w+jW9LeZnMnn+aAkym
o3Zke+iZSZ5vULFr11Sc4wBWmRuFgHKAJNwKMBfboZrRlY4IJI+30BH1QvolPXtX
qjvEIEC8ux8z2rD6hDFDgsHLSYoZ4AnFawP48mUCAwEAAaOCASQwggEgMB8GA1Ud
IwQYMBaAFEJ5VBthzVUrPmPVPEhX9Z/7Rc5KMA4GA1UdDwEB/wQEAwIEsDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0RBBYwFIIJKi5pY3EuY29t
ggdpY3EuY29tMD0GA1UdHwQ2MDQwMqAwoC6GLGh0dHA6Ly9ndHNzbC1jcmwuZ2Vv
dHJ1c3QuY29tL2NybHMvZ3Rzc2wuY3JsMB0GA1UdDgQWBBROY82geOHOv38dROjo
W8DOoxc5NjAMBgNVHRMBAf8EAjAAMEMGCCsGAQUFBwEBBDcwNTAzBggrBgEFBQcw
AoYnaHR0cDovL2d0c3NsLWFpYS5nZW90cnVzdC5jb20vZ3Rzc2wuY3J0MA0GCSqG
SIb3DQEBBQUAA4IBAQAgNfryHeFms6AFGHs4n/uJhPVa5fFhwwwROqTIy0oFpew0
gXpdJzujIzbUb+FmVNGUxiLc1vbIe0xvE4NucYfrGk1ZyDJ2ccQ/chNOA0VW+opm
H4CZWnxsok141AVg76ScvQLdVg40+sffO6sK/uSuKO0/pKG0+dlWI7pUoLEP2DBS
ijXsEdTtS6AhGxHLBGB1XrMG75Fn8SbGfLpMa6ogRtWCF2KGad99MGE+LhxnJX+N
2MG8oQgrQPnOevt7VqyFeQN4F1gXb7oZl7Slu4QHAKIRiogdipn6Pb0KEFCiS8NI
NpV0UzbldXtsEkUP4WiP/HsYoDBCHQbWAM5BAbWS
-----END CERTIFICATE-----

Intermediate it presents:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1227750 (0x12bbe6)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Validity
            Not Before: May 21 04:00:00 2002 GMT
            Not After : Aug 21 04:00:00 2018 GMT
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:da:cc:18:63:30:fd:f4:17:23:1a:56:7e:5b:df:
                    3c:6c:38:e4:71:b7:78:91:d4:bc:a1:d8:4c:f8:a8:
                    43:b6:03:e9:4d:21:07:08:88:da:58:2f:66:39:29:
                    bd:05:78:8b:9d:38:e8:05:b7:6a:7e:71:a4:e6:c4:
                    60:a6:b0:ef:80:e4:89:28:0f:9e:25:d6:ed:83:f3:
                    ad:a6:91:c7:98:c9:42:18:35:14:9d:ad:98:46:92:
                    2e:4f:ca:f1:87:43:c1:16:95:57:2d:50:ef:89:2d:
                    80:7a:57:ad:f2:ee:5f:6b:d2:00:8d:b9:14:f8:14:
                    15:35:d9:c0:46:a3:7b:72:c8:91:bf:c9:55:2b:cd:
                    d0:97:3e:9c:26:64:cc:df:ce:83:19:71:ca:4e:e6:
                    d4:d5:7b:a9:19:cd:55:de:c8:ec:d2:5e:38:53:e5:
                    5c:4f:8c:2d:fe:50:23:36:fc:66:e6:cb:8e:a4:39:
                    19:00:b7:95:02:39:91:0b:0e:fe:38:2e:d1:1d:05:
                    9a:f6:4d:3e:6f:0f:07:1d:af:2c:1e:8f:60:39:e2:
                    fa:36:53:13:39:d4:5e:26:2b:db:3d:a8:14:bd:32:
                    eb:18:03:28:52:04:71:e5:ab:33:3d:e1:38:bb:07:
                    36:84:62:9c:79:ea:16:30:f4:5f:c0:2b:e8:71:6b:
                    e4:f9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4

            X509v3 Subject Key Identifier: 
                C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.geotrust.com/crls/secureca.crl

            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: https://www.geotrust.com/resources/repository

    Signature Algorithm: sha1WithRSAEncryption
         76:e1:12:6e:4e:4b:16:12:86:30:06:b2:81:08:cf:f0:08:c7:
         c7:71:7e:66:ee:c2:ed:d4:3b:1f:ff:f0:f0:c8:4e:d6:43:38:
         b0:b9:30:7d:18:d0:55:83:a2:6a:cb:36:11:9c:e8:48:66:a3:
         6d:7f:b8:13:d4:47:fe:8b:5a:5c:73:fc:ae:d9:1b:32:19:38:
         ab:97:34:14:aa:96:d2:eb:a3:1c:14:08:49:b6:bb:e5:91:ef:
         83:36:eb:1d:56:6f:ca:da:bc:73:63:90:e4:7f:7b:3e:22:cb:
         3d:07:ed:5f:38:74:9c:e3:03:50:4e:a1:af:98:ee:61:f2:84:
         3f:12
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----

Actual intermediate that signed the certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 145104 (0x236d0)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Validity
            Not Before: Feb 19 22:39:26 2010 GMT
            Not After : Feb 18 22:39:26 2020 GMT
        Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:90:b3:80:c1:e4:e5:46:ad:70:60:3d:ba:e5:14:
                    dd:9e:8a:5e:8b:75:5a:e6:ca:6d:41:a5:23:e8:39:
                    85:26:7a:a7:55:77:9a:48:a1:92:7e:3a:1e:1a:f1:
                    27:ab:a3:4c:39:cc:cb:3d:47:af:81:ae:16:6a:5c:
                    37:ef:45:41:fd:fb:9a:97:3c:a0:43:9d:c6:df:17:
                    21:d1:8a:a2:56:c2:03:49:84:12:81:3e:c9:0a:54:
                    60:66:b9:8c:54:e4:f9:e6:f9:94:f1:e0:5f:75:11:
                    f2:29:b9:e4:86:a2:b1:89:ad:a6:1e:83:29:63:b2:
                    f0:54:1c:85:0b:7a:e7:e1:2e:0d:af:a4:bd:cd:e7:
                    b1:5a:d7:8c:05:5a:0e:4b:73:28:8b:75:5d:34:d8:
                    77:0b:e1:74:62:e2:71:30:62:d8:bc:8a:05:e5:31:
                    63:4a:54:89:6a:33:78:a7:4e:55:24:1d:97:ef:1a:
                    e4:12:c6:0f:30:18:b4:34:4d:e1:d8:23:3b:21:5b:
                    2d:30:19:25:0e:74:f7:a4:21:4b:a0:a4:20:c9:6c:
                    cd:98:56:c0:f2:a8:5f:3e:26:75:a0:0d:f8:36:88:
                    8a:2c:5a:7d:67:30:a9:0f:d1:99:70:2e:78:e1:51:
                    26:af:55:7a:24:be:8c:39:0d:77:9d:de:02:c3:0c:
                    bd:1f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier: 
                42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
            X509v3 Authority Key Identifier: 
                keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.geotrust.com/crls/gtglobal.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.geotrust.com

    Signature Algorithm: sha1WithRSAEncryption
         d4:ef:53:84:e8:1a:bd:a1:8b:04:c0:a9:f5:5f:a1:10:78:45:
         5d:b2:57:6a:4e:24:cb:65:4e:31:97:91:9a:d4:24:f8:e2:27:
         66:70:31:9c:c1:62:54:06:e7:97:1d:3a:9a:c0:a4:29:48:0a:
         af:24:c7:a8:c4:9a:54:c1:7c:4c:78:4c:2b:68:2c:5d:17:a6:
         54:78:4c:46:e2:80:c3:1f:38:71:12:d2:d7:53:e3:54:85:50:
         b8:02:cb:ee:63:3a:f8:56:89:4d:55:bb:2e:c0:c8:18:77:86:
         31:0b:0b:70:f0:7e:35:83:a4:2a:13:64:56:67:34:5d:16:5f:
         73:ac:7b:06:24:da:4f:50:6d:2a:ab:d0:4d:53:41:c2:8e:bb:
         71:03:49:29:86:18:cf:21:42:4c:74:62:51:15:c5:6f:a8:ef:
         c4:27:e5:1b:33:dd:5a:88:d7:7f:12:d1:a7:61:25:1f:d5:e0:
         dc:1d:cf:1a:10:d8:a0:cb:5f:8c:fa:0c:e5:bf:71:ff:e5:5d:
         44:1d:a6:3e:87:47:fa:1a:4e:83:83:12:3f:88:66:95:98:79:
         9a:85:eb:02:47:cd:25:e3:f2:06:04:4e:99:ca:5c:a0:6e:7a:
         bb:dd:a3:90:1a:45:33:ef:bf:3e:d2:04:c4:b6:e0:2a:85:65:
         41:3e:10:d4
-----BEGIN CERTIFICATE-----
MIID2TCCAsGgAwIBAgIDAjbQMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjE5MjIzOTI2WhcNMjAwMjE4MjIzOTI2WjBAMQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xGDAWBgNVBAMTD0dlb1RydXN0
IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJCzgMHk5Uat
cGA9uuUU3Z6KXot1WubKbUGlI+g5hSZ6p1V3mkihkn46HhrxJ6ujTDnMyz1Hr4Gu
FmpcN+9FQf37mpc8oEOdxt8XIdGKolbCA0mEEoE+yQpUYGa5jFTk+eb5lPHgX3UR
8im55IaisYmtph6DKWOy8FQchQt65+EuDa+kvc3nsVrXjAVaDktzKIt1XTTYdwvh
dGLicTBi2LyKBeUxY0pUiWozeKdOVSQdl+8a5BLGDzAYtDRN4dgjOyFbLTAZJQ50
96QhS6CkIMlszZhWwPKoXz4mdaAN+DaIiixafWcwqQ/RmXAueOFRJq9VeiS+jDkN
d53eAsMMvR8CAwEAAaOB2TCB1jAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFEJ5
VBthzVUrPmPVPEhX9Z/7Rc5KMB8GA1UdIwQYMBaAFMB6mGiNifurBWQMEX2qfWW4
ysxOMBIGA1UdEwEB/wQIMAYBAf8CAQAwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDov
L2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwNAYIKwYBBQUHAQEE
KDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nZW90cnVzdC5jb20wDQYJKoZI
hvcNAQEFBQADggEBANTvU4ToGr2hiwTAqfVfoRB4RV2yV2pOJMtlTjGXkZrUJPji
J2ZwMZzBYlQG55cdOprApClICq8kx6jEmlTBfEx4TCtoLF0XplR4TEbigMMfOHES
0tdT41SFULgCy+5jOvhWiU1Vuy7AyBh3hjELC3DwfjWDpCoTZFZnNF0WX3OsewYk
2k9QbSqr0E1TQcKOu3EDSSmGGM8hQkx0YlEVxW+o78Qn5Rsz3VqI138S0adhJR/V
4NwdzxoQ2KDLX4z6DOW/cf/lXUQdpj6HR/oaToODEj+IZpWYeZqF6wJHzSXj8gYE
TpnKXKBuervdo5AaRTPvvz7SBMS24CqFZUE+ENQ=
-----END CERTIFICATE-----

If you have openssl compiled from master branch you can verify it as follows:

$ ./openssl verify -CAfile 2.pem -partial_chain 1.pem
1.pem: serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 20 at 0 depth lookup:unable to get local issuer certificate
$ ./openssl verify -CAfile 3.pem -partial_chain 1.pem
1.pem: OK

Comment 5 Soeren Grunewald 2014-08-26 07:15:59 UTC
Created attachment 930758 [details]
Successfull login with ca-certificates-2013.1.97-1.fc20

As far as I can see the issue only depends on the ca-certificates package. If I downgrade to 2013.1.97-1.fc20 it works, update to 2014.2.1-1.0.fc20 it does not.

I have appended a log from a successful login, maybe gives you some more information.

Comment 6 Fedora Update System 2014-09-21 09:02:37 UTC
ca-certificates-2014.2.1-1.1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.1.fc20

Comment 7 Fedora Update System 2014-11-20 17:46:06 UTC
ca-certificates-2014.2.1-1.5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19

Comment 8 Fedora Update System 2014-11-20 17:46:18 UTC
ca-certificates-2014.2.1-1.5.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20

Comment 9 Fedora Update System 2014-11-22 12:34:43 UTC
Package ca-certificates-2014.2.1-1.5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ca-certificates-2014.2.1-1.5.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15506/ca-certificates-2014.2.1-1.5.fc19
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-12-13 09:34:54 UTC
ca-certificates-2014.2.1-1.5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2014-12-13 09:40:08 UTC
ca-certificates-2014.2.1-1.5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.