If a CA certificate is stored using the BEGIN TRUSTED CERTIFICATE file format, and both the "trust" and "reject" purposes are empty, then p11-kit-trust will ignore such certificates.

This behaviour is different than I had originally expected. Stef argued it's reasonable to interpret this technical format to mean "rejected for any purposes", and that's why p11-kit-trust refuses to load the cert (in my understanding).

However, we require a way to load such certificates, because the most recent upstream CA lists contain "helper" intermediate CA certificates, which are neither trusted nor rejected, but are intended to help clients find alternative trust paths.

The solution, or workaround, that we have discussed, and that I'd like to implement here: For neutral certs, no longer use the BEGIN TRUSTED CERTIFICATE, but rather use the simpler BEGIN CERTIFICATE file format.

In my testing, this had the intended effect.

This is a small change; I'm filing this bug mostly for tracking and documentation.

This fix is required when shipping Mozilla CA list version 2.0 or 2.1 or later (as contained in upstream NSS versions 3.16.3 and 3.16.4).

The fix is required for all supported Fedora versions, but I'll file just this one bug for Rawhide.
ca-certificates-2014.2.1-1.0.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.0.fc20
ca-certificates-2014.2.1-1.0.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.0.fc19
Created attachment 930407
Empathy failed ICQ login (empathy-debugger, info level)

The package update ca-certificates-2014.2.1-1.0.fc20.noarch breaks login at ICQ server (slogin.icq.com:5190). A downgrade to 2013.1.97-1.fc20 solves the login problems.
The server presents an invalid chain. The intermediate it sends didn't sign the end entity certificate it sends (compare Subject of intermediate with Issuer of end entity). I don't know why it works with the older package version. Can you downgrade just ca-certificates or does it cause downgrade of other packages (e.g. p11-kit)?

End entity certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 93176 (0x16bf8)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
        Validity
            Not Before: May 16 11:00:58 2012 GMT
            Not After : Aug 16 22:09:10 2017 GMT
        Subject: serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C=US, ST=Delaware, L=Wilmington, O=ICQ LLC, CN=*.icq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:*.icq.com, DNS:icq.com
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
            X509v3 Subject Key Identifier:
                4E:63:CD:A0:78:E1:CE:BF:7F:1D:44:E8:E8:5B:C0:CE:A3:17:39:36
            X509v3 Basic Constraints: critical
                CA:FALSE
            Authority Information Access:
                CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
    Signature Algorithm: sha1WithRSAEncryption

Intermediate it presents:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1227750 (0x12bbe6)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Equifax, OU=Equifax Secure Certificate Authority
        Validity
            Not Before: May 21 04:00:00 2002 GMT
            Not After : Aug 21 04:00:00 2018 GMT
        Subject: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4
            X509v3 Subject Key Identifier:
                C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.geotrust.com/crls/secureca.crl
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: https://www.geotrust.com/resources/repository
    Signature Algorithm: sha1WithRSAEncryption

Actual intermediate that signed the certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 145104 (0x236d0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
        Validity
            Not Before: Feb 19 22:39:26 2010 GMT
            Not After : Feb 18 22:39:26 2020 GMT
        Subject: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
            X509v3 Authority Key Identifier:
                keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.geotrust.com/crls/gtglobal.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.geotrust.com
    Signature Algorithm: sha1WithRSAEncryption

If you have openssl compiled from master branch you can verify it as follows:

$ ./openssl verify -CAfile 2.pem -partial_chain 1.pem
1.pem: serialNumber = ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C = US, ST = Delaware, L = Wilmington, O = ICQ LLC, CN = *.icq.com
error 20 at 0 depth lookup:unable to get local issuer certificate
$ ./openssl verify -CAfile 3.pem -partial_chain 1.pem
1.pem: OK
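Added example (not part of the comment above and not code from ca-certificates or p11-kit): the Subject/Issuer comparison the comment asks for, extended to the key identifiers, plus a path builder showing how an extra intermediate in the local pool closes the gap. The `Cert` type and function names are hypothetical; the field values are transcribed from the openssl output quoted above, and only name and key-identifier linkage is checked, not signatures.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # X509v3 Subject Key Identifier
    aki: str  # X509v3 Authority Key Identifier (keyid)

# Values transcribed from the three certificates quoted in the comment.
EE = Cert("serialNumber=ho0Pj6JUDJRgAt3T/Npj9-dZLCJGrh9o, C=US, ST=Delaware, "
          "L=Wilmington, O=ICQ LLC, CN=*.icq.com",
          "C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA",
          "4E:63:CD:A0:78:E1:CE:BF:7F:1D:44:E8:E8:5B:C0:CE:A3:17:39:36",
          "42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A")
SENT_INTERMEDIATE = Cert("C=US, O=GeoTrust Inc., CN=GeoTrust Global CA",
          "C=US, O=Equifax, OU=Equifax Secure Certificate Authority",
          "C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E",
          "48:E6:68:F9:2B:D2:B2:95:D7:47:D8:23:20:10:4F:33:98:90:9F:D4")
SIGNING_INTERMEDIATE = Cert("C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA",
          "C=US, O=GeoTrust Inc., CN=GeoTrust Global CA",
          "42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A",
          "C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E")

def is_issuer_of(parent, child):
    """Name and key-identifier linkage only; no signature is verified."""
    return parent.subject == child.issuer and parent.ski == child.aki

def first_gap(chain):
    """Index of the first cert not issued by its successor, or None if linked."""
    for i in range(len(chain) - 1):
        if not is_issuer_of(chain[i + 1], chain[i]):
            return i
    return None

def build_path(leaf, pool):
    """Follow issuer links from leaf through pool (sent plus locally known certs)."""
    path, current = [leaf], leaf
    while True:
        parent = next((c for c in pool
                       if c not in path and is_issuer_of(c, current)), None)
        if parent is None:
            return path
        path.append(parent)
        current = parent
```
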
Created attachment 930758
Successful login with ca-certificates-2013.1.97-1.fc20

As far as I can see the issue only depends on the ca-certificates package. If I downgrade to 2013.1.97-1.fc20 it works, update to 2014.2.1-1.0.fc20 it does not. I have appended a log from a successful login, maybe it gives you some more information.
ca-certificates-2014.2.1-1.1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.1.fc20
ca-certificates-2014.2.1-1.5.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc19
ca-certificates-2014.2.1-1.5.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/ca-certificates-2014.2.1-1.5.fc20
Package ca-certificates-2014.2.1-1.5.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing ca-certificates-2014.2.1-1.5.fc19'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-15506/ca-certificates-2014.2.1-1.5.fc19
then log in and leave karma (feedback).
ca-certificates-2014.2.1-1.5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ca-certificates-2014.2.1-1.5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.