Bug 1288076 - Bugzilla not sending the whole certificate chain, just server certificate
Bugzilla not sending the whole certificate chain, just server certificate
Status: CLOSED UPSTREAM
Product: Bugzilla
Classification: Community
Component: Bugzilla General (Show other bugs)
4.4
Unspecified Unspecified
urgent Severity urgent (vote)
: ---
: ---
Assigned To: PnT DevOps Devs
tools-bugs
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-03 07:49 EST by Stanislav Zidek
Modified: 2015-12-03 11:28 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-03 11:28:11 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Stanislav Zidek 2015-12-03 07:49:55 EST
Description of problem:
SSIA

Version-Release number of selected component (if applicable):
?

How reproducible:
always

Steps to Reproduce:
1. openssl s_client -connect bugzilla.redhat.com:443
2.
3.

Actual results:
CONNECTED(00000003)
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.redhat.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.redhat.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat Inc., CN = *.redhat.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=*.redhat.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
-----BEGIN CERTIFICATE-----
MIIFSTCCBDGgAwIBAgIQAdAb5fpgCqGXolS4CS4ZoTANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNTA1MjgwMDAwMDBaFw0xNzA2MTQxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRcwFQYDVQQIEw5Ob3J0aCBDYXJvbGluYTEQMA4GA1UE
BxMHUmFsZWlnaDEVMBMGA1UEChMMUmVkIEhhdCBJbmMuMRUwEwYDVQQDDAwqLnJl
ZGhhdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCvaIbRvW/
9P0GbUxvNdBonurMt5R6EhsxLsTD4yYNig2T9b7soy8w1jzO8cLfipDUOxKMHiJo
mkKDgEOEDK5ePz8rqHCvMReP8zhT8S9Jz1C0dlvHPGdsdPrh1v3U9PTZ1f69tcfy
VFDi/6qTH9bkYIi9q9u52xy5vZDXLrnfCiM4n+MWhlc95jWd4eYO53Yo2mqb8xaC
GzTa/FiSsB6KmzrX7HqdgkIU5pbNK2ysd4elXjC4s8tiL8ouFafJMrzQT2jiROpm
4+d7zMwOT9ePKvyVAs4kK1StWrMss3EPGQRjAUzDuwZpE/cwWXIMKEFAjx6XvUVg
91FL1K5IbAD7AgMBAAGjggHnMIIB4zAfBgNVHSMEGDAWgBRRaP+QrwIHdTzM2WVk
YqISuFlyOzAdBgNVHQ4EFgQUKr/rGEQQ7TCbBcvVsxHASEb2doQwIwYDVR0RBBww
GoIMKi5yZWRoYXQuY29tggpyZWRoYXQuY29tMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdQYDVR0fBG4wbDA0oDKgMIYuaHR0
cDovL2NybDMuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc0LmNybDA0oDKg
MIYuaHR0cDovL2NybDQuZGlnaWNlcnQuY29tL3NoYTItaGEtc2VydmVyLWc0LmNy
bDBCBgNVHSAEOzA5MDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczov
L3d3dy5kaWdpY2VydC5jb20vQ1BTMIGDBggrBgEFBQcBAQR3MHUwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBNBggrBgEFBQcwAoZBaHR0cDov
L2NhY2VydHMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0U0hBMkhpZ2hBc3N1cmFuY2VT
ZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAWBfN
vX3l5iwFoM3TxzCVAuvgDhQjo6nIPicgf4bg2WsXsMMl7HQFWGwBTOe5nUGUWc51
Tw8BBJmxwixyPDC4ZMH+XK2awun87V+QULbm+KeppwPkbs6Qa83t9CAO/O1sDXCr
w2P/zT56adF9Kf3Z8Dx1cfY0RVnCRbDYUmJZ0yETDlGiANMyXVbMSJn9xp9MCh8n
470NiKEei0IQvo8EYpSDiigJxzta2NRmVy0YTM6GuTv6zWf0SlbjuPaPi4YO3ghK
D3Phjz7olvAIsbDl/j8OP8WIVM6Jyd9EoaXk9uoX+qr4mdzmpLQoTcb2n2s2530f
yKvUKl1/1JFb9J85jw==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc./CN=*.redhat.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2048 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FE68EDDC8A17849752C7997FA229751B08C00D0A2A5423841054412837506CF9
    Session-ID-ctx: 
    Master-Key: 101CA87B59C39B7986CAF6CB4A23EC06D890C0F3F7FE99D25C3EC6EC232A18993037F5DA54DE9371A05845DD8A65EFB3
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 66 f2 65 60 df c5 a8 ae-e4 49 e2 5a b8 93 c7 e5   f.e`.....I.Z....
    0010 - 65 a2 7f cc 48 4d da d8-a2 2c 71 09 b0 c6 6a aa   e...HM...,q...j.
    0020 - 93 6e d4 8f 9e f3 36 7a-76 70 45 42 17 80 7f 8f   .n....6zvpEB....
    0030 - ef cd 2c 3a 5b 7a df 36-b6 9d 25 ce 5b 0b ee 11   ..,:[z.6..%.[...
    0040 - ed a3 1a 70 dc d9 23 ab-be c4 f1 4f 07 68 e1 7e   ...p..#....O.h.~
    0050 - 4f 28 ac 04 9e c8 3f 3f-34 ea 7f f8 96 07 82 12   O(....??4.......
    0060 - 76 ff 6c 83 9c b6 e1 65-06 12 97 56 cd 9c 9e 2a   v.l....e...V...*
    0070 - 9f e4 57 b6 dd 36 40 4f-6e 09 a2 5b 86 19 6c d5   ..W..6@On..[..l.
    0080 - 87 5c 30 c5 31 1f 8c a4-44 56 89 37 a6 af d8 9b   .\0.1...DV.7....
    0090 - f3 9d de 40 8a a0 00 d1-af 96 63 e2 63 ce ac 2e   ...@......c.c...
    00a0 - 6f 86 74 90 0c 46 11 c8-cd ed a0 e9 6d 2b 18 1d   o.t..F......m+..
    00b0 - 15 b9 0c b1 fd 02 43 c2-8d 24 9f 80 5d 0e b1 ac   ......C..$..]...

    Start Time: 1449146962
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


Expected results:
whole certificate chain is sent

Additional info:
Comment 2 Ondřej Pták 2015-12-03 08:23:32 EST
I have the same problem with security-guard-cve script, which use bugzilla command:

bugzilla query -b 244410
/usr/lib/python2.6/site-packages/requests/packages/urllib3/util/ssl_.py:100: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
SSL error: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If you trust the remote server, you can work around this error with:
  bugzilla --nosslverify ...

From my notebook, the same command returns correct result.
Comment 3 Gwyn Ciesla 2015-12-03 09:17:35 EST
Seeing this with pkgdb-admin as well.
Comment 4 Patrick Uiterwijk 2015-12-03 09:38:45 EST
As a workaround:

Put the following cert in /etc/pki/ca-trust/source/anchors/digicert-intermediate.pem and run update-ca-trust. (you can verify that this is the actual, correct, certificate that's issued by DigiCert).

-----BEGIN CERTIFICATE-----
MIIEsTCCA5mgAwIBAgIQBOHnpNxc8vNtwCtCuF0VnzANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTEzMTAyMjEyMDAwMFoXDTI4MTAyMjEyMDAwMFowcDEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTEvMC0GA1UEAxMmRGlnaUNlcnQgU0hBMiBIaWdoIEFzc3Vy
YW5jZSBTZXJ2ZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2
4C/CJAbIbQRf1+8KZAayfSImZRauQkCbztyfn3YHPsMwVYcZuU+UDlqUH1VWtMIC
Kq/QmO4LQNfE0DtyyBSe75CxEamu0si4QzrZCwvV1ZX1QK/IHe1NnF9Xt4ZQaJn1
itrSxwUfqJfJ3KSxgoQtxq2lnMcZgqaFD15EWCo3j/018QsIJzJa9buLnqS9UdAn
4t07QjOjBSjEuyjMmqwrIw14xnvmXnG3Sj4I+4G3FhahnSMSTeXXkgisdaScus0X
sh5ENWV/UyU50RwKmmMbGZJ0aAo3wsJSSMs5WqK24V3B3aAguCGikyZvFEohQcft
bZvySC/zA/WiaJJTL17jAgMBAAGjggFJMIIBRTASBgNVHRMBAf8ECDAGAQH/AgEA
MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
NAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wSwYDVR0fBEQwQjBAoD6gPIY6aHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L0RpZ2lDZXJ0SGlnaEFzc3VyYW5jZUVWUm9vdENBLmNybDA9BgNVHSAENjA0MDIG
BFUdIAAwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQ
UzAdBgNVHQ4EFgQUUWj/kK8CB3U8zNllZGKiErhZcjswHwYDVR0jBBgwFoAUsT7D
aQP4v0cB1JgmGggC72NkK8MwDQYJKoZIhvcNAQELBQADggEBABiKlYkD5m3fXPwd
aOpKj4PWUS+Na0QWnqxj9dJubISZi6qBcYRb7TROsLd5kinMLYBq8I4g4Xmk/gNH
E+r1hspZcX30BJZr01lYPf7TMSVcGDiEo+afgv2MW5gxTs14nhr9hctJqvIni5ly
/D6q1UEL2tU2ob8cbkdJf17ZSHwD2f2LSaCYJkJA69aSEaRkCldUxPUd1gJea6zu
xICaEnL6VpPX/78whQYwvwt/Tv9XBZ0k7YXDK/umdaisLRbvfXknsuvCnQsH6qqF
0wGjIChBWUMo0oHjqvbsezt3tkBigAVBRQHvFwY+3sAzm2fTYS5yh+Rp/BIAV0Ae
cPUeybQ=
-----END CERTIFICATE-----
Comment 5 Patrick Uiterwijk 2015-12-03 09:46:08 EST
NOTE: This workaround has been verified by me personally on RHEL7 and Fedora 22.
For other distros/versions, your mileage may vary.
Comment 6 Patrick Uiterwijk 2015-12-03 11:28:11 EST
This has now been fixed by the people responsible for this. Please re-open if the issue still occurs.

Note You need to log in before you can comment on or make changes to this bug.