Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 916560

Summary: /etc/pki/tls/certs/ca-bundle.crt is very out of date
Product: Red Hat Enterprise Linux 5
Component: openssl
Version: 5.9
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Reporter: Arnoud Vermeer <a.vermeer>
Assignee: Tomas Mraz <tmraz>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: herrold, mpoole
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Type: Bug
Doc Type: Bug Fix
Last Closed: 2013-10-31 10:32:54 UTC

Attachments:
- Difference in CA subjects between CentOS 5 and Current Mozilla one (flags: none)
- Difference in CA subjects between EL6 and Current Mozilla one (flags: none)

Description Arnoud Vermeer 2013-02-28 10:26:18 UTC
Created attachment 703873 [details]
Difference in CA subjects between CentOS 5 and Current Mozilla one

Description of problem:
/etc/pki/tls/certs/ca-bundle.crt is very out of date

Version in use on CentOS 6: 
#     $RCSfile: certdata.txt,v $
#     $Revision: 1.63 $
#     $Date: 2010/04/03 18:58:17 $

Version in use on CentOS 5:
Generated from certdata.txt RCS revision 1.39

Current version:
$Revision: 1.87 $ 
$Date: 2012/12/29 16:32:45

Version-Release number of selected component (if applicable):
openssl-0.9.8e-22.el5_8.4
ca-certificates-2010.63-3.el6_1.5.noarch

How reproducible:
Every time

Steps to Reproduce:
1. curl https://www.eso.org/public/archives/images/screen/eso1309a.jpg -o /dev/null
2. curl https://trustis-ssl.trustis.com/ -o /dev/null
3. curl https://sk.ee/ -o /dev/null
  
Actual results:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Expected results:
curl https://www.eso.org/public/archives/images/screen/eso1309a.jpg -o /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  968k  100  968k    0     0   145k      0  0:00:06  0:00:06 --:--:--  156k

Additional info:
Latest version by curl can be found here: http://curl.haxx.se/ca/cacert.pem

Comment 1 Arnoud Vermeer 2013-02-28 10:27:14 UTC
Created attachment 703874 [details]
Difference in CA subjects between EL6 and Current Mozilla one

Comment 2 Tomas Mraz 2013-03-12 13:49:58 UTC
Please report the issue through the regular support channels http://www.redhat.com/support
so it can be properly prioritized.

Comment 3 R P Herrold 2013-05-09 17:06:09 UTC
Still true.  Actually not just out of date but EXPIRED

[root@centos5-64-herc tls]# rpm -qf /etc/pki/tls/certs/ca-bundle.crt
openssl-0.9.8e-26.el5_9.1
[root@centos5-64-herc tls]# rpm -V openssl
.M....G.    /etc/pki/CA
S.5....T  c /etc/pki/tls/openssl.cnf
[root@centos5-64-herc tls]# openssl x509 -text -noout -in /etc/pki/tls/certs/ca-bundle.crt | grep -i "Not After"
            Not After : Jan  7 23:59:59 2010 GMT
[root@centos5-64-herc tls]# openssl x509 -text -noout -in /etc/pki/tls/certs/ca-bundle.crt
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            02:ad:66:7e:4e:45:fe:5e:57:6f:3c:98:19:5e:dd:c0
        Signature Algorithm: md2WithRSAEncryption
        Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        Validity
            Not Before: Nov  9 00:00:00 1994 GMT
            Not After : Jan  7 23:59:59 2010 GMT
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

        Subject: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1000 bit)
                Modulus (1000 bit):
                    00:92:ce:7a:c1:ae:83:3e:5a:aa:89:83:57:ac:25:
                    01:76:0c:ad:ae:8e:2c:37:ce:eb:35:78:64:54:03:
                    e5:84:40:51:c9:bf:8f:08:e2:8a:82:08:d2:16:86:
                    37:55:e9:b1:21:02:ad:76:68:81:9a:05:a2:4b:c9:
                    4b:25:66:22:56:6c:88:07:8f:f7:81:59:6d:84:07:
                    65:70:13:71:76:3e:9b:77:4c:e3:50:89:56:98:48:
                    b9:1d:a7:29:1a:13:2e:4a:11:59:9c:1e:15:d5:49:
                    54:2c:73:3a:69:82:b1:97:39:9c:6d:70:67:48:e5:
                    dd:2d:d6:c8:1e:7b
                Exponent: 65537 (0x10001)
    Signature Algorithm: md2WithRSAEncryption
        65:dd:7e:e1:b2:ec:b0:e2:3a:e0:ec:71:46:9a:19:11:b8:d3:
        c7:a0:b4:03:40:26:02:3e:09:9c:e1:12:b3:d1:5a:f6:37:a5:
        b7:61:03:b6:5b:16:69:3b:c6:44:08:0c:88:53:0c:6b:97:49:
        c7:3e:35:dc:6c:b9:bb:aa:df:5c:bb:3a:2f:93:60:b6:a9:4b:
        4d:f2:20:f7:cd:5f:7f:64:7b:8e:dc:00:5c:d7:fa:77:ca:39:
        16:59:6f:0e:ea:d3:b5:83:7f:4d:4d:42:56:76:b4:c9:5f:04:
        f8:38:f8:eb:d2:5f:75:5f:cd:7b:fc:e5:8e:80:7c:fc:50
[root@centos5-64-herc tls]#
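
A check that covers the whole bundle, as an added example that is not part of this bug report or of the openssl package: `openssl x509 -in <file>` reads only the first PEM block in the file, so the output above describes a single certificate (the 1994 RSA Data Security root with its md2WithRSAEncryption signature and 1000-bit key), not every CA in ca-bundle.crt. The script below splits a PEM bundle into its certificates, reports each one's expiry, signature algorithm and subject, and lists the subjects one bundle carries that another lacks, which is the comparison the two attachments to this bug make against the current Mozilla list. It assumes `openssl`, `awk`, `sed`, `sort`, `comm` and `mktemp` are on PATH; the function names, the `-checkend` look-ahead argument and the sample bundle used to exercise it are my own, not anything from the bug.

```shell
#!/bin/sh
# Added example (not from this bug or the openssl package): audit every
# certificate in a PEM CA bundle instead of only the first one.
#
# Assumptions: openssl, awk, sed, sort, comm and mktemp are on PATH, and the
# bundle is PEM with one "-----BEGIN CERTIFICATE-----" block per CA, as
# /etc/pki/tls/certs/ca-bundle.crt is. Text between blocks (the subject
# comments in ca-bundle.crt) is ignored.

# split_bundle BUNDLE DIR: write each PEM certificate to DIR/001.pem, 002.pem, ...
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n); inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
    ' "$1"
}

# cert_subject FILE: the subject DN without the "subject=" prefix
# (OpenSSL 1.0 prints "subject= /C=..", 1.1+ prints "subject=C = ..").
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# audit_bundle BUNDLE [SECONDS]: print one tab-separated line per certificate:
#   STATUS  notAfter  signatureAlgorithm  subject
# STATUS is EXPIRED when the certificate is no longer valid SECONDS from now
# (default 0: already expired), else OK. Returns 1 if any is EXPIRED.
# Weak signature algorithms (md2*, md5*) show up in the third column.
audit_bundle() {
    bundle=$1; horizon=${2:-0}
    tmp=$(mktemp -d) || return 2
    split_bundle "$bundle" "$tmp"
    bad=0
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || break          # bundle contained no certificates
        if openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null 2>&1; then
            status=OK
        else
            status=EXPIRED; bad=1
        fi
        enddate=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        sigalg=$(openssl x509 -in "$pem" -noout -text | awk '/Signature Algorithm/ { print $3; exit }')
        printf '%s\t%s\t%s\t%s\n' "$status" "$enddate" "$sigalg" "$(cert_subject "$pem")"
    done
    rm -rf "$tmp"
    return $bad
}

# bundle_subjects BUNDLE: sorted subject DNs, one per line
bundle_subjects() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || break
        cert_subject "$pem"
    done | sort
    rm -rf "$tmp"
}

# subject_diff OLD NEW: subjects present in NEW but absent from OLD, i.e. the
# CAs a newer bundle carries that the old one lacks (what the attachments list).
subject_diff() {
    old=$(mktemp) && new=$(mktemp) || return 2
    bundle_subjects "$1" > "$old"
    bundle_subjects "$2" > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Usage: sh audit_bundle.sh [BUNDLE [SECONDS]]
if [ "$#" -gt 0 ]; then
    audit_bundle "$@"
fi
```

The second argument is a look-ahead in seconds, so `audit_bundle /etc/pki/tls/certs/ca-bundle.crt 7776000` lists the roots that expire within 90 days rather than only those already past their notAfter. To see what a current bundle adds, run `subject_diff /etc/pki/tls/certs/ca-bundle.crt cacert.pem` against the file linked in the description. Until the package is updated, `curl --cacert cacert.pem URL` verifies against that newer bundle; the `-k` option mentioned in curl's error text disables verification altogether and is not a fix.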

Comment 4 Tomas Mraz 2013-10-31 10:32:54 UTC
This Bugzilla has been reviewed by Red Hat and is not planned on being
addressed in Red Hat Enterprise Linux 5, and therefore will be closed.
If this bug is critical to production systems, please contact your Red
Hat support representative and provide sufficient business
justification.