[Pkg-openssl-devel] Bug#541735: libssl0.9.8: unknown message digest algorithm error in heirloom-mailx

Paul Vojta vojta at math.berkeley.edu
Sun Aug 16 01:02:58 UTC 2009


Package: libssl0.9.8
Version: 0.9.8k-4
Severity: important

With the above version of libssl0.9.8, I get the following error output when
trying to run heirloom-mailx:

> % heirloom-mailx
> Error with certificate at depth: 2 issuer = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority subject = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> err 7: certificate signature failure
> Continue (y/n)? n
> could not initiate SSL/TLS connection: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

This does not occur if I revert back to libssl0.9.8 version 0.9.8k-1.

I believe that I can reproduce the error with the "openssl" command-line
program, using the command:

% openssl s_client -connect calmail.berkeley.edu:143 -CAfile /etc/ssl/certs/ca-certificates.crt -starttls imap

I have attached the output of running the above command with versions
0.9.8k-4 and 0.9.8k-1 of libssl0.9.8.  (In both cases /usr/bin/openssl was
from openssl version 0.9.8k-4.)


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30
Locale: LANG=C, LC_CTYPE=en_US.ISO-8859-1 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages libssl0.9.8 depends on:
ii  debconf [debconf-2.0]  1.5.27            Debian configuration management sy
ii  libc6                  2.9-24            GNU C Library: Shared libraries
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

libssl0.9.8 recommends no packages.

libssl0.9.8 suggests no packages.

-- debconf information:
  libssl0.9.8/restart-failed:
  libssl0.9.8/restart-services:
-------------- next part --------------
% openssl s_client -connect calmail.berkeley.edu:143 -CAfile /etc/ssl/certs/ca-certificates.crt -starttls imap
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
verify return:1
depth=0 /C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3630 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 6C4CDBA499897F824514138C17AC3E0EE436EB8EC60A219917A273D7AFA2ABE9
    Session-ID-ctx: 
    Master-Key: 4FE917EA10419AA67C808B3CBEEBA7B6780760C52CD260D8536176812A843BAC8F902FA4676DEDB6FFB4B03DBC3A6E47
    Key-Arg   : None
    Start Time: 1250383531
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
. OK Completed
DONE
-------------- next part --------------
% openssl s_client -connect calmail.berkeley.edu:143 -CAfile /etc/ssl/certs/ca-certificates.crt -starttls imap
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=7:certificate signature failure
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Berkeley/O=UC Berkeley/OU=IST-IS-IAAS/CN=calmail.berkeley.edu
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3630 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 51C807DC5B93C1B9F97C3C8F279D8DCC5CCD8F35B110654777F6A4B88CF1A299
    Session-ID-ctx: 
    Master-Key: 32CF179DEA51737C5509D335AFD8E6D5DEBE449FA08259613BD78B41B8EB03E9CD8F3D101637D105C9EF7C8124915C57
    Key-Arg   : None
    Start Time: 1250383611
    Timeout   : 300 (sec)
    Verify return code: 7 (certificate signature failure)
---
. OK Completed
DONE
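
Added example, not part of the original report or of OpenSSL: a small Python parser for `openssl s_client` transcripts like the two attached above. It extracts the per-depth verify errors and the final verify return code, and lists failures that appear only in the second run. The function names and the abridged sample transcripts are assumptions made for this illustration.

```python
import re

DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
FINAL_RE = re.compile(r"^\s*Verify return code: (\d+) \((.+)\)$")

def parse_s_client(transcript):
    """Collect per-certificate verify errors and the final verify code."""
    errors, final, depth, subject = [], None, None, None
    for line in transcript.splitlines():
        if m := DEPTH_RE.match(line):
            # s_client prints the subject first, then any error for it
            depth, subject = int(m.group(1)), m.group(2)
        elif m := ERROR_RE.match(line):
            errors.append((depth, subject, int(m.group(1)), m.group(2)))
        elif m := FINAL_RE.match(line):
            final = (int(m.group(1)), m.group(2))
    return {"errors": errors, "final": final}

def chain_verified(transcript):
    """True only when no certificate failed and the final code is 0.
    The failing run in the report still reached '. OK Completed'."""
    r = parse_s_client(transcript)
    return not r["errors"] and r["final"] is not None and r["final"][0] == 0

def new_failures(good, bad):
    """Verify errors present in `bad` but absent from `good`."""
    seen = set(parse_s_client(good)["errors"])
    return [e for e in parse_s_client(bad)["errors"] if e not in seen]

ROOT = "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority"
# Abridged from the two attached transcripts: the run that verifies,
# then the run that fails.
GOOD = f"""depth=2 {ROOT}
verify return:1
    Verify return code: 0 (ok)
. OK Completed
"""
BAD = f"""depth=2 {ROOT}
verify error:num=7:certificate signature failure
verify return:0
    Verify return code: 7 (certificate signature failure)
. OK Completed
"""

if __name__ == "__main__":
    print(chain_verified(GOOD), chain_verified(BAD), new_failures(GOOD, BAD))
```

Both transcripts end with the server answering `. OK Completed`, so a script comparing library versions has to key on the verify lines rather than on whether the session came up.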

