tickets #139007
open
static.opensuse.org SSL problems when using openssl 1.0
Description
Hi,
When connecting to static.opensuse.org with openssl 1.0 (e.g. from SLES 12 SP5), we get a bad chain of certs:
$ openssl s_client -connect static.opensuse.org:443
CONNECTED(00000003)
depth=1 O = Heroes internal CA, CN = Heroes internal CA Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=atlas.infra.opensuse.org
i:/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
1 s:/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
i:/O=Heroes internal CA/CN=Heroes internal CA Root CA
---
Server certificate
This is openssl 1.0.2p.
When using openssl-1_1 on the very same VM:
$ openssl-1_1 s_client -connect static.opensuse.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = static.opensuse.org
verify return:1
Certificate chain
0 s:CN = static.opensuse.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
This is openssl 1.1.1d.
openssl 3 from TW also works.
Both commandline tools connect to the IPv6 address 2a07:de40:b27e:1204::10.
Do you have an idea what could cause this weird issue?
Ciao, Marcus
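
Added example, not part of the ticket: a small parser for the "Certificate chain" section of `openssl s_client` output, run over the two transcripts quoted above to compare what each client was actually served. The function names (`parse_dn`, `parse_chain`, `summarize`) are hypothetical, and the leaf check compares the CN only, as an assumption, because this part of the output does not show subjectAltName.

```python
import re

# Constructed input: chain sections of the ticket's two s_client transcripts.
OUT_10 = """Certificate chain
 0 s:/CN=atlas.infra.opensuse.org
   i:/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
 1 s:/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
   i:/O=Heroes internal CA/CN=Heroes internal CA Root CA
---
"""
OUT_11 = """Certificate chain
 0 s:CN = static.opensuse.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# One attribute in either DN layout: "/O=x/CN=y" (1.0.x) or "O = x, CN = y" (1.1+).
ATTR = re.compile(r"(?:^|/|, )([A-Za-z]+) ?= ?(.*?)(?=(?:/|, )[A-Za-z]+ ?=|$)")

def parse_dn(dn):
    return dict(ATTR.findall(dn.strip()))

def parse_chain(text):
    chain, subject, active = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Certificate chain":
            active = True
        elif active and line == "---":
            break
        elif active and (m := re.match(r"\d+ s:(.*)", line)):
            subject = parse_dn(m.group(1))
        elif active and line.startswith("i:") and subject is not None:
            chain.append((subject, parse_dn(line[2:])))
            subject = None
    return chain

def summarize(text, host):
    chain = parse_chain(text)
    # CN-only heuristic (assumption): real hostname checks use subjectAltName.
    return {
        "leaf_cn": chain[0][0].get("CN"),
        "leaf_is_for_host": chain[0][0].get("CN") == host,
        "linked": all(a[1] == b[0] for a, b in zip(chain, chain[1:])),
        "top_issuer_cn": chain[-1][1].get("CN"),
    }
```

Only the 1.0.2p transcript has a leaf for another name (atlas.infra.opensuse.org), so the two clients were served different certificates rather than validating one chain differently. Since `s_client` in 1.0.2 sends SNI only when `-servername` is given, while 1.1.1 sends it by default, rerunning the 1.0.2 command with `-servername static.opensuse.org` is a check worth making.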