= bug description =
kojipkgs.fedoraproject.org sends the server certificate twice: once at the start of the chain, then again as the first intermediate. Then it sends a DigiCert intermediate as the third and final cert.
= bug analysis =
{{{
$ gnutls-cli kojipkgs.fedoraproject.org
Processed 182 CA certificate(s).
Resolving 'kojipkgs.fedoraproject.org'...
Connecting to '209.132.181.10:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedoraproject.org', issuer `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA', RSA key 4096 bits, signed using RSA-SHA256, activated `2014-04-22 00:00:00 UTC', expires `2017-04-26 12:00:00 UTC', SHA-1 fingerprint `397a9c0813c2fb2e708063109586ff8805cfb86e'
	Public Key ID: 5fdf01b948c3491e6ad97783db51802d1dae2d7d
	Public key's random art:
		+--[ RSA 4096]----+
		| o +oo.|
		| B =.= .|
		| + B .+ |
		| . . ++ o|
		| S .+oooE|
		| . . o o.|
		| . . .|
		| |
		| |
		+-----------------+
- Certificate[1] info:
 - subject `C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedoraproject.org', issuer
   `2014-04-22 00:00:00 UTC', expires
- Certificate[2] info:
 - subject `C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA', issuer
   `2013-10-22 12:00:00 UTC', expires
}}}
So Certificate[0] == Certificate[1]. Most tools (including gnutls-cli) will ignore the duplicate cert, but it's arguably invalid. glib-networking prior to 2.42 will reject a chain unless each certificate is followed by its issuer. This is probably why you can't connect to this site e.g. using libsoup on RHEL 7.1. I think F20 will be broken too. Easiest way to test would be to just try loading the page in Epiphany.
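Added example, not part of the ticket: a small model of the two client behaviours described above, run over a chain constructed from the gnutls-cli output (leaf, leaf again, DigiCert intermediate). The dict structure, the `PLACEHOLDER-*` values for fields the ticket does not show, and the function names are assumptions.

```python
"""Chain-order checks for a served TLS certificate list.

Each certificate is a dict with 'subject', 'issuer' and 'fingerprint' keys
(hypothetical structure; real code would fill these from parsed X.509 data).
"""

# Constructed from the ticket's gnutls-cli output. The leaf is sent twice,
# then the DigiCert intermediate; its issuer and fingerprint are placeholders.
LEAF = {
    "subject": "C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedoraproject.org",
    "issuer": "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA",
    "fingerprint": "397a9c0813c2fb2e708063109586ff8805cfb86e",
}
INTERMEDIATE = {
    "subject": "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA",
    "issuer": "PLACEHOLDER-ROOT-DN",
    "fingerprint": "PLACEHOLDER-INTERMEDIATE-FINGERPRINT",
}
SERVED_CHAIN = [LEAF, dict(LEAF), INTERMEDIATE]


def strict_chain_problems(chain):
    """The rule glib-networking < 2.42 enforced: every certificate must be
    followed by the certificate that issued it. Empty list means acceptable."""
    problems = []
    for i in range(len(chain) - 1):
        cur, nxt = chain[i], chain[i + 1]
        if nxt["subject"] != cur["issuer"]:
            problems.append("cert[%d] is not followed by its issuer (got %r)"
                            % (i, nxt["subject"]))
    return problems


def duplicate_indexes(chain):
    """Positions of certificates already seen earlier in the list."""
    seen, dups = set(), []
    for i, cert in enumerate(chain):
        if cert["fingerprint"] in seen:
            dups.append(i)
        seen.add(cert["fingerprint"])
    return dups


def normalised_chain(chain):
    """What a tolerant client effectively does: drop duplicates, then walk from
    the leaf, picking each certificate's issuer out of the remaining pool."""
    pool = [c for i, c in enumerate(chain) if i not in duplicate_indexes(chain)]
    ordered, remaining = [pool[0]], pool[1:]
    while remaining:
        nxt = next((c for c in remaining if c["subject"] == ordered[-1]["issuer"]), None)
        if nxt is None:
            break  # no issuer served for the last cert; stop with what we have
        ordered.append(nxt)
        remaining.remove(nxt)
    return ordered
```

`strict_chain_problems(SERVED_CHAIN)` reports the break at cert[0], which is exactly why the strict client rejects the site, while `normalised_chain` yields the two-certificate order the fix recommendation asks the server to send.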
= fix recommendation =
Send the Fedora cert only once. With Apache, I think you'll have one file for the server cert and one for all the intermediates: the DigiCert cert is your only intermediate so it should be alone in that file.
This very much looks like: http://bugs.squid-cache.org/show_bug.cgi?id=3849
which was fixed a while ago upstream, but isn't in the rhel7 version of squid we are using. ;(
Will see if we can get them to backport it: https://bugzilla.redhat.com/show_bug.cgi?id=1204375
ok, we have deployed a squid package with the fix that will be in some future rhel 7 package.
Please let us know if you still see any issues here.