Two error messages from my web browser (Opera) when trying to connect to https://bugs.gentoo.org/

(1) This site is using an outdated encryption method which is no longer classified as secure. It cannot sufficiently protect sensitive data. Do you wish to continue?

(2) The root certificate from "CA Cert Signing Authority" is not known to Opera. Opera cannot decide if this certificate can be trusted.

Reproducible: Always

Steps to Reproduce:
1. Connect to https://bugs.gentoo.org/
2.
3.

Actual Results:
Should show a security padlock and no certificate warnings/errors.

Expected Results:
Get the error message above.

You should configure the web server correctly. It has to present all intermediate certificates to the web browser. You can assume that only the Root certificate is already installed on my system.

The message about the outdated/weak encryption method is another issue.

I've classed this as a "major" problem because, if you think you need a https connection at all, then you must have a major reason for it, and then it should be implemented correctly.
This is not a major bug; your logic for why people use https is flawed.

You can import CAcert's root certs from here: http://www.cacert.org/index.php?id=3

The SSL chain which shows that the root cert is self-signed by CAcert:

    mike@koala ~ $ openssl s_client -connect bugs.gentoo.org:443 -verify 10
    verify depth is 10
    CONNECTED(00000003)
    depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    verify error:num=19:self signed certificate in certificate chain
    verify return:1
    depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    verify return:1
    depth=1 /O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
    verify return:1
    depth=0 /C=US/ST=New Mexico/L=Albuquerque/O=GENTOO Foundation, Inc./OU=Gentoo Infrastructure/CN=bugs.gentoo.org
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=New Mexico/L=Albuquerque/O=GENTOO Foundation, Inc./OU=Gentoo Infrastructure/CN=bugs.gentoo.org
       i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
     1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
       i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
     2 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
       i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
    ---
There's no point in importing a security certificate from a http: link - I cannot trust it.
Here's an SSL link to find the root cert: https://www.cacert.org/index.php?id=3

But you're still in the catch-22 that it's used to sign that same page you're getting it from. The ca-certificates package already includes these certificates as well, so you can just install from there too, and avoid going over the Internet at all.

Also, we DO present the entire chain:
- bugs.gentoo.org
- CAcert Class 3 Root
- CA Cert Signing Authority (root).
I think I found the problem. CA Cert issues only self-signed certificates, and they did not submit their root certificate to the root certificate store of my browser. (Nor to those of any other browser, if I can believe Wikipedia: http://en.wikipedia.org/wiki/Cacert .) That's why my browser does not trust the bugs.gentoo.org certificate and I cannot verify the https link. Probably with non-browser software I could use the Gentoo certificate store to verify the link, but that's not so useful when I'm trying to open a website. This issue will be resolved when CA Cert completes submission of their certificates to the browser root stores.
- Any root certificates are by definition self-signed.
- No CA issues self-signed certificates.
- Work is ongoing to make browsers use the system cert store instead of their own.
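The two questions argued over in this thread (did the server send every intermediate, and does the path end at a root the client trusts?) can be answered offline from the openssl s_client output quoted above. The script below is an added example, not code from this bug or from Gentoo infrastructure: it parses the "Certificate chain" section (assumed copied verbatim into SAMPLE_CHAIN), follows issuer-to-subject links among the presented certificates, and reports a missing intermediate, an untrusted anchor, or out-of-order delivery. Function and variable names are the example's own; it compares distinguished names only and does not check signatures.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample input: the "Certificate chain" section that
# `openssl s_client -connect bugs.gentoo.org:443` printed in the thread
# (leaf at index 0, the self-signed root at 1, the intermediate at 2).
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=New Mexico/L=Albuquerque/O=GENTOO Foundation, Inc./OU=Gentoo Infrastructure/CN=bugs.gentoo.org
   i:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 2 s:/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
"""

# Distinguished names taken from the output above, used as a stand-in
# for entries of a trust store (a real store holds the certificates).
CACERT_ROOT = ("/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority"
               "/emailAddress=support@cacert.org")
CACERT_CLASS3 = "/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert Class 3 Root"

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.+)$")
_ISSUER = re.compile(r"^\s*i:(.+)$")


class Cert(NamedTuple):
    index: int      # position in the handshake, as printed by openssl
    subject: str
    issuer: str


def parse_chain(text: str) -> List[Cert]:
    """Turn the 's:' / 'i:' pairs of the 'Certificate chain' section into
    Cert records, in the order the server sent them."""
    certs: List[Cert] = []
    lines = text.splitlines()
    for n, line in enumerate(lines[:-1]):
        m_s = _SUBJECT.match(line)
        m_i = _ISSUER.match(lines[n + 1])
        if m_s and m_i:
            certs.append(Cert(int(m_s.group(1)), m_s.group(2).strip(),
                              m_i.group(1).strip()))
    return certs


def check_chain(certs: List[Cert], trusted_roots: Set[str]) -> Dict[str, object]:
    """Walk from the leaf towards the root by matching each certificate's
    issuer against the subjects the server presented.

    path               subjects visited, leaf first
    missing_issuer     an issuer neither sent nor trusted (None if chain complete)
    root_in_handshake  True if a self-signed certificate was sent
    anchored           True if some issuer on the path is in trusted_roots
    in_order           True if the path was sent in issuing order (leaf first,
                       each certificate followed by its issuer)
    """
    by_subject = {c.subject: c for c in certs}
    result: Dict[str, object] = {"path": [], "missing_issuer": None,
                                 "root_in_handshake": False, "anchored": False,
                                 "in_order": bool(certs)}
    if not certs:
        return result
    cur = certs[0]
    seen: Set[str] = set()
    position = 0
    while cur.subject not in seen:          # stops on a cycle of issuers
        seen.add(cur.subject)
        result["path"].append(cur.subject)
        if cur.index != position:
            result["in_order"] = False
        position += 1
        if cur.issuer in trusted_roots:
            result["anchored"] = True
        if cur.issuer == cur.subject:        # self-signed: a root was sent
            result["root_in_handshake"] = True
            break
        nxt = by_subject.get(cur.issuer)
        if nxt is None:                      # issuer not in the handshake
            if cur.issuer not in trusted_roots:
                result["missing_issuer"] = cur.issuer
            break
        cur = nxt
    return result


def verdict(result: Dict[str, object]) -> str:
    """One-line summary in the order a client would fail on it."""
    if result["missing_issuer"]:
        return "incomplete chain: server did not send issuer " + str(result["missing_issuer"])
    if not result["anchored"]:
        return "complete chain, but its root is not in the trust store"
    if not result["in_order"]:
        return "chain verifies, but certificates were sent out of order"
    return "chain verifies"


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    print("browser without the CAcert root:", verdict(check_chain(chain, set())))
    print("client with the CAcert root:   ", verdict(check_chain(chain, {CACERT_ROOT})))
```

Run with an empty trust store the verdict reproduces the reporter's situation: the server did send the full chain, including the self-signed CAcert root, so the failure is a missing trust anchor on the client, not a missing intermediate on the server. With the root trusted, the only finding left is that the server sent the root before the intermediate; tolerant clients reorder, stricter ones may not. To check a live host, paste the "Certificate chain" section of a fresh `openssl s_client -connect host:443` run into SAMPLE_CHAIN.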