# Missing root certificate(?) [Verisign EV]

## fuzzykiller

I've got some SSL errors in PHP recently, with steamcommunity.com.

Sure enough, checking the server certificate confirms the problem:

```
jupiter certs # openssl s_client -showcerts -connect steamcommunity.com:443 -CApath /etc/ssl/certs/
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=602290773/C=US/ST=Washington/L=Bellevue/O=Valve Corporation/OU=Steam/OU=Terms of use at www.verisign.com/rpa (c)05/CN=steamcommunity.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
-----BEGIN CERTIFICATE-----
MIIGMzCCBRugAwIBAgIQab7M2+WbXblA6X67NZTQWDANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
HhcNMTEwMzA3MDAwMDAwWhcNMTMwMzA5MjM1OTU5WjCCARgxEzARBgsrBgEEAYI3
PAIBAxMCVVMxGzAZBgsrBgEEAYI3PAIBAhQKV2FzaGluZ3RvbjEdMBsGA1UEDxMU
UHJpdmF0ZSBPcmdhbml6YXRpb24xEjAQBgNVBAUTCTYwMjI5MDc3MzELMAkGA1UE
BhMCVVMxEzARBgNVBAgUCldhc2hpbmd0b24xETAPBgNVBAcUCEJlbGxldnVlMRow
GAYDVQQKFBFWYWx2ZSBDb3Jwb3JhdGlvbjEOMAwGA1UECxQFU3RlYW0xMzAxBgNV
BAsUKlRlcm1zIG9mIHVzZSBhdCB3d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNTEb
MBkGA1UEAxQSc3RlYW1jb21tdW5pdHkuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEA4eXjyOWU7UT/ks/nIxQmjTH3jJnUiIHsbZljNJgyRzD1Z2qR
bUHRlqlzgNMr/QQ8V9pKdlBgXqym8oHnHg04H2cdnK8X7FnCSOT7DPVb/cE/YfdN
4wFzTntBRqbFnTVDoMuutj1JOo1EQr+ImvswY4Vh0Lj55LNBl58XRKzzlBq7dTbG
jfCcIki52wPxucP1ltGNPQdHeZQ6yjoVsw7oehyzCXk00/0XTVBgxRMokc1pd/r1
3cmd4Yf+XUe4yul6Ns7lnlU1TyEfJZFTCxGB6zfkdGelXDEO0RHfayf8MLZ05CIq
ktrZzCdbVQj+OhiKQ2FAqOKZnW1V4MekdoDsDwIDAQABo4IBzjCCAcowCQYDVR0T
BAIwADALBgNVHQ8EBAMCBaAwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXBjAqMCgG
CCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMD4GA1UdHwQ3
MDUwM6AxoC+GLWh0dHA6Ly9FVkludGwtY3JsLnZlcmlzaWduLmNvbS9FVkludGwy
MDA2LmNybDAoBgNVHSUEITAfBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIE
ATAfBgNVHSMEGDAWgBROQ8gddu83U3pP8lhvlPM44tW93zBvBggrBgEFBQcBAQRj
MGEwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTA5BggrBgEF
BQcwAoYtaHR0cDovL0VWSW50bC1haWEudmVyaXNpZ24uY29tL0VWSW50bDIwMDYu
Y2VyMG4GCCsGAQUFBwEMBGIwYKFeoFwwWjBYMFYWCWltYWdlL2dpZjAhMB8wBwYF
Kw4DAhoEFEtruSiWBgy70FI4mymsSweLIQUYMCYWJGh0dHA6Ly9sb2dvLnZlcmlz
aWduLmNvbS92c2xvZ28xLmdpZjANBgkqhkiG9w0BAQUFAAOCAQEAI1XuqSWN5B2C
VXtbaVnpCfVgKLafoL1758Sx6t39ZupLX6kQeA9v83u28E6iaNItvj1Qf3CwcZmG
twxvglikqGMVgGgXKBOaWlS8AEIq4hmFCBKagJVfA2DGz9JJCMsjaFRaU2CEx7I1
BZaq7xALRzQ9m/yi8WFg3BxIeYgY8O8FzJQar9QhHDwmD5O/bHpbvuOTcp+b51GJ
eLOGZnT4udTKYSCqnR+dyTo1FAe9p9VuZ+4VW0JNkvusfZuh3YxvdwcX6n1zYnzh
h5LClbfbyiwcyQ4w7HLVfkIxahWRdGwsw9GMHBlL1aldpBozFhY5gqlmBJeCiSny
kNTUWCncPw==
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
MIIFEzCCBHygAwIBAgIQV7/7A/ssRtThns7g10N/EzANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDYxMTA4MDAwMDAwWhcNMjExMTA3MjM1OTU5WjCByjELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2lnbiwgSW5jLiAtIEZv
ciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJpU2lnbiBDbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzUwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1nmAMqudLO07cfLw8
RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbext0uz/o9+B1fs70Pb
ZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIzSdhDY2pSS9KP6HBR
TdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQGBO+QueQA5N06tRn/
Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+rCpSx4/VBEnkjWNH
iDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/NIeWiu5T6CUVAgMB
AAGjggHeMIIB2jAPBgNVHRMBAf8EBTADAQH/MDEGA1UdHwQqMCgwJqAkoCKGIGh0
dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA4GA1UdDwEB/wQEAwIBBjBt
BggrBgEFBQcBDARhMF+hXaBbMFkwVzBVFglpbWFnZS9naWYwITAfMAcGBSsOAwIa
BBSP5dMahqyNjmvDz4Bq1EgYLHsZLjAlFiNodHRwOi8vbG9nby52ZXJpc2lnbi5j
b20vdnNsb2dvLmdpZjA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczAdBgNVHQ4EFgQUf9Nlp8Ld7Lvw
MAnzQzn6Aq8zMTMwNAYDVR0lBC0wKwYJYIZIAYb4QgQBBgpghkgBhvhFAQgBBggr
BgEFBQcDAQYIKwYBBQUHAwIwgYAGA1UdIwR5MHehY6RhMF8xCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJs
aWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eYIQcLrkHRDZKTS2OMp7
A8y6vzANBgkqhkiG9w0BAQUFAAOBgQCpe2YpMPfVtKaWEtDucvBYEWkVVV9B/9IS
hBOk2QNm/6ngTMntjHKLtNdVOykVYMg8Ie9ELpM9xgsMjSQ/HvsBWnrdg2YU0cf9
MFNIUYWFE6hU4e52ookY05eJesb9s72UYVo6CM8Uk72T/Qmpe1bIALhEWOneW3e9
BxxsCzAwxw==
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
MIIGHjCCBQagAwIBAgIQLEjdkw31WY75PJlUemDtQzANBgkqhkiG9w0BAQUFADCB
yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMTYxMTA3MjM1OTU5WjCBvjEL
MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQg
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMvVmVy
aVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0EwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9Voi6iDRkZM/NyrDu5xlzxXLZ
u0W8taj/g74cA9vtibcuEBolvFXKQaGfC88ZXnC5XjlLnjEcX4euKqqoK6IbOxAj
XxOx3QiMThTag4HjtYzjaO0kZ85Wtqybc5ZE24qMs9bwcZOO23FUSutzWWqPcFEs
A5+X0cwRerxiDZUqyRx1V+n1x+q6hDXLx4VafuRN4RGXfQ4gNEXb8aIJ6+s9nriW
Q140SwglHkMaotm3igE0PcP45a9PjP/NZfAjTsWXs1zakByChQ0GDcEitnsopAPD
TFPRWLxyvAg5/KB2qKjpS26IPeOzMSWMcylIDjJ5Bu09Q/T25On8fb6OCNUfAgMB
AAGjggIIMIICBDAdBgNVHQ4EFgQUTkPIHXbvN1N6T/JYb5TzOOLVvd8wEgYDVR0T
AQH/BAgwBgEB/wIBADA9BgNVHSAENjA0MDIGBFUdIAAwKjAoBggrBgEFBQcCARYc
aHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL2NwczA9BgNVHR8ENjA0MDKgMKAuhixo
dHRwOi8vRVZTZWN1cmUtY3JsLnZlcmlzaWduLmNvbS9wY2EzLWc1LmNybDAOBgNV
HQ8BAf8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMG0GCCsGAQUFBwEMBGEwX6Fd
oFswWTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrU
SBgsexkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMCkG
A1UdEQQiMCCkHjAcMRowGAYDVQQDExFDbGFzczNDQTIwNDgtMS00ODAfBgNVHSME
GDAWgBR/02Wnwt3su/AwCfNDOfoCrzMxMzA9BggrBgEFBQcBAQQxMC8wLQYIKwYB
BQUHMAGGIWh0dHA6Ly9FVlNlY3VyZS1vY3NwLnZlcmlzaWduLmNvbTA0BgNVHSUE
LTArBglghkgBhvhCBAEGCmCGSAGG+EUBCAEGCCsGAQUFBwMBBggrBgEFBQcDAjAN
BgkqhkiG9w0BAQUFAAOCAQEAJ3SmNOodneFT1hydDKdbTKln8vAytwEP+0IYON7k
7knIE8kL7ATDQHEYcnZDAiNdq3vISBQayHsd/PYKnzah0glzcWaWdVE0v5kwUWed
VLcmRaxzCCOGJplx9I7X6jmbBgkjv2LdqMS2faSJBz7zba5AWVB5lzc9Mnh9smNL
+eoIaQ4T7ejPu6wFhsoiz4hiXTwiSdhj1SSmve9c48wgOyLq/ETGqOUf4YbNDE2P
k1PZf+6hCKezMJZJcG6jbD3QY+8lZmPMqrcYF07qcHb2ukKmgDcJTp9miC5rM2bI
wHGkQeta4/wULkuI/a5uW2XpJ+S/5LAjwbJ9W2Il1z4Q1A==
-----END CERTIFICATE-----
---
Server certificate
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Washington/businessCategory=Private Organization/serialNumber=602290773/C=US/ST=Washington/L=Bellevue/O=Valve Corporation/OU=Steam/OU=Terms of use at www.verisign.com/rpa (c)05/CN=steamcommunity.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 5343 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5139C67FFD8A8AB331C4A5BBE6E4C459D90FF44C8CB19AD97F1CAA3E544A2541
    Session-ID-ctx:
    Master-Key: AF7153E2474BE7612DB75CA4156C27B3D7A5B9154273A89E903521150FBA3A89844D86825326D4A60CF0362D92EFC335
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 88 b3 b1 47 0a 8a 19 9b-de 5c 49 6b 30 77 be 71   ...G.....\Ik0w.q
    0010 - 27 01 59 9c 58 e6 98 84-cd 70 a5 3b cd d8 f7 c8   '.Y.X....p.;....
    0020 - 29 8c 61 a8 a9 c6 41 c2-29 75 e7 14 96 08 15 76   ).a...A.)u.....v
    0030 - 9e 43 9d 31 68 cf 62 63-e2 3d dc bf db 78 55 95   .C.1h.bc.=...xU.
    0040 - 01 91 ee dd da 8d 81 64-e4 da d9 8f 7b a8 65 6d   .......d....{.em
    0050 - 64 94 38 19 a5 d5 f7 e4-30 17 30 b6 3b 7b a8 4e   d.8.....0.0.;{.N
    0060 - fa cd e5 92 e8 4e bb 6e-e0 da fe c5 22 a0 09 37   .....N.n...."..7
    0070 - 60 c2 fe a1 a0 45 4f 52-fd 54 a1 b0 fa 4b 54 c8   `....EOR.T...KT.
    0080 - 2a bd bd ab b1 2a ad e7-9d 01 15 e8 df 64 8c 10   *....*.......d..
    0090 - 1e ad dd cc 57 50 54 92-f4 04 80 33 c6 aa ae e8   ....WPT....3....
    00a0 - 4e c0 1c e7 99 53 ec 77-58 6d 4b be e5 d1 f7 9a   N....S.wXmK.....
    00b0 - b5 a7 70 46 ea 5b 2f dd-e6 07 49 2b 88 14 e7 89   ..pF.[/...I+....
    Compression: 1 (zlib compression)
    Start Time: 1320431561
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
```

Same error as with PHP.

Even though the certificate "VeriSign Class 3 Public Primary Certification Authority - G5" says it's issued by "Class 3 Public Primary Certification Authority", which is contained in Gentoo, it won't verify with "openssl verify".

In Firefox, "VeriSign Class 3 Public Primary Certification Authority - G5" is a built-in certificate with issuer == subject. Windows does, however, still list "Class 3 Public Primary Certification Authority" as the parent in the chain.

I've reinstalled ca-certificates three times and cleaned up /etc/ssl/certs, so I guess that's okay. It happens on all Gentoo installations I have.

And now my coffee's cold. P:

/edit:

Also, there's two certificates of this name. I know, this is a Windows screenshot, but...  :Wink: 

The right one is the one Windows has in the certificate store and which is also available on the Verisign website. It's also contained in Firefox. The one on the left is provided by the Steam website.

http://upload.gekl4ut.de/s/Verisign.c8ea48a32d3c6b93ad436bc17e0420ed61632828.PNG

As you can see, the fingerprint is different.

----------

## fuzzykiller

Anyone? To clarify the problem: The certificate verification fails. Now I sure could easily install the other G5 certificate in place of the existing one, but that'll likely break things on the other end. From what I understand, OpenSSL looks for certificates based on a hash of the subject field, which is the same.

So is there any cool solution to this or do I need to ask Valve & Verisign wtf they are doing?

----------

## pigiron

Wow! Confusing and scary.

I was able to repeat the same failure with the steamcommunity.com certs... but have not found an answer as to why they don't verify.

I even downloaded the root certificate(s) from VeriSign's website and unsuccessfully used those for verification using "openssl verify". Once I got rid of the carriage returns, and added an ending new line at the end of the file(s), they matched Firefox's root certs exactly... so I guess that's not too surprising.

At first I thought the problem could be that one of the certificates from the cert chain downloaded from steamcommunity.com was signed by "VeriSign Class 3 Public Primary Certification Authority - G5"... and a root cert exists for that in the Firefox package... and if you use the "-issuer_hash" parameter on the "openssl x509" command against that steamcommunity downloaded cert, the hash matches that root cert found in /etc/ssl/certs.

BUT... another cert downloaded in the cert chain from steamcommunity.com shows that the "VeriSign Class 3 Public Primary Certification Authority - G5" cert was actually signed by the "Class 3 Public Primary Certification Authority" root certificate... and that root cert also exists in the Firefox package... and the issuer hash of that Steam cert also matches one of those found in /etc/ssl/certs.

Why there are two possible root certs for Steam's cert chain I have no idea, and it doesn't sound like a great idea.

So... my thought was that the verify operation was getting confused about which root cert it should be using. So I copied all the certs from Firefox into the /tmp directory, then removed the "VeriSign Class 3 Public Primary Certification Authority - G5" cert. Next I did a "cat" on all the remaining certs, and used that file as the trusted certs in the "openssl verify" command. But the command still complains exactly the same.

I don't have a Windows box, so I can't go there... and you unfortunately use the following to explain some of it:

"Also, there's two certificates of this name."

But you talk about multiple certs, so I'm confused about which one you mean... but none of the certs that I downloaded from the Steam site are root certs (and that's normal), so I would expect any fingerprints to be different.

I even tried some "openssl ocsp" operations to see if the cert(s) were revoked, but hit an "unauthorized" problem... such is life I guess.

So like I said... confusing and scary.

----------

## fuzzykiller

I didn't have much time lately, but maybe I've got a few things wrong. From what I understand, there is a unique relation between issuer certificate and subject certificate, which is what openssl verify and hopefully any application checks. The flaw is that while the relation is unique, it is still based on the CN of the certificates, which are not unique. So a less sophisticated algorithm might select the wrong issuer certificate for verification, which then fails.

I guess the question really is: Is it possible to move away from this CN-based certificate lookup? It clearly breaks the moment there's two certificates with the same CN.

----------
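The thread circles around one mechanism: OpenSSL's CApath lookup finds candidate issuers by a hash of the subject name, so a self-signed root and a cross-signed certificate with the same subject (as in pigiron's `-issuer_hash` experiments and fuzzykiller's "CN-based lookup" question) land on the same hash, and only the fingerprint and the key identifiers tell them apart. The script below is an added example, not code from the thread or from any poster: it builds a constructed mini-PKI with invented names (an old root, a "G5" CA that exists both as a self-signed root and as a cross-signed copy issued by the old root, and a leaf for `example.test`), then shows the colliding subject hashes, the differing fingerprints, the matching Subject/Authority Key Identifiers, the `hash.0`/`hash.1` files a `c_rehash`-style directory gets, and an `openssl verify` run against that directory. It assumes an OpenSSL 1.1.1 or newer command line (for `-ext` and `-no-CAfile`) and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed PKI: two CA certs with the same
# subject and key (self-signed root + cross-signed copy) and a leaf under them.

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'

LEAF_EXT='basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
subjectAltName=DNS:example.test'

# newkey_csr DIR NAME SUBJECT: EC key + CSR (fast to generate, enough for the demo).
newkey_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -subj "$3" -out "$1/$2.csr" 2>/dev/null
}

# make_demo_pki DIR: writes old_root.pem, g5_root.pem, g5_cross.pem, leaf.pem.
make_demo_pki() {
    d=$1
    mkdir -p "$d"
    printf '%s\n' "$CA_EXT" > "$d/ca.ext"
    printf '%s\n' "$LEAF_EXT" > "$d/leaf.ext"
    newkey_csr "$d" old "/O=Demo CA/CN=Demo Old Root"
    openssl x509 -req -in "$d/old.csr" -signkey "$d/old.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/old_root.pem" 2>/dev/null
    # One "G5" key and one CSR, signed twice: (a) by itself, (b) by the old root.
    newkey_csr "$d" g5 "/O=Demo CA/CN=Demo Class 3 G5"
    openssl x509 -req -in "$d/g5.csr" -signkey "$d/g5.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/g5_root.pem" 2>/dev/null
    openssl x509 -req -in "$d/g5.csr" -CA "$d/old_root.pem" -CAkey "$d/old.key" \
        -CAcreateserial -days 3650 -extfile "$d/ca.ext" -out "$d/g5_cross.pem" 2>/dev/null
    # Leaf signed with the G5 key; either G5 certificate can sit above it.
    newkey_csr "$d" leaf "/CN=example.test"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/g5_cross.pem" -CAkey "$d/g5.key" \
        -CAcreateserial -days 365 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# What CApath lookup hashes (subject name) versus what actually identifies a cert.
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }
fingerprint()  { openssl x509 -noout -sha256 -fingerprint -in "$1" | sed 's/^.*=//'; }
# SKI of the issuer must equal the AKI of the cert it signed; names play no part.
ski() { openssl x509 -noout -ext subjectKeyIdentifier   -in "$1" | sed -n '2p' | tr -d ' '; }
aki() { openssl x509 -noout -ext authorityKeyIdentifier -in "$1" | sed -n '2p' | tr -d ' ' | sed 's/^keyid://'; }

# build_capath DIR CERT...: what c_rehash / "openssl rehash" do; same subject hash
# gets .0, .1, ... and OpenSSL tries each suffix in turn when it looks for an issuer.
build_capath() {
    dir=$1; shift
    mkdir -p "$dir"
    for cert in "$@"; do
        h=$(subject_hash "$cert"); n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        cp "$cert" "$dir/$h.$n"
    done
}

# verify_leaf CAPATH UNTRUSTED_CHAIN LEAF: the check PHP/s_client perform, minus defaults.
verify_leaf() {
    openssl verify -no-CAfile -CApath "$1" -untrusted "$2" "$3"
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "subject hash, self-signed G5 : $(subject_hash "$d/g5_root.pem")"
    echo "subject hash, cross-signed G5: $(subject_hash "$d/g5_cross.pem")"
    echo "issuer hash of leaf          : $(issuer_hash "$d/leaf.pem")"
    echo "fingerprint, self-signed G5  : $(fingerprint "$d/g5_root.pem")"
    echo "fingerprint, cross-signed G5 : $(fingerprint "$d/g5_cross.pem")"
    echo "SKI of both G5 certs         : $(ski "$d/g5_root.pem") / $(ski "$d/g5_cross.pem")"
    echo "AKI of leaf                  : $(aki "$d/leaf.pem")"
    build_capath "$d/capath_all" "$d/g5_root.pem" "$d/g5_cross.pem" "$d/old_root.pem"
    ls "$d/capath_all"
    verify_leaf "$d/capath_all" "$d/g5_cross.pem" "$d/leaf.pem"
    # Store holds only the self-signed G5; the server-style chain carries the cross cert.
    build_capath "$d/capath_g5only" "$d/g5_root.pem"
    verify_leaf "$d/capath_g5only" "$d/g5_cross.pem" "$d/leaf.pem" \
        || echo "(no trusted-first: chain followed to the missing old root, error 20)"
    rm -rf "$d"
}

main "$@"
```

Run it with `sh demo.sh`. Both G5 certificates print the same subject hash (the value the leaf's `-issuer_hash` also reports) and the same SKI, but different fingerprints; the CApath directory ends up with `<hash>.0` and `<hash>.1`, and verification against the full store succeeds. The last call is the situation from the thread: with OpenSSL 1.1.0 and later it still succeeds, because a trusted certificate is preferred over the cross-signed one supplied in the chain (`X509_V_FLAG_TRUSTED_FIRST` became the default there), whereas earlier releases followed the supplied cross certificate up to an issuer the store did not have and stopped with error 20.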

