BUG REPORT - Problems with new VeriSign SSL certificates not validating on PGP Universal 3.2.1 or Symantec Encryption Management Server 3.3.0

Article:TECH194325  |  Created: 2012-08-02  |  Updated: 2013-07-23  |  Article URL http://www.symantec.com/docs/TECH194325
Article Type
Technical Solution


Issue



Symantec has received reports of problems from customers who were on a release prior to version 3.x of PGP Universal Server and then upgraded the server to a version prior to Symantec Encryption Management Server 3.3.0 MP2; this includes PGP Universal Server 3.2.1 and older. The problem can also occur on a new installation of Symantec Encryption Management Server 3.3.0.

The problem is that certain SSL certificates issued by VeriSign after Q4 of 2010 no longer validate.

Error

The Clustering SSL or pgptcpwrapper logs in debug mode display a message similar to the following:

TLS [E]: Read zero bytes from the blocking socket
Received TLS alert level=2, type=46

At the normal logging level you might only see an error such as:

failed: the remote system aborted the TLS connection

The cluster logs in debug mode might display an error such as:

DEBUG pgp/cluster[2002]: [CommLink] shutdown link...13a34af[SSL_NULL_WITH_NULL_NULL: Socket[addr=XX.XX.XX.XX,port=444,localport=32734]]

PGP Desktop clients may receive a warning stating that the certificate is invalid. If this is the case, also verify that their Windows CAPI store contains the updated Root Certificate chain.

Environment



PGP Universal Server 3.x server with a PUP update to PGP Universal Server 3.2.1 or Symantec Encryption Management Server 3.3.0

New installation of PGP Universal Server 3.2.1 or newer with a new VeriSign SSL (Basic, Premium or EV) certificate issued on or after Q4 of 2010


Cause



Cause 1)

Symantec Encryption Management Server (previously PGP Universal Server) version 3.3.0 is missing one of the intermediate or Root Certificates from VeriSign under which all new Basic SSL, Premium SSL, and Extended Validation (EV) SSL certificates have been issued since Q4 of 2010. In addition, the newer EV SSL certificates require a Primary Intermediate Certificate that is also missing from the current version of the product.

Cause 2)

If you have already imported the missing root and intermediate certificates into the Trusted Keys section of the server, a PUP update to a version prior to 3.3.0 MP2 (such as 3.3.0 MP1) removes that certificate from Trusted Keys and overwrites the newly imported Root Certificate with the older certificate used for those certificate types (prior to 2010).

Solution



Solution to Cause 1 requires an update to Symantec Encryption Management Server software.

Symantec Corporation is committed to product quality and satisfied customers. This issue is currently being considered by Symantec Corporation to be addressed in a forthcoming version or Maintenance Pack of the product. Please be sure to refer back to this document periodically as any changes to the status of the issue will be reflected here.
 
Cause 2 has been resolved in Symantec Encryption Management Server version 3.3.0 MP2 or later. Please obtain a copy of the latest Symantec Encryption Management Server release on fileconnect at:
 
 
Workaround:

You will need to manually import the Trusted Root Certificate (and also the Primary Intermediate Certificate in the case of an EV SSL certificate) into the Trusted Keys section of the PGP Universal Server.

FYI: As a reference, we obtained the certificates attached to this KB from the following sites.
All the VeriSign Root Certificates can be found here:
All the Intermediate Certificates from VeriSign can be found here:

If you aren't sure which SSL certificate type you have, have a look at this site here.
 
Steps to accomplish this:

1) For most Basic and Premium SSL certificates you can use the copies of the Intermediate Certs attached to this KB. Download the verisign_intermediate_primary.pem and Verisign_intermediate_secondary_plus_root.p7b files, and possibly the verisign_roots.zip file, and save them to a location on your computer.
2) Log in to the PGP Universal Server on port 9000.
3) Click on Keys > Trusted Keys.
4) Click on Add Trusted Key.
5) Click Browse.
6) Select the file(s) that were downloaded from VeriSign's site (one by one) and import them into PGP Universal Server.
7) Select all the trust options, or only the trust options you wish to use for those Certificates.
8) Click Save.
9) Close your browser and then re-access the PGP Universal administrative interface.
10) Use the usual verification methods in your browser to verify the site. This varies by browser, but in the case of an EV SSL certificate you will get the green bar in your address bar.

NOTE: If certificate verification still fails, Apache may need to have its certificate chain file rebuilt. The easiest way to do this is to change the Certificate on the System --> Network tab and then click Save. You can also connect over SSH (for example with PuTTY) and issue the following command, which also rebuilds the Apache configuration and chain file:

pgpsysconf --apache
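The two remedies above (importing the intermediate into Trusted Keys, or shipping it in the Apache chain file) can be reproduced locally. The script below is an added example, not part of the Symantec article: it builds a constructed root -> intermediate -> leaf chain with the openssl CLI (assumed to be on PATH, OpenSSL 1.1.1 or later; all names and the hostname keys.example.test are made up) and shows that the leaf only validates once the intermediate is available to the verifier.

```shell
#!/bin/sh
# Added example (not from the KB). Constructed three-tier chain; the leaf plays
# the role of the new VeriSign certificate, the intermediate the one missing
# from the server's trust store. Requires the openssl CLI (assumption).
set -eu
WORK=$(mktemp -d); cd "$WORK"
trap 'rm -rf "$WORK"' EXIT
# Self-contained req config so nothing depends on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
subjectAltName = DNS:keys.example.test
EOF
# mkcert NAME ISSUER EXTSECTION   (ISSUER "self" produces a self-signed root)
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -config ca.cnf -subj "/CN=$1" 2>/dev/null
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile ca.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -days 1 -extfile ca.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
  fi
}
mkcert root self ca_ext
mkcert intermediate root ca_ext
mkcert leaf intermediate leaf_ext
# Cause 1: trust store holds only the root, so the leaf cannot be chained. A peer
# in this state sends a fatal alert (level 2); type 46 is certificate_unknown (RFC 5246).
verify_root_only() { openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1 || return 1; }
# Fix A (Trusted Keys import): root and intermediate both in the trust store.
verify_trusted_keys() {
  cat root.crt intermediate.crt > trusted.pem
  openssl verify -CAfile trusted.pem leaf.crt >/dev/null 2>&1 || return 1
}
# Fix B (Apache chain file): root trusted, intermediate supplied with the leaf.
verify_chain_file() {
  openssl verify -CAfile root.crt -untrusted intermediate.crt leaf.crt >/dev/null 2>&1 || return 1
}
for check in verify_root_only verify_trusted_keys verify_chain_file; do
  if "$check"; then echo "$check: leaf validates"; else echo "$check: validation FAILED"; fi
done
```

Run it on the server's real files by swapping in the exported leaf, the attached intermediate and the VeriSign root; a failing first check with passing second and third checks confirms the missing-intermediate diagnosis.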

Attachments

verisign_intermediate_primary.pem (2 kBytes)
verisign_roots.zip (48 kBytes)
Verisign_intermediate_secondary_plus_root.p7b (3 kBytes)

Supplemental Materials

Source: ETrack   Value: 2861800
Description: Unable to establish TLS negotiation (tcpwrapper) with VeriSign certificate after updating from 3.2 MP5 to 3.2.1 or later

Source: ETrack   Value: 2686940
Description: Update the trusted root certificate list

Source: ETrack   Value: 2805736
Terms of use for this information are found in Legal Notices