bugzilla-daemon at mindrot.org
2021-Aug-25 12:00 UTC
[Bug 3342] New: openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on ther 3 machines)
https://bugzilla.mindrot.org/show_bug.cgi?id=3342

            Bug ID: 3342
           Summary: openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on ther 3 machines)
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: m.busico at ieee.org

Created attachment 3544
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3544&action=edit
Framework of test

I have a machine with an apache web server (see the framework in attachment sslconfig.txt)

Accessing this server from machine 2 with the command

openssl s_client -connect p01serv.p01.net:443 -servername p01serv.p01.net < /dev/null >sslmachine2error.txt 2>&1

gives the error

---
SSL handshake has read 1503 bytes and written 387 bytes
Verification error: certificate signature failure
---

Data for machine 2 (laptop)
name/address: santech 192.168.68.16
operating system: Linux santech 5.11.0-27-generic #29~20.04.1-Ubuntu SMP Wed Aug 11 15:58:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
openssl version: OpenSSL 1.1.1f 31 Mar 2020
Result file: sslmachine2error.txt

Seems that I can add only one attachment.
Here is the sslmachine2error.txt content

depth=1 C = IT, ST = Italy, L = Rome, O = Busico Mirto, OU Laboratory, CN = Busico Mirto, emailAddress = mirtobusico at gmail.com
verify return:1
depth=0 C = IT, ST = Italy, L = Rome, O = Busico Mirto, OU Laboratory, CN = p01serv
verify error:num=7:certificate signature failure
verify return:1
depth=0 C = IT, ST = Italy, L = Rome, O = Busico Mirto, OU Laboratory, CN = p01serv
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:C = IT, ST = Italy, L = Rome, O = Busico Mirto, OU = Laboratory, CN = p01serv
   i:C = IT, ST = Italy, L = Rome, O = Busico Mirto, OU = Laboratory, CN = Busico Mirto, emailAddress = mirtobusico at gmail.com
---
Server certificate
subject=C = IT, ST = Italy, L = Rome, O = Busico Mirto, OU Laboratory, CN = p01serv

issuer=C = IT, ST = Italy, L = Rome, O = Busico Mirto, OU = Laboratory, CN = Busico Mirto, emailAddress = mirtobusico at gmail.com

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1503 bytes and written 387 bytes
Verification error: certificate signature failure
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 7 (certificate signature failure)
---
DONE

The same command from machine 1, machine 3 and machine 4 works correctly without any error

What can I do / investigate?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Aug-25 12:01 UTC
[Bug 3342] openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on ther 3 machines)
https://bugzilla.mindrot.org/show_bug.cgi?id=3342

Mirto Silvio Busico <m.busico at ieee.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |m.busico at ieee.org
bugzilla-daemon at mindrot.org
2021-Aug-25 12:02 UTC
[Bug 3342] openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on ther 3 machines)
https://bugzilla.mindrot.org/show_bug.cgi?id=3342

Mirto Silvio Busico <m.busico at ieee.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|enhancement                 |minor
bugzilla-daemon at mindrot.org
2021-Aug-25 16:34 UTC
[Bug 3342] openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on other 3 machines)
https://bugzilla.mindrot.org/show_bug.cgi?id=3342

Mirto Silvio Busico <m.busico at ieee.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|openssl s_client gives:     |openssl s_client gives:
                   |Verification error:         |Verification error:
                   |certificate signature       |certificate signature
                   |failure (on 1 machine;      |failure (on 1 machine;
                   |works on ther 3 machines)   |works on other 3 machines)
bugzilla-daemon at mindrot.org
2021-Aug-25 22:52 UTC
[Bug 3342] openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on other 3 machines)
https://bugzilla.mindrot.org/show_bug.cgi?id=3342

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Mirto Silvio Busico from comment #0)
[...]
> What can I do / investigate?

well for a start you could ask the OpenSSL folks over at https://www.openssl.org/community/ or https://github.com/openssl/openssl/issues. This is the bugzilla for OpenSS*H*.
bugzilla-daemon at mindrot.org
2021-Aug-26 11:01 UTC
[Bug 3342] openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on other 3 machines)
https://bugzilla.mindrot.org/show_bug.cgi?id=3342

--- Comment #2 from Mirto Silvio Busico <m.busico at ieee.org> ---
Thanks
bugzilla-daemon at mindrot.org
2021-Aug-27 03:12 UTC
[Bug 3342] openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on other 3 machines)
https://bugzilla.mindrot.org/show_bug.cgi?id=3342

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
bugzilla-daemon at mindrot.org
2022-Feb-25 02:57 UTC
[Bug 3342] openssl s_client gives: Verification error: certificate signature failure (on 1 machine; works on other 3 machines)
https://bugzilla.mindrot.org/show_bug.cgi?id=3342

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9