Comment 12 for bug 1014640

Marc Deslauriers (mdeslaur) wrote :

There seems to be a mismatch between the "VeriSign Class 3 Public Primary Certification Authority - G5" cert that is in Ubuntu, and the one that is at the end of the cert chain returned by www.postfinance.ch:

In Ubuntu:

VeriSign Class 3 Public Primary Certification Authority - G5
Serial Number: 18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a
Validity Not Before: Nov 8 00:00:00 2006 GMT
         Not After : Jul 16 23:59:59 2036 GMT

www.postfinance.ch returns:

VeriSign Class 3 Public Primary Certification Authority - G5
Serial Number: 57:bf:fb:03:fb:2c:46:d4:e1:9e:ce:e0:d7:43:7f:13
Validity Not Before: Wed Nov 08 00:00:00 UTC 2006
         Not After: Sun Nov 07 23:59:59 UTC 2021

This results in openssl not being able to validate the chain.
In theory, openssl should discover that the second to last cert in the postfinance.ch chain can be validated with the CA in Ubuntu, like NSS and gnutls do, but it doesn't. See upstream openssl bug.
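The two path-building behaviours contrasted in the comment above, as an added example that is not part of the original comment and is not OpenSSL, NSS or GnuTLS code. It is a simplified model in which signatures are reduced to matching key ids; the leaf and intermediate names, the key ids, the short serials and the placeholder issuer of the server-sent G5 cert are constructed, and it assumes both G5 certs carry the same key, as the comment's "can be validated with the CA in Ubuntu" implies.

```python
from collections import namedtuple

# Simplified certificate: "signed_by" is the key id of the signer (constructed model).
Cert = namedtuple("Cert", "subject issuer serial key signed_by")

G5 = "VeriSign Class 3 Public Primary Certification Authority - G5"
OLDER = "OLDER-ROOT (placeholder: issuer is not named in the comment)"

# Trust store: the self-signed G5 cert shipped in Ubuntu (serial from the comment).
STORE = [Cert(G5, G5, "18:da:d1:9e:26:7d:e8:bb:4a:21:58:cd:cc:6b:3b:4a", "k-g5", "k-g5")]

# Chain as sent by the server, leaf first. Only the G5 serial comes from the comment.
SENT = [
    Cert("www.postfinance.ch", "INTERMEDIATE (constructed)", "01", "k-leaf", "k-int"),
    Cert("INTERMEDIATE (constructed)", G5, "02", "k-int", "k-g5"),
    Cert(G5, OLDER, "57:bf:fb:03:fb:2c:46:d4:e1:9e:ce:e0:d7:43:7f:13", "k-g5", "k-old"),
]

def issuers(cert, pool):
    """Certs in pool whose subject and key match cert's issuer name and signer."""
    return [c for c in pool if c.subject == cert.issuer and c.key == cert.signed_by]

def build(leaf, untrusted, trusted, trusted_first):
    """Return a path ending in a trust-store cert, or None if none is found.

    trusted_first=False: keep following server-supplied certs while any match,
    and consult the trust store only when they run out.
    trusted_first=True: stop as soon as the trust store holds a matching issuer.
    """
    path, cur = [leaf], leaf
    while len(path) <= 10:  # depth limit
        anchors = issuers(cur, trusted)
        extra = [c for c in issuers(cur, untrusted) if c not in path]
        if anchors and (trusted_first or not extra):
            return path + [anchors[0]]
        if not extra:
            return None  # ran off the end of the sent chain with no anchor
        cur = extra[0]
        path.append(cur)
    return None

if __name__ == "__main__":
    for mode in (False, True):
        path = build(SENT[0], SENT, STORE, trusted_first=mode)
        print("trusted_first=%s ->" % mode, [c.serial for c in path] if path else "no path")
```

With `trusted_first=False` the builder walks to the server-sent G5 cert, whose issuer is not in the store, and fails; with `trusted_first=True` it anchors the intermediate directly on the store's G5 cert.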