Bug 249437 - dev-libs/openssl-0.9.8h-r1 fails to verify Thawte Premium Server certificate
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
Importance: High major
Assignee: Gentoo's Team for Core System packages
Depends on: 252532
Reported: 2008-12-01 02:51 UTC by georg.lippold
Modified: 2009-01-02 04:05 UTC (History)
Description georg.lippold 2008-12-01 02:51:12 UTC
After emerging openssl-0.9.8h-r1 some certificates fail to verify correctly. For me it is at least Thawte Premium Server certificates (used by the German mail provider GMX).

Reproducible: Always

Steps to Reproduce:
1. emerge dev-libs/openssl-0.9.8h-r1

2. get GMX's pop3s certificate:
# openssl s_client -connect pop.gmx.net:995 | \
      sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
      > pop.gmx.net.pem

(Press CTRL+D after the line "verify return:1" appears on the screen)

3. Verify certificate:
# openssl verify pop.gmx.net.pem

returns

pop.gmx.net.pem: /C=DE/ST=Bayern/L=Munich/O=GMX GmbH/CN=pop.gmx.net
error 20 at 0 depth lookup:unable to get local issuer certificate

but should return

pop.gmx.net.pem: OK

The correct behaviour can be reproduced by using

# openssl verify -CApath /etc/ssl/certs -CAfile \
    /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt \
    pop.gmx.net.pem

but /etc/ssl/certs already contains a link to that CAfile, so it shouldn't be necessary to add it.

# emerge --info
Portage 2.1.4.5 (default/linux/x86/2008.0/desktop, gcc-4.3.1, glibc-2.6.1-r0, 2.6.25-gentoo-r7 i686)
=================================================================
System uname: 2.6.25-gentoo-r7 i686 Genuine Intel(R) CPU 2160 @ 1.80GHz
Timestamp of tree: Mon, 01 Dec 2008 01:45:03 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
dev-util/cmake:      2.4.6-r1
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium-m -mtune=native -O3 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/ppp /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/www/localhost"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=pentium-m -mtune=native -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distlocks metadata-transfer sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.mirror.aarnet.edu.au/pub/gentoo http://ftp.mirror.aarnet.edu.au/pub/gentoo"
LANG="en_DK.UTF-8"
LC_ALL="en_DK.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_US en_DK en_GB en_AU de de_DE"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/java-overlay"
SYNC="rsync://rsync.au.gentoo.org/gentoo-portage"
USE="X X509 a52 aac ace acl acpi admin aim alsa amr ao apache2 async audacious audiofile autocreate automount autosieve bash-completion bdf berkdb binary-drivers bl bluetooth bonjour branding bzip2 cairo cddb cdparanoia cdr cli colordiff cpudetection cpufreq cracklib crypt css cups dbus dga dri dts dvb dvd dvdnav dvdr dvdread dvi dxr2 dxr3 ecc eds emboss encode esd evo fam fastcgi fat ffmpeg firefox flac flatfile fortran ftp gcj gdbm gif gnome gpm gs gstreamer gtk hal hddtemp icecast iconv icq id3 idea idled idn imagemagick imap ipv6 irc isdnlog jabber java5 java6 javascript jce jpeg jpeg2k junit kde ladspa lame latex ldap libnotify mad matroska md5sum midi mikmod mime mmap mmx mng modplug mp3 mp3rtp mp4 mp4live mpd mpeg mpeg2 mpi mplayer mpu401 msn mudflap musepack musicbrainz nas ncurses nfs nis nls nptl nptlonly nsplugin ntfs offensive ogg opengl openmp osc oscar pam pcre pdf perl php pmu png pnm portaudio posix ppds pppd pulseaudio python qt3 qt3support qt4 quicktime rar readline realmedia reflection replytolist rt61pci rtc sasl screen sdl sensord server session shorten silc smime smp sox speex spell spl srt ssl startup-notification svg swat sysfs syslog sysvipc szip tcpd tetex tga theora threads tiff tivo tools transcode transparency truetype tta type1 unicode unsupported_8bit upnp urandom usb uuencode v4l v4l2 vcd vidix vim-syntax vorbis vorbis-psy wav wavpack wifi win32codecs wma wmf wmp x264 x86 xcomposite xext xfce xml xorg xpm xprint xscreensaver xv xvid yahoo zip zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US en_DK en_GB en_AU de de_DE" USERLAND="GNU" VIDEO_CARDS="nvidia nv"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
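The lookup behind the "error 20" in step 3 of the report, as an added example (not code from the bug report or from Gentoo's packaging): openssl verify finds an issuer in -CApath only through a link named after the issuer's subject hash, so this script builds a throw-away CA and leaf (constructed here; the names Example Test CA and pop.example.test are assumptions), reproduces the failure while the link is absent, then creates the link the way c_rehash would and shows the same command succeed. It needs the openssl command-line tool and works entirely inside a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the bug report: rebuilds the hashed-directory
# lookup that "openssl verify -CApath" performs, using a throw-away CA and
# leaf certificate generated here so everything runs offline.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/certs"            # stands in for /etc/ssl/certs
mkdir -p "$CAPATH"

# Minimal req config so the CA is CA:TRUE regardless of the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Constructed PKI: self-signed "Example Test CA" and one leaf it signed.
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=pop.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# Link a CA file into the directory the way c_rehash does: <subject_hash>.0
install_ca() {  # $1 = CA cert, $2 = CApath
    ln -sf "$1" "$2/$(openssl x509 -noout -subject_hash -in "$1").0"
}
# Is there an entry under the hash of the leaf's *issuer*? This is the lookup
# that fails with "error 20 ... unable to get local issuer certificate".
issuer_present() {  # $1 = leaf cert, $2 = CApath
    [ -e "$2/$(openssl x509 -noout -issuer_hash -in "$1").0" ]
}
# The command from the report; status 0 only on "<file>: OK" (old openssl
# versions exit 0 even on failure, so the output is inspected instead).
verify_leaf() {  # $1 = leaf cert, $2 = CApath
    out=$(openssl verify -CApath "$2" "$1" 2>&1); echo "$out"
    case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

issuer_present "$WORK/leaf.pem" "$CAPATH" || echo "issuer hash missing from $CAPATH"
if verify_leaf "$WORK/leaf.pem" "$CAPATH"; then BEFORE=ok; else BEFORE=fail; fi  # error 20
install_ca "$WORK/ca.pem" "$CAPATH"
if verify_leaf "$WORK/leaf.pem" "$CAPATH"; then AFTER=ok; else AFTER=fail; fi    # OK
```

The link name must be the hash the installed openssl computes, so a directory populated for a different openssl version can hold the right CA file and still fail this lookup; issuer_present is the quick check for that before touching the rest of the store.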
Comment 1 SpanKY gentoo-dev 2008-12-23 06:41:01 UTC
and if you install ca-certificates-20080809, does it work? seems to work fine for me with openssl 0.9.8i ...
Comment 2 georg.lippold 2008-12-24 22:48:39 UTC
Yes, works for me too. Thanks!
Comment 3 SpanKY gentoo-dev 2008-12-25 21:50:57 UTC
thanks for testing ... let's get that version into stable then