Bug 340821 - openssl-1.0.0a-r3 does not verify root CAs
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High major
Assignee: Gentoo Linux bug wranglers
Reported: 2010-10-13 08:45 UTC by Robert Wolf
Modified: 2010-10-13 08:53 UTC
Description Robert Wolf 2010-10-13 08:45:13 UTC
Hello,

I have root CAs in /etc/ssl/certs. This path is set in /etc/ssl/openssl.cnf, used by the openssl command line tool. After upgrading openssl to version 1.0.0a-r3, openssl s_client and other programs using the openssl lib (e.g. wget, alpine) ignore the settings from openssl.cnf and do not verify root CAs. My openssl.cnf is the same as for version 0.9.8.

========================================
[ ca ]
default_ca  = CA_default    # The default ca section
[ CA_default ]
dir   = /etc/ssl    # Where everything is kept
certs   = $dir/certs    # Where the issued certs are kept
========================================

Openssl reads the correct config file (if it is deleted, then openssl writes a file-not-found error; if I write some mess there, then openssl writes a decoding error).

Could you help me with how to set CApath for the command line s_client and for the lib (for other programs)? Or is it a bug?

Thank you very much for your help.

Regards,

Robert Wolf.
Comment 1 Robert Wolf 2010-10-13 08:53:03 UTC
Sorry, my problem.
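
How OpenSSL resolves issuers from a CA directory, as an added example that is not part of the original report: `-CApath` lookups go by subject-hash file names (`<hash>.0`), not by the `certs` entry under `[ CA_default ]`, which configures the `openssl ca` command. The CA, leaf, file names and helper functions below are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and leaf certificate in a temp directory.

make_pki() {   # $1 = work dir; writes ca.pem, leaf.pem and an unhashed certs/ dir
    mkdir -p "$1/certs"
    # Private config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/demo.cnf"
    openssl req -x509 -config "$1/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example" -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
    # The root is present in the directory, but only under a descriptive name.
    cp "$1/ca.pem" "$1/certs/demo-root.pem"
}

verify_leaf() {   # exit status 0 only if the leaf chains to a root found via CApath
    openssl verify -CApath "$1/certs" "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

hash_capath() {   # what c_rehash does for one certificate; prints the hash
    h=$(openssl x509 -hash -noout -in "$1/certs/demo-root.pem")
    ln -s demo-root.pem "$1/certs/$h.0"
    echo "$h"
}

demo() {
    d=$(mktemp -d) && make_pki "$d" || return 2
    verify_leaf "$d" && before=ok || before=fail   # root not reachable by hash name
    hash_capath "$d" >/dev/null
    verify_leaf "$d" && after=ok || after=fail     # same files plus the hash symlink
    rm -rf "$d"
    echo "before-hash=$before after-hash=$after"
}

demo
```

`openssl version -d` prints the OPENSSLDIR whose `certs` subdirectory is the library's default CA directory.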