Bug 472584 - dev-libs/openssl - s_client: Verify return code: 20 (unable to get local issuer certificate)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
Reported: 2013-06-07 14:20 UTC by Fabio Coatti
Modified: 2013-10-23 16:10 UTC (History)
Description Fabio Coatti 2013-06-07 14:20:38 UTC
Hi All, 
I'm testing an LDAPS connection with the s_client option and I'm facing a situation that I can't understand.
Basically, with the following command line

openssl s_client -connect my.ldap:636

I get this output:

[...]
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

This would not be so strange, but if I add -CApath /etc/ssl/certs/ all works just fine:
openssl s_client -CApath /etc/ssl/certs/ -connect my.ldap:636

    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


What puzzles me is that, according to the documentation, /etc/ssl/certs should be the default, at least on Gentoo:

cova@calvin ~ $ openssl version -d 
OPENSSLDIR: "/etc/ssl"

So it seems quite strange that it works specifying a supposedly default dir.

This has some side effects, I suspect, because the ldap should be contacted by akonadi to retrieve email address but the operation fails due to the reported ssl error and I can't find a way to fix it.

Any hint? I suppose this can be a bug but I'm not sure of this... and I'm not sure if it could be an openssl or gentoo issue or my issue :)

OpenSSL 1.0.1e 11 Feb 2013




Reproducible: Always




Comment 1 Fabio Coatti 2013-06-09 10:22:16 UTC
A couple more details:

In /etc/ssl/certs I added the required intermediate certificate, as the chain needs it.
The root CA certificate was already present in /etc/ssl/certs
Comment 2 MarisN 2013-06-17 07:31:07 UTC
I observed the same issue still with a bit more well known site:
openssl s_client -connect google.com:443
=> Verify return code: 20 (unable to get local issuer certificate)

It seems to be an upstream bug:
http://rt.openssl.org/Ticket/Display.html?id=1623

To verify it, try to run the following command:
openssl s_client -connect google.com:443 -CApath garbage
=> Verify return code: 0 (ok)

dev-libs/openssl-1.0.1e-r1
app-misc/ca-certificates-20130119
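
Added example (not part of the original bug report or of OpenSSL's code): a shell script that automates the comparison used in this thread, running s_client with and without an explicit -CApath and classifying the pair of verify codes. The function names are hypothetical, and it assumes the default CA directory is the certs subdirectory of the OPENSSLDIR printed by openssl version -d.

```bash
#!/usr/bin/env bash
# Added example: classify the symptom from this bug by comparing s_client's
# verify result with and without an explicit -CApath. Function names are
# illustrative; the default CApath is assumed to be "$OPENSSLDIR/certs".

# Extract the numeric code from s_client output read on stdin.
# Newer s_client versions may print the line more than once; keep the last.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Turn `openssl version -d` output (OPENSSLDIR: "/etc/ssl") into the certs dir.
default_capath() {
    sed -n 's|^OPENSSLDIR:[[:space:]]*"\(.*\)"[[:space:]]*$|\1/certs|p'
}

# diagnose <code without -CApath> <code with -CApath set to the default dir>
diagnose() {
    case "$1:$2" in
        0:0)   echo "ok: default trust store is used" ;;
        20:0)  echo "s_client ignores default paths: update openssl or pass -CApath" ;;
        20:20) echo "issuer not found in store: check CA/intermediate certs and hash links" ;;
        *)     echo "other verify result ($1 / $2): see the verify error codes" ;;
    esac
}

# Run both probes against host:port (needs network access).
check_target() {
    local target=$1 capath plain explicit
    capath=$(openssl version -d | default_capath)
    plain=$(openssl s_client -connect "$target" </dev/null 2>/dev/null | verify_code)
    explicit=$(openssl s_client -CApath "$capath" -connect "$target" </dev/null 2>/dev/null | verify_code)
    echo "default=$plain explicit($capath)=$explicit"
    diagnose "$plain" "$explicit"
}

# Only probe when a target such as my.ldap:636 is given on the command line.
if [ -n "${1:-}" ]; then check_target "$1"; fi
```

A result of 20 without -CApath and 0 with it is the behaviour reported here; 20 in both runs points at the contents of the certificate directory instead.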
Comment 3 Albert Holm 2013-09-04 20:11:22 UTC
Upstream has another bug and patch related to this.
http://rt.openssl.org/Ticket/Display.html?id=2387&user=guest&pass=guest
Comment 4 SpanKY gentoo-dev 2013-10-23 16:10:42 UTC
should be all set now in the tree; thanks for the report!

Commit message: Add fix for s_client verify
http://sources.gentoo.org/dev-libs/openssl/files/openssl-1.0.1e-s_client-verify.patch?rev=1.1
http://sources.gentoo.org/dev-libs/openssl/openssl-1.0.1e-r2.ebuild?rev=1.1