
Bug 333069

Summary: dev-libs/openssl-1.0.0a: upgrade sometimes needs to `c_rehash /etc/ssl/certs/`
Product: Gentoo Linux
Reporter: SpanKY <vapier>
Component: [OLD] Core system
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED
Severity: normal
CC: eras, hasufell
Priority: High
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=475352
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 333117

Description SpanKY gentoo-dev 2010-08-16 20:51:54 UTC
with current unstable packages:
dev-libs/openssl-1.0.0a-r1
app-misc/ca-certificates-20090709
net-misc/wget-1.12-r1

the ssl cert on https://blackfin.uclinux.org/ is not recognized.  this is odd because it's in every major browser (firefox/IE/safari/opera) and has been for a very long time.

it also works with current stable packages:
dev-libs/openssl-0.9.8o
app-misc/ca-certificates-20090709
net-misc/wget-1.12

$ wget https://blackfin.uclinux.org/
--2010-08-16 16:52:31--  https://blackfin.uclinux.org/
Resolving blackfin.uclinux.org... 204.50.165.247
Connecting to blackfin.uclinux.org|204.50.165.247|:443... connected.
ERROR: cannot verify blackfin.uclinux.org’s certificate, issued by “/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1”:
  Unable to locally verify the issuer’s authority.
To connect to blackfin.uclinux.org insecurely, use ‘--no-check-certificate’.

Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2010-08-16 21:12:54 UTC
Try running "c_rehash /etc/ssl/certs/"
Comment 2 SpanKY gentoo-dev 2010-08-17 01:02:58 UTC
yes, that fixes things

I've never heard of that util, it doesn't have a manpage, and it doesn't respond to normal --help options ...

this doesn't modify any files installed by packages into that dir, so I guess we should run that in postinst on $ROOT/etc/ssl/certs/
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2010-08-17 01:14:07 UTC
postinst sounds like a plan
this would be the fifth time I've seen this problem and every time running it helped
btw, it's a perl script and perl is in DEPEND of openssl, but not RDEPEND, how does that impact binpkgs?
Comment 4 SpanKY gentoo-dev 2010-08-17 02:00:09 UTC
perl is in DEPEND because of the build system needing perl.  the idea was to avoid runtime deps.

c_rehash looks pretty simple ... should be easy to re-implement in posix shell
Comment 5 SpanKY gentoo-dev 2010-08-17 04:10:09 UTC
I've added an automatic c_rehash to pkg_postinst.  the perl issue we'll clone.

http://sources.gentoo.org/dev-libs/openssl/openssl-1.0.0a-r1.ebuild?r1=1.1&r2=1.2
Comment 6 Eray Aslan gentoo-dev 2010-08-17 14:09:40 UTC
(In reply to comment #5)
> ive added an automatic c_rehash to pkg_postinst.

Hmm, hash functions changed between openssl-0.9.8 and openssl-1.0.0:

From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:
 
   "Enhance the hash format used for certificate directory links. The new
   form uses the canonical encoding (meaning equivalent names will work
   even if they aren't identical) and uses SHA1 instead of MD5. This form
   is incompatible with the older format and as a result c_rehash should
   be used to rebuild symbolic links.
   [Steve Henson]"

So, c_rehash should only be needed once on the upgrade from 0.9.8 to 1.0.0.  Putting it in pkg_postinst seems like overkill.  Perhaps has_version && c_rehash in pkg_preinst?

Also, for completeness' sake: If we want to be really clever, we should be able to hash two copies of the same set of certificates each with a different version of c_rehash (and corresponding utilities from the appropriate OpenSSL version) and then combine the set of symbolic links into a final directory that should work with either library.

I wouldn't, but just as an FYI.
Comment 7 Eray Aslan gentoo-dev 2010-08-17 14:15:03 UTC
(In reply to comment #6)
> Hmm, hash functions changed between openssl-0.9.8 and openssl-1.0.0:

should have read
Hmm, hash functions in c_rehash changed between openssl-0.9.8 and openssl-1.0.0:

Sorry.
Comment 8 SpanKY gentoo-dev 2010-08-19 21:23:30 UTC
i think i'll hold off adding the clever code which doesn't run the c_rehash when necessary to help out all the people who have already installed openssl-1

unless you have a way of checking the files in $ROOT/etc/ssl/certs/ and so we can avoid doing a check of what version of openssl was previously installed ...
Comment 9 Eray Aslan gentoo-dev 2010-08-19 21:51:42 UTC
(In reply to comment #8)
> i think i'll hold off adding the clever code which doesnt run the c_rehash when
> necessary to help out all the people who have already installed openssl-1

Noted.
 
> unless you have a way of checking the files in $ROOT/etc/ssl/certs/ and so we
> can avoid doing a check of what version of openssl was previously installed ...

Nope.  Current practice of c_rehash in pkg_postinst is the simple and foolproof solution after all.  Thanks for looking into it.
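A POSIX-shell stand-in for what c_rehash does (comment 4) together with the kind of "does this directory need it?" check comment 8 asks about, as an added example that is not the ebuild's, OpenSSL's or any commenter's code. It assumes the `openssl` binary is on PATH; `openssl x509 -hash` prints the subject hash in the format of the installed libcrypto (MD5 for 0.9.8, SHA1 over the canonical name for 1.0.0+), so links made under the old scheme simply fail to match and the directory reports as needing a rehash.

```shell
#!/bin/sh
# cert_hash FILE: subject hash as computed by the currently installed libcrypto.
cert_hash() { openssl x509 -hash -noout -in "$1" 2>/dev/null; }

# has_link DIR HASH BASE: succeed if some DIR/HASH.N already points at BASE.
has_link() {
    n=0
    while [ -L "$1/$2.$n" ] || [ -e "$1/$2.$n" ]; do
        [ "$(readlink "$1/$2.$n")" = "$3" ] && return 0
        n=$((n + 1))
    done
    return 1
}

# needs_rehash DIR: succeed (exit 0) if any certificate in DIR has no link
# under the hash scheme of the installed library, e.g. after a 0.9.8 -> 1.0.0
# upgrade when only MD5-named links exist.
needs_rehash() {
    for cert in "$1"/*.pem "$1"/*.crt; do
        [ -f "$cert" ] || continue
        h=$(cert_hash "$cert") || continue   # not a certificate: skip
        has_link "$1" "$h" "${cert##*/}" || return 0
    done
    return 1
}

# rehash_dir DIR: like c_rehash, drop existing <8 hex digits>.N links, then
# create <hash>.N for every certificate, bumping N on hash collisions.
rehash_dir() {
    for l in "$1"/*; do
        [ -L "$l" ] || continue
        case ${l##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                rm -f "$l" ;;
        esac
    done
    for cert in "$1"/*.pem "$1"/*.crt; do
        [ -f "$cert" ] || continue
        h=$(cert_hash "$cert") || continue
        base=${cert##*/}
        has_link "$1" "$h" "$base" && continue  # already linked: idempotent
        n=0
        while [ -L "$1/$h.$n" ] || [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$base" "$1/$h.$n"
    done
}
```

Run as `needs_rehash /etc/ssl/certs && rehash_dir /etc/ssl/certs` to rebuild only when the links do not match the installed library's hash format.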
Comment 10 Julian Ospald 2015-02-01 19:26:10 UTC
Apart from the ebuild being very low quality, the handling of certs in app-misc/ca-certificates is not properly done either. All that postinst hackery is bad.

For people who want to understand how openssl figures out about certs, read
https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/

What the ebuild/devs should do is:
* don't use debian hacks
* only install the trusted db bundle (which is currently in a wrong location and as such openssl cannot find it and wants the hash-style directory which we generate with c_rehash), but don't build the hash-style directory at all... if users want to handle certs manually, they should use app-crypt/p11-kit which allows building both the bundle and the hash-style ca-directory. And then all the stuff update-ca-certificates does becomes a sed-one-liner in src_install without any symlinks needed.
* put the building of the trusted db bundle behind a USE flag instead of assuming that people trust all that stuff
* use proper install methods and not cp/mv in src_compile and src_install