210693 – dev-libs/openssl-0.9.8g fails to verify certificate - /etc/ssl/certs not searched for CA certs

Bug 210693 - dev-libs/openssl-0.9.8g fails to verify certificate - /etc/ssl/certs not searched for CA certs

Summary: dev-libs/openssl-0.9.8g fails to verify certificate - /etc/ssl/certs not sear...

Status:	RESOLVED INVALID

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	[OLD] Library (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Gentoo's Team for Core System packages

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2008-02-19 12:46 UTC by Andreas K. Hüttel
Modified:	2008-02-19 19:16 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Logs of the SSL handshake with and without -CAfile parameter (bugmail,7.21 KB, text/plain) 2008-02-19 12:48 UTC, Andreas K. Hüttel	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas K. Hüttel archtester

2008-02-19 12:46:18 UTC

When I connect to our https printer server (e.g. with openssl s_client),
the certificate is never verified correctly. When I specify the CA certificate
file manually on the command line OR even just "-CApath /etc/ssl/certs", it works though.

The root certificate in question is installed, and everything looks correct to
me. -> ???

It seems that /etc/ssl/certs is not automatically searched for CA certificates.

Connecting to the same server with e.g. firefox works fine.

Logs of connecting with and without -CAfile will be attached.

================= openssl installation =============================

huettel@bellini /etc/ssl/certs $ openssl version -a
OpenSSL 0.9.8g 19 Oct 2007
built on: Sun Feb 17 01:46:36 CET 2008
platform: linux-elf
options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int)
blowfish(idx)
compiler: i686-pc-linux-gnu-gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN
-DTERMIO -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DSHA1_ASM
-DMD5_ASM -DRMD160_ASM -DAES_ASM -O2 -march=pentium-m -pipe
-Wa,--noexecstack
OPENSSLDIR: "/etc/ssl"

================= CA certificate installation ======================

huettel@bellini /etc/ssl/certs $ openssl x509 -hash -noout -in AddTrust_External_Root.pem
3c58f906
huettel@bellini /etc/ssl/certs $ ls -l 3c58f906.0
lrwxrwxrwx 1 root root 26  3. Feb 20:18 3c58f906.0 -> AddTrust_External_Root.pem
huettel@bellini /etc/ssl/certs $ ls -l AddTrust_External_Root.pem
lrwxrwxrwx 1 root root 61  3. Feb 20:18 AddTrust_External_Root.pem -> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
huettel@bellini /etc/ssl/certs $ ls -l /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
-rw-r--r-- 1 root root 1523  4. Mär 2007  /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
huettel@bellini /etc/ssl/certs $

Comment 1 Andreas K. Hüttel archtester

2008-02-19 12:48:04 UTC

Created attachment 143959 [details]
Logs of the SSL handshake with and without -CAfile parameter

Comment 2 Andreas K. Hüttel archtester

2008-02-19 13:33:55 UTC

Since there are two open bugs with dev-libs/openssl-0.9.8g and the USE flag sse2 (198914, 150611), I re-emerged without this flag. No changes though.

-> Problem is NOT related to USE-flag sse2.

Comment 3 Doug Goldstein (RETIRED) gentoo-dev

2008-02-19 14:59:08 UTC

You always need to specify the CA path. I'm not seeing a bug. I'm seeing it behave how it's designed...

Comment 4 Andreas K. Hüttel archtester

2008-02-19 19:16:53 UTC

OK... then it's maybe just my limited understanding. (Or missing documentation.)

I'm actually trying to solve a more complex problem involving cups, but thought I had it nailed down to this... Closing the bug then. Thanks a lot.