[Bug 854927] Re: c_rehash creating bogus links to ca-certificates.crt
Loïc Minier
lool at dooz.org
Wed Sep 28 13:23:25 UTC 2011
While this won't happen with current ca-certificates, I think we should revert the changes which caused this bug:
In Debian's 20110421 QA upload, a c_rehash call was added to postinst for upgrades from versions <= 20090814+nmu3; this was an attempt to rebuild the symlinks in /etc/ssl/certs, but because update-ca-certificates wasn't removing /etc/ssl/cert/ca-certificates.crt, it did generate one symlink to this file for the first certificate. With the Debian change from openssl 1.0.0e-1 to support multiple certificates in one file, this probably took even worse proportions. However, this probably depended on the order in which c_rehash processed files; it just does readdir() and generates links for the first certificate of each .pem and .crt file it finds.
Now in 20110502+nmu1ubuntu1/20110502+nmu1ubuntu2, a call was added to properly regenerate the links, but kept the plain c_rehash call *after* it in the postinst, so that it might trigger when upgrading from <= 20090814+nmu3 (so upgrades from natty or lucid will cause this).
Because of the new call I've added in 20110502+nmu1ubuntu4 to regenerate certs when upgrading from <= 20110502+nmu1ubuntu4, this should be fixed for oneiric users.
Now, what needs to be fixed:
* plain c_rehash is wrong in any case; also an issue in Debian (and the rm needs to be copied there too)
* postinst has tons of update-ca-certificates calls, mine is the strongest one as it affects all updates (from natty); all of these should be dropped after oneiric
Now this could be fixed in oneiric + 1, but it would be clearer to remove these now to prevent any regression when removing the postinst snippets (e.g. leaving the plain c_rehash call alone after oneiric would be wrong).
** Changed in: ca-certificates (Ubuntu Oneiric)
Status: Fix Released => Triaged
** Changed in: ca-certificates (Ubuntu Oneiric)
Milestone: ubuntu-11.10-beta-2 => None
** Changed in: ca-certificates (Ubuntu Oneiric)
Assignee: Steve Langasek (vorlon) => Loïc Minier (lool)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/854927
Title:
c_rehash creating bogus links to ca-certificates.crt
Status in “ca-certificates” package in Ubuntu:
Triaged
Status in “openssl” package in Ubuntu:
Fix Released
Status in “ca-certificates” source package in Oneiric:
Triaged
Status in “openssl” source package in Oneiric:
Fix Released
Status in “ca-certificates” package in Debian:
New
Bug description:
$ wget https://www.google.com
--2011-09-20 18:12:46-- https://www.google.com/
Resolving www.google.com... 209.85.169.105, 209.85.169.106, 209.85.169.147, ...
Connecting to www.google.com|209.85.169.105|:443... connected.
ERROR: cannot verify www.google.com's certificate, issued by `/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA':
Unable to locally verify the issuer's authority.
To connect to www.google.com insecurely, use `--no-check-certificate'.
$ curl -sS https://launchpad.net
curl: (35) error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: openssl 1.0.0e-2ubuntu1
ProcVersionSignature: User Name 3.0.0-11.18-virtual 3.0.4
Uname: Linux 3.0.0-11-virtual i686
ApportVersion: 1.23-0ubuntu1
Architecture: i386
Date: Tue Sep 20 18:11:11 2011
Ec2AMI: ami-00000090
Ec2AMIManifest: FIXME
Ec2AvailabilityZone: nova
Ec2InstanceType: m1.small
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: openssl
UpgradeStatus: No upgrade log present (probably fresh install)
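The check Loïc asks for above (remove any link that points at the bundle before rehashing, because c_rehash links a multi-certificate file under the hash of its first certificate only) as an added shell example. This is not code from the ca-certificates package or from this thread; the function names, the placeholder hash names and the PEM bodies in the fixture are constructed for the example, while the bundle name and the NNNNNNNN.N link layout follow /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not code from the ca-certificates package or the bug thread.
# Finds and removes c_rehash-style hash links (NNNNNNNN.N) that point at the
# CA bundle instead of at a single-certificate file.  The bundle name and
# link layout follow /etc/ssl/certs; the fixture is constructed with
# placeholder PEM bodies, so no OpenSSL binary is needed to run it.

BUNDLE_NAME=ca-certificates.crt

# Number of PEM certificates in a file.  More than one means a bundle, which
# c_rehash would still link only under the hash of its first certificate.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Print every hash-style symlink in directory $1 whose target is the bundle,
# whether the link is relative (ca-certificates.crt) or absolute.
find_bogus_links() {
    dir=$1
    for link in "$dir"/*.[0-9]*; do
        [ -L "$link" ] || continue
        case $(readlink "$link") in
            "$BUNDLE_NAME" | */"$BUNDLE_NAME") printf '%s\n' "$link" ;;
        esac
    done
}

# Remove those links and print how many were removed.  Run this (or move the
# bundle out of the directory) before calling c_rehash, so the hash namespace
# only ever points at single-certificate files.
remove_bogus_links() {
    n=0
    for link in $(find_bogus_links "$1"); do
        rm -f "$link"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed fixture: a two-certificate bundle, one single-certificate file,
# a correct hash link to that file and a bogus hash link to the bundle.
# Hash names here are arbitrary placeholders, not real subject hashes.
pem_block() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

make_fixture() {
    dir=$(mktemp -d)
    { pem_block 'placeholder-body-1'; pem_block 'placeholder-body-2'; } > "$dir/$BUNDLE_NAME"
    pem_block 'placeholder-body-3' > "$dir/Example_Root.pem"
    ln -s Example_Root.pem "$dir/0123abcd.0"
    ln -s "$BUNDLE_NAME" "$dir/4e5f6789.0"
    printf '%s\n' "$dir"
}

# Stand-alone run: show the bogus link, remove it, and verify it is gone.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "bundle holds $(count_certs "$d/$BUNDLE_NAME") certificates"
    echo "bogus links: $(find_bogus_links "$d")"
    echo "removed $(remove_bogus_links "$d")"
    echo "remaining bogus links: '$(find_bogus_links "$d")'"
    rm -rf "$d"
fi
```

Run it with `--demo` to see it against the constructed fixture. A link such as 4e5f6789.0 pointing at the bundle is exactly what the bug description's symptom comes from: with OpenSSL loading every certificate in a file reached through a hash link, the bundle's certificates get loaded beside their own per-file links, the kind of duplicate that X509_STORE_add_cert rejects with "cert already in hash table".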