[Bug 396818] Re: openssl s_client behaves strangely without CAPath
Robert Clark
396818 at bugs.launchpad.net
Thu Mar 22 16:12:37 UTC 2012
openssl s_client is typically used for testing / verifying certificates -
as it states in the man pages, this should only be used for testing.
There's no use case that I can see for using s_client without at least
one CA certificate. The default behaviour of openssl in fedora is to use
the system installed CA bundle, which is what any user would expect. At
the very least openssl should warn you that you're attempting to connect
without using any CA files.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/396818
Title:
openssl s_client behaves strangely without CAPath
Status in “openssl” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: openssl
1) lsb_release -rd
Description: Ubuntu 8.04.2
Release: 8.04
2) apt-cache policy openssl
openssl:
Installed: 0.9.8g-4ubuntu3.7
Candidate: 0.9.8g-4ubuntu3.7
Version table:
*** 0.9.8g-4ubuntu3.7 0
500 http://us.archive.ubuntu.com hardy-updates/main Packages
500 http://security.ubuntu.com hardy-security/main Packages
100 /var/lib/dpkg/status
0.9.8g-4ubuntu3 0
500 http://us.archive.ubuntu.com hardy/main Packages
3) openssl s_client -connect gmail.com:443 command should look into the CA directory to verify the cert of the site.
4) example output:
Bad behaviour:
openssl s_client -quiet -connect gmail.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Bad behaviour:
openssl s_client -quiet -connect gmail.com:443 -CApath /dev/null
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
verify return:1
It looks like openssl does not honor the -CApath parameter and takes the default, but if you don't specify -CApath it doesn't look in the CA directory at all.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818/+subscriptions