[Bug 396818] Re: openssl s_client behaves strangely without CAPath

Robert Clark 396818 at bugs.launchpad.net
Thu Mar 22 16:12:37 UTC 2012 

openssl s_client is typically used for testing / verify certificates -
as it states in the man pages, this should only be used for testing.

There's no use case that I can see for using s_client without at least
one CA certificate. The default behaviour of openssl in fedora is to use
the system installed CA bundle, which is what any user would expect. At
the very least openssl should warn you that you're attempting to connect
without using any CA files.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/396818

Title:
  openssl s_client behaves strangely without CAPath

Status in “openssl” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: openssl

  1) lsb_release -rd
  Description:    Ubuntu 8.04.2
  Release:        8.04

  2) apt-cache policy openssl
  openssl:
    Installed: 0.9.8g-4ubuntu3.7
    Candidate: 0.9.8g-4ubuntu3.7
    Version table:
   *** 0.9.8g-4ubuntu3.7 0
          500 http://us.archive.ubuntu.com hardy-updates/main Packages
          500 http://security.ubuntu.com hardy-security/main Packages
          100 /var/lib/dpkg/status
       0.9.8g-4ubuntu3 0
          500 http://us.archive.ubuntu.com hardy/main Packages

  3) openssl s_client -connect gmail.com:443 command should look into the CA directory to verify the cert of the site.
  4) example output:
  Bad behaviour:
  openssl s_client -quiet -connect gmail.com:443
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  Bad behaviour:
  openssl s_client -quiet -connect gmail.com:443 -CApath /dev/null
  depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  verify return:1
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify return:1
  depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
  verify return:1

  
  It looks the openssl does not honor the -CApath parameter and takes the default, but if you dont specify the -CApath it doesnt look the CA directory at all

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818/+subscriptions

More information about the foundations-bugs mailing list