[Bug 396818] Re: openssl s_client behaves strangely without CAPath

pdf 396818 at bugs.launchpad.net
Tue Nov 12 11:35:40 UTC 2013


Just blew two hours trying to work out why my certs were broken.  They
weren't, but OpenSSL on Debian/Ubuntu is extremely stupid.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/396818

Title:
  openssl s_client behaves strangely without CAPath

Status in “openssl” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: openssl

  1) lsb_release -rd
  Description:    Ubuntu 8.04.2
  Release:        8.04

  2) apt-cache policy openssl
  openssl:
    Installed: 0.9.8g-4ubuntu3.7
    Candidate: 0.9.8g-4ubuntu3.7
    Version table:
   *** 0.9.8g-4ubuntu3.7 0
          500 http://us.archive.ubuntu.com hardy-updates/main Packages
          500 http://security.ubuntu.com hardy-security/main Packages
          100 /var/lib/dpkg/status
       0.9.8g-4ubuntu3 0
          500 http://us.archive.ubuntu.com hardy/main Packages

  3) openssl s_client -connect gmail.com:443 command should look into the CA directory to verify the cert of the site.
  4) example output:
  Bad behaviour:
  openssl s_client -quiet -connect gmail.com:443
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  Bad behaviour:
  openssl s_client -quiet -connect gmail.com:443 -CApath /dev/null
  depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  verify return:1
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify return:1
  depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
  verify return:1

  
  It looks the openssl does not honor the -CApath parameter and takes the default, but if you dont specify the -CApath it doesnt look the CA directory at all

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818/+subscriptions



More information about the foundations-bugs mailing list