[Bug 396818] Re: openssl s_client behaves strangely without CAPath
pdf
396818 at bugs.launchpad.net
Tue Nov 12 11:35:40 UTC 2013
Just blew two hours trying to work out why my certs were broken. They
weren't, but OpenSSL on Debian/Ubuntu is extremely stupid.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/396818
Title:
openssl s_client behaves strangely without CAPath
Status in “openssl” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: openssl
1) lsb_release -rd
Description: Ubuntu 8.04.2
Release: 8.04
2) apt-cache policy openssl
openssl:
Installed: 0.9.8g-4ubuntu3.7
Candidate: 0.9.8g-4ubuntu3.7
Version table:
*** 0.9.8g-4ubuntu3.7 0
500 http://us.archive.ubuntu.com hardy-updates/main Packages
500 http://security.ubuntu.com hardy-security/main Packages
100 /var/lib/dpkg/status
0.9.8g-4ubuntu3 0
500 http://us.archive.ubuntu.com hardy/main Packages
3) openssl s_client -connect gmail.com:443 command should look into the CA directory to verify the cert of the site.
4) example output:
Bad behaviour:
openssl s_client -quiet -connect gmail.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Bad behaviour:
openssl s_client -quiet -connect gmail.com:443 -CApath /dev/null
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
verify return:1
It looks the openssl does not honor the -CApath parameter and takes the default, but if you dont specify the -CApath it doesnt look the CA directory at all
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818/+subscriptions
More information about the foundations-bugs
mailing list