[Bug 396818] Re: openssl s_client behaves strangely without CAPath

pdf 396818 at bugs.launchpad.net
Tue Nov 12 11:54:42 UTC 2013


What appears to be happening is that when CApath is set to anything, it
will actually fall back to '${OPENSSLDIR}/certs' and succeed, if the
required cert hashes are not found at the CApath specified on the CLI.
But by default, only the CAfile codepath is activated, and the default
CAfile is set to '${OPENSSLDIR}/cert.pem', which is completely useless.

If the default CAfile was set to '${OPENSSLDIR}/certs/ca-certificates.crt'
at build time, things would work as expected for pretty much everyone.

https://bugs.launchpad.net/bugs/396818

Title:
  openssl s_client behaves strangely without CAPath

Status in “openssl” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: openssl

  1) lsb_release -rd
  Description:    Ubuntu 8.04.2
  Release:        8.04

  2) apt-cache policy openssl
  openssl:
    Installed: 0.9.8g-4ubuntu3.7
    Candidate: 0.9.8g-4ubuntu3.7
    Version table:
   *** 0.9.8g-4ubuntu3.7 0
          500 http://us.archive.ubuntu.com hardy-updates/main Packages
          500 http://security.ubuntu.com hardy-security/main Packages
          100 /var/lib/dpkg/status
       0.9.8g-4ubuntu3 0
          500 http://us.archive.ubuntu.com hardy/main Packages

  3) openssl s_client -connect gmail.com:443 command should look into the CA directory to verify the cert of the site.
  4) example output:
  Bad behaviour:
  openssl s_client -quiet -connect gmail.com:443
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  Bad behaviour:
  openssl s_client -quiet -connect gmail.com:443 -CApath /dev/null
  depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  verify return:1
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify return:1
  depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
  verify return:1

  It looks like openssl does not honor the -CApath parameter and takes the default, but if you don't specify -CApath it doesn't look in the CA directory at all.
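As an added check (example code, not from the bug report or the openssl package): Python's ssl module exposes the same compiled-in OpenSSL defaults the comment at the top describes, so it can show which CAfile and CApath a build falls back to, whether they actually exist on disk, and how many CA certificates a verify context really loaded. The function names are this example's own.

```python
import os
import ssl
import tempfile


def default_verify_paths():
    """Report the CA locations this OpenSSL build falls back to.

    openssl_cafile is the compiled-in default CAfile (the cert.pem the
    comment calls useless when it does not exist); openssl_capath is the
    default hashed directory (OPENSSLDIR/certs). The *_env names are the
    environment variables that override each one.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile_default": p.openssl_cafile,
        "cafile_env_var": p.openssl_cafile_env,
        "cafile_exists": os.path.isfile(p.openssl_cafile),
        "capath_default": p.openssl_capath,
        "capath_env_var": p.openssl_capath_env,
        "capath_exists": os.path.isdir(p.openssl_capath),
    }


def loaded_ca_count(cafile=None, capath=None, include_defaults=False):
    """Return how many CA certificates a verify context actually holds.

    Caveat: certificates in a CApath are looked up lazily by subject hash,
    so only certificates read from a CAfile are counted. A count of 0 with
    include_defaults=True means the default CAfile contributed nothing,
    which is the situation the comment describes when it points at a
    missing cert.pem; verification then depends entirely on the CApath.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    if include_defaults:
        # Same effect as the fallback the comment describes: add the
        # compiled-in default CAfile and CApath to the store.
        ctx.set_default_verify_paths()
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    for key, value in default_verify_paths().items():
        print(f"{key:15} {value}")
    with tempfile.TemporaryDirectory() as empty_dir:
        print("CAs from an empty CApath:", loaded_ca_count(capath=empty_dir))
    print("CAs from build defaults:", loaded_ca_count(include_defaults=True))
```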



