"openssl verify -CAfile mutil_ca.pem site.cert" fails even if mutil_ca.pem contains the chain for site.cert

Bug #335225 reported by Jeff Wu
Affects: openssl (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Binary package hint: openssl

Verification fails even if the CAfile contains the CA root certificate chain
for the site cert.

Steps:

I have a CAfile.pem (all these files are attached in testfiles.tgz) that
contains lots of CA root certificates.
I run the following commands

$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK

Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem and save
the result as CAfile2.pem
$ cat CAfile.pem aolca.pem > CAfile2.pem

and run the following commands

$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK

$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The verification for aol.cert passes as expected, but failing to verify
akamai.cert is unexpected.

If I configure/compile openssl with the "-d" option, openssl will fail to load
CAfile.pem

$ openssl verify -CAfile CAfile.pem akamai.cert

 Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.

ElectricFence Exiting: mprotect() failed: Cannot allocate memory

This issue happens in both 0.9.8j and the stock 0.9.8g in Ubuntu 8.10.
If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/,
since openssl will try to load those CA root certificates as a last
resort (or run it under strace to make sure openssl is not accessing them).
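What `openssl verify -CAfile` is expected to do on a current OpenSSL, as an added example that is not part of the bug report, its attached patches, or the openssl sources: the script below builds a throwaway root -> intermediate -> leaf chain, then verifies the leaf against a bundle holding the whole chain in either order, against a bundle missing the intermediate (which reproduces the "error 20 at 0 depth lookup: unable to get local issuer certificate" output quoted above), and against the root alone with the intermediate supplied via -untrusted. It assumes `openssl` is on PATH; every name (Example Root CA, www.example.test, the bundle_*.pem files) is made up. Instead of renaming /usr/lib/ssl/certs/, it points -CApath at an empty directory so the system store cannot quietly satisfy a lookup; on OpenSSL 1.1.0 and later, -no-CApath has the same effect.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the openssl project.
# Assumes `openssl` is on PATH. All subject names and file names are made up.
# -CApath is pointed at an empty directory so that /usr/lib/ssl/certs or
# /etc/ssl/certs cannot supply an issuer behind our back (OpenSSL 1.1.0+: -no-CApath).

set -u

# mkchain DIR: writes root.pem, int.pem, leaf.pem and three CAfile bundles into DIR.
mkchain() {
  d=$1
  mkdir -p "$d/emptycapath"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
      'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$d/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature,keyEncipherment' \
      'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:www.example.test' > "$d/leaf.ext"
  for n in root int leaf; do openssl genrsa -out "$d/$n.key" 2048 2>/dev/null; done
  # self-signed root
  openssl req -new -key "$d/root.key" -subj '/CN=Example Root CA' -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -set_serial 1 \
      -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # intermediate issued by the root
  openssl req -new -key "$d/int.key" -subj '/CN=Example Intermediate CA' -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -days 30 -set_serial 2 \
      -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # end-entity certificate issued by the intermediate
  openssl req -new -key "$d/leaf.key" -subj '/CN=www.example.test' -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -days 30 -set_serial 3 \
      -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  # Bundles: the order inside a -CAfile bundle is irrelevant; a missing intermediate is not.
  cat "$d/root.pem" "$d/int.pem" > "$d/bundle_root_first.pem"
  cat "$d/int.pem" "$d/root.pem" > "$d/bundle_int_first.pem"
  cp "$d/root.pem" "$d/bundle_root_only.pem"
}

# verify_leaf DIR BUNDLE: verify leaf.pem with BUNDLE as the only trust anchors.
# Prints openssl's own output; returns 0 on "OK", 1 on any failure.
verify_leaf() {
  out=$(openssl verify -CApath "$1/emptycapath" -CAfile "$1/$2" "$1/leaf.pem" 2>&1 || true)
  printf '%s\n' "$out"
  case $out in *': OK'*) return 0 ;; *) return 1 ;; esac
}

# verify_error20 DIR BUNDLE: true if the failure is error 20 (unable to get local
# issuer certificate), i.e. the issuer is simply absent from the trust store.
verify_error20() {
  openssl verify -CApath "$1/emptycapath" -CAfile "$1/$2" "$1/leaf.pem" 2>&1 \
      | grep -q 'error 20 at 0 depth'
}

# verify_untrusted DIR: root-only trust anchor plus the intermediate as an
# untrusted chain certificate, the way a TLS server would send it.
verify_untrusted() {
  openssl verify -CApath "$1/emptycapath" -CAfile "$1/bundle_root_only.pem" \
      -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK'
}

main() {
  work=$(mktemp -d)
  mkchain "$work"
  echo '# bundle: root then intermediate'; verify_leaf "$work" bundle_root_first.pem
  echo '# bundle: intermediate then root'; verify_leaf "$work" bundle_int_first.pem
  echo '# bundle: root only (expect error 20)'; verify_leaf "$work" bundle_root_only.pem
  echo '# root only + -untrusted intermediate'
  verify_untrusted "$work" && echo 'OK via -untrusted'
  rm -rf "$work"
}

main
```

The -CApath trick replaces the "rename /usr/lib/ssl/certs/" step from the report: with both -CAfile and -CApath given, the default directory is never consulted, so a passing result can only come from the bundle under test. The root-only run is the same failure mode as the aol.cert output above, and -untrusted shows the usual fix when you hold the root but receive the intermediate from the peer.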

Jeff Wu (jeffwu75)
description: updated
Jeff Wu (jeffwu75)
description: updated
Revision history for this message
Jeff Wu (jeffwu75) wrote :

patch for openssl 0.9.8j attached
will create a patch for ubuntu 8.10 openssl 0.9.8g later
this issue also exists in Debian

Revision history for this message
Jeff Wu (jeffwu75) wrote :

patch for ubuntu 8.10 openssl 0.9.8g attached

Revision history for this message
Maarten Bezemer (veger) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. We are sorry that we do not always have the capacity to look at all reported bugs in a timely manner. There have been many changes in Ubuntu since the time you reported the bug and your problem may have been fixed with some of the updates. It would help us a lot if you could test it on a currently supported Ubuntu version. When you test it and it is still an issue, kindly upload the updated logs by running apport-collect 335225 and any other logs that are relevant for this particular issue.

Changed in openssl (Ubuntu):
status: New → Incomplete
Adrien Nader (adrien)
Changed in openssl (Ubuntu):
status: Incomplete → New
status: New → Incomplete
Revision history for this message
Adrien Nader (adrien) wrote :

I'm going to mark this bug as Won't Fix because we don't have a confirmation and I can't tell if this was actually merged and/or fixed in a new openssl version even though both seem likely.

Changed in openssl (Ubuntu):
status: Incomplete → Won't Fix