"openssl verify -CAfile mutil_ca.pem site.cert" fails even if mutil_ca.pem contains the chain for site.cert
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssl (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
Binary package hint: openssl
Verification fails even if the CAfile contains the CA root certificate chain
for the site cert.
Steps:
I have a CAfile.pem (all these files are attached in testfiles.tgz) that
contains lots of CA root certificates.
I run the following command
$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=
error 20 at 0 depth lookup:unable to get local issuer certificate
$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK
Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem and rename it
to CAfile2.pem
$ cat CAfile.pem aolca.pem > CAfile2.pem
and run the following commands
$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK
$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=
error 20 at 0 depth lookup:unable to get local issuer certificate
The verification of aol.cert passes as expected, but the failure to verify
akamai.cert is unexpected.
If I configure/compile openssl with the "-d" option, openssl fails to load
CAfile.pem:
$ openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory
This issue happens with both 0.9.8j and the stock 0.9.8g in Ubuntu 8.10.
If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/,
since openssl will try to load these CA root certificates as a last
resort (or run it under strace to make sure openssl is not accessing them).
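Added example, not code from the bug report or from the openssl project: this script builds two constructed test roots with a leaf under each, concatenates the roots into a bundle the way CAfile2.pem was built, and verifies each leaf with openssl's default trust locations disabled, which on openssl 1.1.0 or later does what the report achieves by renaming /usr/lib/ssl/certs/. It also counts how many certificates openssl actually parses from the bundle, a quick check that the concatenation did not lose a PEM boundary. It assumes an openssl binary of version 1.1.0 or later on PATH; all certificate names and file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report. Builds two constructed test roots,
# a leaf under each, and a concatenated -CAfile bundle, then verifies each leaf
# with openssl's default trust locations disabled (needs openssl >= 1.1.0 for
# -no-CApath/-no-CAfile and a non-zero exit status on verification failure).
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config: empty DN section (we pass -subj) plus CA extensions.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\n' > ca.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> ca.cnf

mkroot() {  # $1 = file stem, $2 = CN; self-signed CA, 1-day validity
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

mkleaf() {  # $1 = leaf stem, $2 = root stem, $3 = CN; signed directly by root
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# Verify LEAF using only BUNDLE as trust anchors; exit status is the verdict.
verify_against_bundle() {  # $1 = leaf, $2 = bundle
  openssl verify -no-CApath -no-CAfile -CAfile "$2" -show_chain "$1"
}

# Number of certificates openssl actually parses from a PEM bundle. A cat that
# glued two PEM blocks onto one line parses short of the BEGIN-marker count.
bundle_cert_count() {  # $1 = bundle
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
    | grep -c '^subject='
}

mkroot root_a "Test Root A"
mkroot root_b "Test Root B"
mkleaf leaf_a root_a "a.example.test"
mkleaf leaf_b root_b "b.example.test"
cat root_a.pem root_b.pem > bundle.pem   # built the same way as CAfile2.pem

echo "certificates parsed from bundle: $(bundle_cert_count bundle.pem)"
verify_against_bundle leaf_a.pem bundle.pem
verify_against_bundle leaf_b.pem bundle.pem
# Negative case: root_a is absent, so this ends in the report's error 20.
verify_against_bundle leaf_a.pem root_b.pem || echo "leaf_a rejected against root_b as expected"
```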
description: updated
Changed in openssl (Ubuntu):
status: Incomplete → New
status: New → Incomplete
Patch for openssl 0.9.8j attached.
Will create a patch for Ubuntu 8.10 openssl 0.9.8g later.
This issue also exists in Debian.