2009-02-27 00:50:14 |
Jeff Wu |
bug |
|
|
added bug |
2009-02-27 00:50:14 |
Jeff Wu |
bug |
|
|
added attachment 'testfiles.tgz' (testfiles.tgz) |
2009-02-27 01:17:06 |
Jeff Wu |
description |
Binary package hint: openssl
Verification fails even if the CAfile contains the CA root certificates chain
for the site cert.
Steps:
I have a CAfile.pem (all these files are attached in testfiles.tgz)
that contains lots of CA root certificates.
I run the following command
$ apps/openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate
$ apps/openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK
Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem, renaming it
to CAfile2.pem
$ cat CAfile.pem aolca.pem > CAfile2.pem
and run the following commands
$ apps/openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK
$ apps/openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate
The verification for aol.cert passes as expected, but failing to verify
akamai.cert is unexpected.
If I configure/compile openssl with the "-d" option, openssl will fail to load the
CAfile.pem
$ apps/openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory
This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10
If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/
since openssl will try to load these CA root certificates as a last
resort (or try it with strace to make sure openssl is not accessing them). |
Binary package hint: openssl
Verification fails even if the CAfile contains the CA root certificates chain
for the site cert.
Steps:
I have a CAfile.pem (all these files are attached in testfiles.tgz)
that contains lots of CA root certificates.
I run the following command
$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate
$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK
Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem, renaming it
to CAfile2.pem
$ cat CAfile.pem aolca.pem > CAfile2.pem
and run the following commands
$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK
$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate
The verification for aol.cert passes as expected, but failing to verify
akamai.cert is unexpected.
If I configure/compile openssl with the "-d" option, openssl will fail to load the
CAfile.pem
$ openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory
This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10
If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/
since openssl will try to load these CA root certificates as a last
resort (or try it with strace to make sure openssl is not accessing them). |
|
2009-02-27 18:35:56 |
Jeff Wu |
description |
Binary package hint: openssl
Verification fails even if the CAfile contains the CA root certificates chain
for the site cert.
Steps:
I have a CAfile.pem (all these files are attached in testfiles.tgz)
that contains lots of CA root certificates.
I run the following command
$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate
$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK
Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem, renaming it
to CAfile2.pem
$ cat CAfile.pem aolca.pem > CAfile2.pem
and run the following commands
$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK
$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate
The verification for aol.cert passes as expected, but failing to verify
akamai.cert is unexpected.
If I configure/compile openssl with the "-d" option, openssl will fail to load the
CAfile.pem
$ openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory
This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10
If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/
since openssl will try to load these CA root certificates as a last
resort (or try it with strace to make sure openssl is not accessing them). |
Binary package hint: openssl
Verification fails even if the CAfile contains the CA root certificates chain
for the site cert.
Steps:
I have a CAfile.pem (all these files are attached in testfiles.tgz)
that contains lots of CA root certificates.
I run the following command
$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate
$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK
Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem, renaming it
to CAfile2.pem
$ cat CAfile.pem aolca.pem > CAfile2.pem
and run the following commands
$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK
$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate
The verification for aol.cert passes as expected, but failing to verify
akamai.cert is unexpected.
If I configure/compile openssl with the "-d" option, openssl will fail to load the
CAfile.pem
$ openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory
This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10
If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/
since openssl will try to load these CA root certificates as a last
resort (or try it with strace to make sure openssl is not accessing them). |
|
2009-02-27 20:15:52 |
Jeff Wu |
bug |
|
|
added attachment 'openssl098j.patch' (patch for openssl 0.9.8j) |
2009-02-27 20:24:46 |
Jeff Wu |
bug |
|
|
added attachment 'ubuntu8.10_openssl098g.patch' (patch for ubuntu 8.10 openssl 0.9.8g) |
2012-05-11 10:42:29 |
Maarten Bezemer |
openssl (Ubuntu): status |
New |
Incomplete |
|
2012-05-11 10:42:31 |
Maarten Bezemer |
bug |
|
|
added subscriber Maarten Bezemer |
2023-05-11 14:35:03 |
Adrien Nader |
openssl (Ubuntu): status |
Incomplete |
New |
|
2023-05-11 14:35:05 |
Adrien Nader |
openssl (Ubuntu): status |
New |
Incomplete |
|
2023-07-17 20:13:56 |
Adrien Nader |
openssl (Ubuntu): status |
Incomplete |
Won't Fix |
|