Ubuntu

Activity log for bug #335225

Date Who What changed Old value New value Message
2009-02-27 00:50:14 Jeff Wu bug added bug
2009-02-27 00:50:14 Jeff Wu bug added attachment 'testfiles.tgz' (testfiles.tgz)
2009-02-27 01:17:06 Jeff Wu description

Old value:

Binary package hint: openssl

Verification fails even if the CAfile contains the CA root certificates chain for the site cert.

Steps:
I have a CAfile.pem (all these files attached in testfiles.tgz) contains lots of CA root certificates.
I run the following command

$ apps/openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate

$ apps/openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK

Then I append aolca.pem(AOL Member CA) in the end of CAfile.pem, rename it to CAfile2.pem

$ cat CAfile.pem aolca.pem > CAfile2.pem

- Hide quoted text -

and run the following commands

$ apps/openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK

$ apps/openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The verification for aol.cert passes as expected, but failing to verify akamai.cert is unexpected.

If I configure/compile openssl with "-d" option, openssl will fail to load the CAfile.pem

$ apps/openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory

This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10

If you try to re-produce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/ since openssl will try to load these CA root certificates as last resort.(or try it with strace to make sure openssl is not accessing them)

New value:

Binary package hint: openssl

Verification fails even if the CAfile contains the CA root certificates chain for the site cert.

Steps:
I have a CAfile.pem (all these files attached in testfiles.tgz) contains lots of CA root certificates.
I run the following command

$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK

Then I append aolca.pem(AOL Member CA) in the end of CAfile.pem, rename it to CAfile2.pem

$ cat CAfile.pem aolca.pem > CAfile2.pem

- Hide quoted text -

and run the following commands

$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK

$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The verification for aol.cert passes as expected, but failing to verify akamai.cert is unexpected.

If I configure/compile openssl with "-d" option, openssl will fail to load the CAfile.pem

$ openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory

This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10

If you try to re-produce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/ since openssl will try to load these CA root certificates as last resort.(or try it with strace to make sure openssl is not accessing them)

2009-02-27 18:35:56 Jeff Wu description

Old value:

Binary package hint: openssl

Verification fails even if the CAfile contains the CA root certificates chain for the site cert.

Steps:
I have a CAfile.pem (all these files attached in testfiles.tgz) contains lots of CA root certificates.
I run the following command

$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK

Then I append aolca.pem(AOL Member CA) in the end of CAfile.pem, rename it to CAfile2.pem

$ cat CAfile.pem aolca.pem > CAfile2.pem

- Hide quoted text -

and run the following commands

$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK

$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The verification for aol.cert passes as expected, but failing to verify akamai.cert is unexpected.

If I configure/compile openssl with "-d" option, openssl will fail to load the CAfile.pem

$ openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory

This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10

If you try to re-produce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/ since openssl will try to load these CA root certificates as last resort.(or try it with strace to make sure openssl is not accessing them)

New value:

Binary package hint: openssl

Verification fails even if the CAfile contains the CA root certificates chain for the site cert.

Steps:
I have a CAfile.pem (all these files attached in testfiles.tgz) contains lots of CA root certificates.
I run the following command

$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK

Then I append aolca.pem(AOL Member CA) in the end of CAfile.pem, rename it to CAfile2.pem

$ cat CAfile.pem aolca.pem > CAfile2.pem

and run the following commands

$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK

$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The verification for aol.cert passes as expected, but failing to verify akamai.cert is unexpected.

If I configure/compile openssl with "-d" option, openssl will fail to load the CAfile.pem

$ openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory

This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10

If you try to re-produce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/ since openssl will try to load these CA root certificates as last resort.(or try it with strace to make sure openssl is not accessing them)

2009-02-27 20:15:52 Jeff Wu bug added attachment 'openssl098j.patch' (patch for openssl 0.9.8j)
2009-02-27 20:24:46 Jeff Wu bug added attachment 'ubuntu8.10_openssl098g.patch' (patch for ubuntu 8.10 openssl 0.9.8g)
2012-05-11 10:42:29 Maarten Bezemer openssl (Ubuntu): status New Incomplete
2012-05-11 10:42:31 Maarten Bezemer bug added subscriber Maarten Bezemer