Bug 208746

Summary: | ssl fails when using certificates with "trust" setting
---|---
Product: | [Fedora] Fedora
Component: | openssl
Version: | 5
Reporter: | Dean Mander <knolderpoor>
Assignee: | Tomas Mraz <tmraz>
QA Contact: | Brian Brock <bbrock>
CC: | mishu, prockai, raffin.adrien, tss, wtogami
Status: | CLOSED UPSTREAM
Severity: | low
Priority: | medium
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2006-10-12 12:52:01 UTC
Description
Dean Mander
2006-10-01 14:30:58 UTC
Unless I am missing something, the responsible code path is this:

    if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
        i_fatal("Can't load certificate file %s: %s", certfile, ssl_last_error());
    }

which indicates that it's OpenSSL itself that has a problem reading the certificate, not Dovecot. I haven't found any indication in the OpenSSL manpages that trusted certs should be handled differently in client code, so I'm reassigning to openssl; if I was wrong, please bounce this back and hint me on what I should be doing. Thanks.

Can you attach such a trusted certificate and the appropriate CA certificate to this bug report?

Tomas, of course (at least the public part ;-)). First the CA cert, then the user certificate. When removing the "trust" word from the user certificate, dovecot works like a charm.

    $ cat CA/cacert.pem
    -----BEGIN CERTIFICATE-----
    MIICzzCCAjgCCQDIrVJYy2s4MjANBgkqhkiG9w0BAQUFADCBqzELMAkGA1UEBhMC
    QkUxEDAOBgNVBAgTB0JlbGdpdW0xETAPBgNVBAcTCEJydXNzZWxzMRcwFQYDVQQK
    Ew5Lbm9sZGVycG9vciBJVDEfMB0GA1UECxMWQ2VydGlmaWNhdGlvbiBTZXJ2aWNl
    czEXMBUGA1UEAxMOS25vbGRlcnBvb3IgQ0ExJDAiBgkqhkiG9w0BCQEWFWtub2xk
    ZXJwb29yQGdtYWlsLmNvbTAeFw0wNjEwMDExMDE0MjlaFw0yNjA5MjYxMDE0Mjla
    MIGrMQswCQYDVQQGEwJCRTEQMA4GA1UECBMHQmVsZ2l1bTERMA8GA1UEBxMIQnJ1
    c3NlbHMxFzAVBgNVBAoTDktub2xkZXJwb29yIElUMR8wHQYDVQQLExZDZXJ0aWZp
    Y2F0aW9uIFNlcnZpY2VzMRcwFQYDVQQDEw5Lbm9sZGVycG9vciBDQTEkMCIGCSqG
    SIb3DQEJARYVa25vbGRlcnBvb3JAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUA
    A4GNADCBiQKBgQDCFFSztYb5lzpgyU6PqBR+kgAE1IvOGUq+LIIcIXf+ssgYQHuU
    mwE5idNCZcmJklsnamsLCMX7x79HejZUbYjO0a+FfBnTGLkdBFuQYq7jw8ASY3+Z
    I/6xLB9ZQVbHlb952CVtGLvXuQMmVPybAIJrp5OyS4wuohV4M5YHCX25jwIDAQAB
    MA0GCSqGSIb3DQEBBQUAA4GBACP1OOQiu/ZTDbIZIYMZNliLiJ5ofkafI5/nADVN
    JKsd3i5bg24CZ5ZapeofIypVPZ88SlMoTDSoEXiQJlmaRCVjzgv+5n3phxt19syv
    gllg0yN5DB8TFya2jizphoWEZlFDLMJB7kdE8pDdAh/JDuJqYVedF4pcsLGudFU9
    cT8I
    -----END CERTIFICATE-----

    $ cat dovecot/dovecot.pem
    -----BEGIN TRUSTED CERTIFICATE-----
    MIICtTCCAh4CCQDzivp2v6uvIDANBgkqhkiG9w0BAQUFADCBqzELMAkGA1UEBhMC
    QkUxEDAOBgNVBAgTB0JlbGdpdW0xETAPBgNVBAcTCEJydXNzZWxzMRcwFQYDVQQK
    Ew5Lbm9sZGVycG9vciBJVDEfMB0GA1UECxMWQ2VydGlmaWNhdGlvbiBTZXJ2aWNl
    czEXMBUGA1UEAxMOS25vbGRlcnBvb3IgQ0ExJDAiBgkqhkiG9w0BCQEWFWtub2xk
    ZXJwb29yQGdtYWlsLmNvbTAeFw0wNjEwMDExMDIzNTBaFw0xMDEwMDExMDIzNTBa
    MIGRMQswCQYDVQQGEwJCRTEQMA4GA1UECBMHQmVsZ2l1bTERMA8GA1UEBxMIQnJ1
    c3NlbHMxFzAVBgNVBAoTDktub2xkZXJwb29yIElUMR4wHAYDVQQDExVrbm9sZGVy
    cG9vci5uby1pcC5vcmcxJDAiBgkqhkiG9w0BCQEWFWtub2xkZXJwb29yQGdtYWls
    LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7nykEO8gBpasurSNxHad
    Nzs0e024XJKQd4rXdYZfyVeP6HAhimUWWi/NiEzDUpftRS+S6cqmcZb1cmD4IS7f
    LRpkNdGfLifxvSpUoUJwoMAG2MQxoh8ew3dyHZDAW8SgnDl4KfZK+3HWVGXfThJl
    CZ2aOTjmJWYu+zXwZxUTK1sCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAVVHFeKRnv
    0O0wrR5oma24aZNYZpCwsii72lYhNpF92aXwKbt+8HKwnc2WvzGoaV61y/elP+w1
    7Sb+aeBpxvrC9PjHdgpy0OWq4W5Z0dRDkluJmrSZzcgHD9UN9+Oe6aOXtOehHPpX
    AZw8C98IRkCBOs13Yk0CUsIiOH1pq3OAZjAsMAoGCCsGAQUFBwMBDB5Lbm9sZGVy
    cG9vciBTZXJ2ZXIgY2VydGlmaWNhdGU=
    -----END TRUSTED CERTIFICATE-----

SSL_CTX_use_certificate_chain_file() calls PEM_read_bio_X509(), which doesn't allow reading trusted certificates. The 'openssl s_server' utility doesn't use this function and calls PEM_read_bio_X509_AUX() directly. I don't know whether SSL_CTX_use_certificate_chain_file() is obsolete or not.

Reported as an enhancement request on the upstream OpenSSL Request Tracker (#1411).

Created attachment 991290 [details]
patch proposition to fix bug 208746

I know that this bug has been closed, and for good reason, but using the PEM_read_bio_X509_AUX() function allows fixing the bug and validating the trust chain. So it's an improvement in functionality, since PEM_read_bio_X509() is ignoring the trusted part, right?

I would suggest opening a new bug (RFE) against dovecot.
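The thread turns on one detail of the PEM format that is worth seeing concretely. A "TRUSTED CERTIFICATE" block is the certificate's DER followed by a CertAux structure carrying local trust settings (trust-purpose OIDs, an alias, optionally reject OIDs and a key id); PEM_read_bio_X509() accepts only the plain "CERTIFICATE" label, while PEM_read_bio_X509_AUX() accepts both and parses the appendix. The Python below is an added example, not code from the bug report, Dovecot or OpenSSL. It parses the server certificate posted above, decodes the trust settings appended to it, and re-emits a plain CERTIFICATE block of the kind the chain-file loader in the report expects. The CertAux field tags it checks (SEQUENCE OF OID for trust, UTF8String for alias) follow OpenSSL's X509_CERT_AUX encoding; loads_as_ca() is a hypothetical helper that only reports whether the installed OpenSSL's CA-file loader, reached through the standard ssl module, accepts a given PEM.

```python
"""Added example: split an OpenSSL "TRUSTED CERTIFICATE" PEM block (certificate
DER followed by a CertAux SEQUENCE) into the bare certificate and its trust settings."""
import base64
import os
import re
import ssl
import tempfile

TRUSTED_PEM = """-----BEGIN TRUSTED CERTIFICATE-----
MIICtTCCAh4CCQDzivp2v6uvIDANBgkqhkiG9w0BAQUFADCBqzELMAkGA1UEBhMC
QkUxEDAOBgNVBAgTB0JlbGdpdW0xETAPBgNVBAcTCEJydXNzZWxzMRcwFQYDVQQK
Ew5Lbm9sZGVycG9vciBJVDEfMB0GA1UECxMWQ2VydGlmaWNhdGlvbiBTZXJ2aWNl
czEXMBUGA1UEAxMOS25vbGRlcnBvb3IgQ0ExJDAiBgkqhkiG9w0BCQEWFWtub2xk
ZXJwb29yQGdtYWlsLmNvbTAeFw0wNjEwMDExMDIzNTBaFw0xMDEwMDExMDIzNTBa
MIGRMQswCQYDVQQGEwJCRTEQMA4GA1UECBMHQmVsZ2l1bTERMA8GA1UEBxMIQnJ1
c3NlbHMxFzAVBgNVBAoTDktub2xkZXJwb29yIElUMR4wHAYDVQQDExVrbm9sZGVy
cG9vci5uby1pcC5vcmcxJDAiBgkqhkiG9w0BCQEWFWtub2xkZXJwb29yQGdtYWls
LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA7nykEO8gBpasurSNxHad
Nzs0e024XJKQd4rXdYZfyVeP6HAhimUWWi/NiEzDUpftRS+S6cqmcZb1cmD4IS7f
LRpkNdGfLifxvSpUoUJwoMAG2MQxoh8ew3dyHZDAW8SgnDl4KfZK+3HWVGXfThJl
CZ2aOTjmJWYu+zXwZxUTK1sCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAVVHFeKRnv
0O0wrR5oma24aZNYZpCwsii72lYhNpF92aXwKbt+8HKwnc2WvzGoaV61y/elP+w1
7Sb+aeBpxvrC9PjHdgpy0OWq4W5Z0dRDkluJmrSZzcgHD9UN9+Oe6aOXtOehHPpX
AZw8C98IRkCBOs13Yk0CUsIiOH1pq3OAZjAsMAoGCCsGAQUFBwMBDB5Lbm9sZGVy
cG9vciBTZXJ2ZXIgY2VydGlmaWNhdGU=
-----END TRUSTED CERTIFICATE-----
"""  # the server certificate attached to the bug report, copied verbatim

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_to_der(pem_text):
    """Return (label, der_bytes) for the first PEM block in pem_text."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def read_tlv(buf, off=0):
    """Decode the DER element at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def tlvs(buf):
    """Yield (tag, value) for each DER element packed back to back in buf."""
    off = 0
    while off < len(buf):
        tag, value, off = read_tlv(buf, off)
        yield tag, value

def decode_oid(body):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value (first arc 0, 1 or 2)."""
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:                     # base-128 digits, high bit = more to come
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def split_trusted_certificate(pem_text):
    """Return (cert_der, aux): the certificate and its decoded CertAux trust fields."""
    label, der = pem_to_der(pem_text)
    tag, _, end = read_tlv(der)            # the Certificate SEQUENCE always comes first
    if tag != 0x30:
        raise ValueError("certificate does not start with a SEQUENCE")
    cert_der, aux = der[:end], {"trust": [], "alias": None}
    if label != "TRUSTED CERTIFICATE" or end == len(der):
        return cert_der, aux               # plain certificate: nothing appended
    _, body, _ = read_tlv(der, end)        # CertAux ::= SEQUENCE { ... } (OpenSSL X509_CERT_AUX)
    for tag, value in tlvs(body):
        if tag == 0x30:                    # trust  SEQUENCE OF OBJECT IDENTIFIER
            aux["trust"] = [decode_oid(v) for t, v in tlvs(value) if t == 0x06]
        elif tag == 0x0C:                  # alias  UTF8String (reject/keyid/other skipped)
            aux["alias"] = value.decode("utf-8")
    return cert_der, aux

def strip_trust_settings(pem_text):
    """Re-emit as a plain CERTIFICATE block, the form PEM_read_bio_X509() accepts."""
    b64 = base64.b64encode(split_trusted_certificate(pem_text)[0]).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def loads_as_ca(pem_text):
    """Hypothetical check: does the installed OpenSSL's CA-file loader accept pem_text?"""
    with tempfile.NamedTemporaryFile("w", suffix=".pem", delete=False) as f:
        f.write(pem_text)
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=f.name)   # adds to the store, no validation
        return ctx.cert_store_stats()["x509"] == 1
    except ssl.SSLError:
        return False
    finally:
        os.unlink(f.name)
```

Run on the certificate from the report, split_trusted_certificate() yields a 697-byte certificate, the trust purpose 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth) and the alias "Knolderpoor Server certificate"; loads_as_ca(TRUSTED_PEM) tells you whether the installed OpenSSL's CA-file loader takes the trusted form as well. From the command line, `openssl x509 -in dovecot/dovecot.pem -out dovecot-plain.pem` does the same stripping (`-trustout` would keep the settings). Nothing is lost for TLS peers by stripping: trust settings are a local annotation consulted when the certificate is used as a trust anchor, and a server only ever sends the bare certificate on the wire.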