Bug 208746

Summary: ssl fails when using certificates with "trust" setting
Product: [Fedora] Fedora
Component: openssl
Version: 5
Hardware: All
OS: Linux
Status: CLOSED UPSTREAM
Severity: low
Priority: medium
Reporter: Dean Mander <knolderpoor>
Assignee: Tomas Mraz <tmraz>
QA Contact: Brian Brock <bbrock>
CC: mishu, prockai, raffin.adrien, tss, wtogami
Doc Type: Bug Fix
Last Closed: 2006-10-12 12:52:01 UTC
Attachments: patch proposition to fix bug 208746

Description Dean Mander 2006-10-01 14:30:58 UTC

Description of problem:
When using certificates with a "trust" setting, the daemon fails to start up with the following error in /var/log/maillog:

dovecot: child 32245 (login) returned error 89
dovecot: Login process died too early - shutting down
dovecot: imap-login: Can't load certificate file /etc/pki/dovecot/certs/dovecot.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

The cause is that a certificate with a "trust" setting has a different first line of file:
no trust setting: "-----BEGIN CERTIFICATE-----"
trust settings: "-----BEGIN TRUSTED CERTIFICATE-----"
(see man openssl x509)

dovecot doesn't seem to like trusted certifs.


Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. create a certificate with openssl
2. add a trust setting ( openssl x509 -in server.pem -setalias "server certificate" -addtrust serverAuth -out server.pem )
3. setup dovecot to use this certificate

Actual Results:
no startup and error in /var/log/maillog

Expected Results:


Additional info:
workaround: remove the "TRUSTED" start- and endline from your certificate

Comment 1 Petr Rockai 2006-10-11 16:39:46 UTC
Unless I am missing something, the responsible code path is this:
        if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
                i_fatal("Can't load certificate file %s: %s",
                        certfile, ssl_last_error());
        }

which indicates that it's openssl itself that has a problem reading the 
certificate, not dovecot. I haven't found indication that trusted certs should 
be handled differently in client code in the openssl manpages, I'm reassigning 
to openssl, if I was wrong, please bounce this back and hint me on what I 
should be doing. Thanks.

Comment 2 Tomas Mraz 2006-10-11 17:48:38 UTC
Can you attach such trusted certificate and the appropriate CA certificate to
this bug report?


Comment 3 Dean Mander 2006-10-11 18:34:15 UTC
Tomas,
of course (at least the public part ;-))

first the CA cert, then the user certif.
When removing the "trust" word from the user certificate, dovecot works like a charm

$ cat CA/cacert.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

$ cat dovecot/dovecot.pem
-----BEGIN TRUSTED CERTIFICATE-----
-----END TRUSTED CERTIFICATE-----

Comment 4 Tomas Mraz 2006-10-12 12:52:01 UTC
SSL_CTX_use_certificate_chain_file() calls PEM_read_bio_X509() which doesn't
allow reading trusted certificates. The 'openssl s_server' utility doesn't use
this function and calls PEM_read_bio_X509_AUX() directly. I don't know whether
the SSL_CTX_use_certificate_chain_file() is obsolete or not. 

Reported as enhancement request on upstream OpenSSL Request tracker (#1411).
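
Added example (not part of the original bug report, and not OpenSSL or dovecot code): a pre-flight check for the condition described in the report and in comment 4. It relies on a TRUSTED CERTIFICATE block holding the certificate DER followed by an auxiliary trust structure; the function names and the sample bytes are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv_len(der: bytes) -> int:
    """Total length (header + content) of the first DER element in der."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    if der[1] < 0x80:                          # short-form length
        total = 2 + der[1]
    else:                                      # long form: n length bytes follow
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("indefinite or truncated DER length")
        total = 2 + n + int.from_bytes(der[2:2 + n], "big")
    if total > len(der):
        raise ValueError("DER element longer than input")
    return total

def audit_pem(text: str):
    """Return (label, cert_len, aux_len) for each *CERTIFICATE block in text."""
    found = []
    for label, body in PEM_RE.findall(text):
        if label.endswith("CERTIFICATE"):
            der = base64.b64decode(body)
            cert_len = der_tlv_len(der)
            found.append((label, cert_len, len(der) - cert_len))
    return found

def strip_trust(text: str) -> str:
    """Rewrite TRUSTED CERTIFICATE blocks as plain CERTIFICATE blocks.
    The trailing aux data (trust uses, alias) is dropped, not preserved."""
    def repl(m):
        if m.group(1) != "TRUSTED CERTIFICATE":
            return m.group(0)
        der = base64.b64decode(m.group(2))
        b64 = base64.b64encode(der[:der_tlv_len(der)]).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
    return PEM_RE.sub(repl, text)

# Constructed sample, not a real certificate: a 147-byte dummy SEQUENCE
# followed by aux data that lists the serverAuth OID as a trusted use.
FAKE_CERT = bytes([0x30, 0x81, 0x90]) + b"\x00" * 0x90
AUX = bytes.fromhex("300c300a06082b06010505070301")
SAMPLE = ("-----BEGIN TRUSTED CERTIFICATE-----\n"
          + base64.b64encode(FAKE_CERT + AUX).decode()
          + "\n-----END TRUSTED CERTIFICATE-----\n")
```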


Comment 5 Adrien RAFFIN-CABOISSE 2015-02-13 10:19:37 UTC
Created attachment 991290
patch proposition to fix bug 208746

Comment 6 Adrien RAFFIN-CABOISSE 2015-02-13 10:22:59 UTC
I know that this bug has been closed, and for good reason, but using the PEM_read_bio_X509_AUX() function allows fixing the bug and validating the trust chain.

So it's an improvement in functionality, since PEM_read_bio_X509() is ignoring the trusted part, right?

Comment 7 Tomas Mraz 2015-02-16 11:43:38 UTC
I would suggest opening a new bug (RFE) against dovecot.