Bug 2203478
| Summary: | openssl s_client tries hashed certificates in wrong directory | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Petr Menšík <pemensik> |
| Component: | openssl | Assignee: | Dmitry Belyavskiy <dbelyavs> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 39 | CC: | crypto-team, dbelyavs, mspacek, mturk, sahana, tm |
| Target Milestone: | --- | Keywords: | Performance |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This bug appears to have been reported against 'rawhide' during the Fedora Linux 39 development cycle. Changing version to 39.
It seems in the default rawhide configuration openssl is attempting to use hashed names from a directory where no hashed names are generated. I expect hashed names are more efficient than a single file containing all certificates present. But if ca tooling is preparing that in some directory, I think the default configuration should try that directory unless overridden manually. It seems that does not happen now.

Tested with:
openssl-3.0.8-2.fc39.x86_64
ca-certificates-2023.2.60-2.fc38.noarch

Reproducible: Always

Steps to Reproduce:
1. strace -o openssl.strace openssl s_client -connect dns.google:853
2. grep /etc/pki openssl.strace

Actual Results:
```
openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/pki/tls/ct_log_list.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/etc/pki/tls/cert.pem", O_RDONLY) = 3
newfstatat(AT_FDCWD, "/etc/pki/tls/certs/c06d5c68.0", 0x7ffc8e6d9230, 0) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/etc/pki/tls/certs", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
openat(AT_FDCWD, "/etc/pki/tls/certs", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
```

Expected Results:
Hashed certificates should be tried in a directory where some hashed certificates reside. At least on current rawhide /etc/pki/tls/certs/ contains no hashed certificate with a similar name. /etc/pki/ca-trust/extracted/pem/directory-hash/ seems to contain entries in a similar format, but that directory is not tried according to strace.

Noticed this when triaging bug #2196699.

```
# ls -l /etc/pki/tls/certs/
total 0
lrwxrwxrwx. 1 root root 49 Jan 19 19:00 ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
lrwxrwxrwx. 1 root root 55 Jan 19 19:00 ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
# ls /etc/pki/ca-trust/extracted/pem/directory-hash/*.0 | wc -l
282
```
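As an added check (not part of the bug report or of Fedora's ca-certificates tooling), the POSIX shell snippet below counts entries whose names follow the hashed-link format s_client probed above (`<8 hex digits>.<n>`, e.g. `c06d5c68.0`) in each candidate CApath, so an administrator can confirm which directory could actually satisfy such a lookup. The sample directories are constructed inline; the real paths from the report appear only in a comment.

```shell
# hashed_count DIR: number of entries in DIR named like OpenSSL hashed links
# (<8 lowercase hex digits>.<digit...>). A missing or empty directory yields 0,
# which is exactly the situation in which a <hash>.0 stat() returns ENOENT.
hashed_count() {
  dir=$1
  n=0
  [ -d "$dir" ] || { echo 0; return 0; }
  for f in "$dir"/*; do
    case ${f##*/} in
      [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# report_capaths DIR...: one verdict line per candidate CApath.
report_capaths() {
  for d in "$@"; do
    c=$(hashed_count "$d")
    if [ "$c" -gt 0 ]; then
      echo "$d: $c hashed links (usable as CApath)"
    else
      echo "$d: no hashed links (a <hash>.0 lookup here will fail with ENOENT)"
    fi
  done
}

# Constructed sample mirroring the report: one directory holding only bundle
# files, one holding hashed links. Names are made up for the demonstration.
sample=$(mktemp -d)
mkdir "$sample/certs" "$sample/directory-hash"
touch "$sample/certs/ca-bundle.crt" "$sample/certs/ca-bundle.trust.crt"
touch "$sample/directory-hash/c06d5c68.0" "$sample/directory-hash/c06d5c68.1" \
      "$sample/directory-hash/2e5ac55d.0" "$sample/directory-hash/README"
report_capaths "$sample/certs" "$sample/directory-hash"
rm -rf "$sample"
# On a Fedora host the real comparison from the report would be:
#   report_capaths /etc/pki/tls/certs /etc/pki/ca-trust/extracted/pem/directory-hash
```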