Bug 1014534 - Regression brought with openssl
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: openssl
Version: 19
Hardware/OS: Unspecified / Unspecified
Priority/Severity: unspecified / unspecified
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-10-02 05:51 EDT by Philippe Vouters
Modified: 2015-01-12 04:20 EST
Doc Type: Bug Fix
Last Closed: 2015-01-12 04:20:31 EST
Type: Bug
Attachments: None
Description Philippe Vouters 2013-10-02 05:51:35 EDT
Description of problem:
Regression brought in with openssl

Version-Release number of selected component (if applicable):
OpenSSL 1.0.1e (Fedora 19). Latest was OpenSSL 1.0.1k (Fedora 17)

How reproducible:
Always

Steps to Reproduce:
1. Have one up to date Fedora 19 or 18 computer
2. Have one up to date Fedora 17 computer
3. On both yum install/upgrade openssl

Actual results:

openssl 1.0.1k installed on Fedora 17. OpenSSL 1.0.1e installed on Fedora 18/19

Expected results:
openssl version later than or equal to 1.0.1k on Fedora 18/19.

Additional info:
I document on my Web site this command:
# openssl ca -selfsign -cert /etc/ipsec.d/certs/serverCert.pem \
-keyfile /etc/ipsec.d/private/serverKey.pem -keyform PEM \
-out /etc/ipsec.d/cacerts/serverCert.pem

As I do things right the above is documented under OpenSSL Version 1.0.1j on Linux Fedora 17.

Under OpenSSL Version 1.0.1e/Linux Fedora 19, such a command above no longer produces any output file.

Instead I have to now use:
# openssl ca -selfsign -in mycsReq.pem -keyfile mycs.prv -out mycsCACert.pem

So obviously a regression somewhere.

References:
http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven-Part_2.html
http://vouters.dyndns.org/tima/Linux-Libreswan-Shrew-Cisco-IOS-Creating_PKCS12_files_from_IOS_generated_private_key.html
Comment 1 Philippe Vouters 2013-10-02 06:02:12 EDT
Here is the evidence of the problem under Fedora 19/OpenSSL V1.0.1e
[philippe@victor Miroslav]$ sudo openssl ca -selfsign -cert serverCert.pem -keyfile serverKey.pem -keyform PEM -out serverCaCert.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for serverKey.pem:
[philippe@victor Miroslav]$ ls serverCaCert.pem
ls: cannot access serverCaCert.pem: No such file or directory
Comment 2 Tomas Mraz 2013-10-03 10:44:37 EDT
I can't see how this could ever work. And in your instructions on the dyndns page I am really confused why you are doing this.
The selfsigned certificate to be signed by CA should be specified by -ss_cert and not -cert. The -cert specifies the certificate of the CA.
Comment 3 Philippe Vouters 2013-10-03 11:24:32 EDT
The truth with the

# openssl ca -selfsign -cert /etc/ipsec.d/certs/serverCert.pem \
-keyfile /etc/ipsec.d/private/serverKey.pem -keyform PEM \
-out /etc/ipsec.d/cacerts/serverCert.pem

command I document under Fedora 17 is that I have been able to produce the PKCS12 file (aka .p12) using the command:

# openssl pkcs12 -export -certfile /etc/ipsec.d/cacerts/caCert.pem \
-inkey /etc/ipsec.d/private/serverKey.pem \
-in /etc/ipsec.d/cacerts/serverCert.pem -out server.p12
Enter pass phrase for etc/ipsec.d/private/serverKey.pem:
Enter Export Password:
Verifying - Enter Export Password:

So exactly using the first command output file (aka /etc/ipsec.d/cacerts/serverCert.pem) and I still can use this resultant .p12 file for my Shrew/Libreswan tests with Mutual RSA authentication. This should last until the expiration date of the CA certificate.

Since this Fedora 17 command no longer produces any output file under openssl 1.0.1e, unlike it did under openssl 1.0.1j, the command I now have to document is

# openssl ca -selfsign -in serverReq.pem -keyfile mycs.prv -out serverCACert.pem

which produces such a file content:

[philippe@victor Miroslav]$ cat serverCACert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e3:12:b2:93:0f:0d:5b:48
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=fr, ST=France, O=Vouters Illimited, CN=vouters.dyndns.org/emailAddress=Philippe.Vouters@laposte.net
        Validity
            Not Before: Oct  3 11:56:47 2013 GMT
            Not After : Oct  3 11:56:47 2014 GMT
        Subject: C=fr, ST=France, O=Vouters Illimited, CN=vouters.dyndns.org/emailAddress=Philippe.Vouters@laposte.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d5:94:74:28:0b:05:2e:37:b1:65:cf:1f:27:2d:
                    46:8b:99:10:a4:1c:e1:6a:d6:a7:84:b3:6a:c6:88:
                    85:e9:0a:7a:69:cd:05:95:3c:ac:1a:c9:5c:1e:0b:
                    55:f7:32:b9:a0:43:9b:48:1b:a7:2b:9e:5d:ee:6d:
                    a1:b5:f5:36:bd:93:b6:ad:6b:c4:ef:1a:02:20:21:
                    5f:c6:0e:d8:18:5f:02:58:56:51:d0:71:7f:b1:da:
                    53:13:62:94:99:ad:7b:ed:b9:39:05:83:d6:54:3e:
                    7e:95:a7:94:af:28:36:62:ae:43:87:3a:a6:12:3c:
                    1a:43:b8:4d:1c:54:04:c4:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B9:CC:E4:26:16:EB:64:BE:DF:69:7E:40:2F:D4:02:5A:6B:F3:9E:4D
            X509v3 Authority Key Identifier: 
                keyid:B9:CC:E4:26:16:EB:64:BE:DF:69:7E:40:2F:D4:02:5A:6B:F3:9E:4D

    Signature Algorithm: sha1WithRSAEncryption
         62:17:37:4d:0e:86:5b:13:dc:54:ce:81:c0:d8:5c:36:dc:0f:
         27:9a:65:76:4c:8a:34:6c:d1:b5:35:e0:7d:af:25:ea:66:6f:
         32:40:da:a2:98:62:37:db:4c:fe:f1:3c:4f:b9:7b:a8:16:6a:
         c0:e7:fc:cf:f8:e2:40:60:44:21:7e:ba:ed:3f:7f:72:6f:af:
         8b:ee:42:50:09:d9:b8:dc:2c:d6:82:ef:7c:d6:0e:3e:cf:7d:
         cd:2d:c6:0e:0d:f3:79:bb:45:38:b1:12:20:fd:a2:b0:36:f4:
         2c:d0:85:90:3a:01:06:a5:cd:b8:b6:48:76:bd:4d:41:21:92:
         6e:75
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

which also looks like a perfectly signed certificate. Such signed certificates
look quite ideal as inputs for generating PKCS12 formatted files.

Yours truly,
Philippe Vouters (Fontainebleau/France)
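The mini-CA workflow behind the commands discussed in comments 2 and 3, as an added example (this is not code from the bug report, from Fedora or from the OpenSSL project). `openssl ca` signs certificate requests: `-cert` names the CA's own certificate and is never an input to be signed, and with `-selfsign` the request passed with `-in` is signed by the `-keyfile` key, so no CA certificate is needed at all; without a request there is nothing for `openssl ca` to sign. The script builds the scratch CA directory that `openssl ca` requires, issues a self-signed certificate, checks it, and then exports key and certificate to PKCS#12 the way comment 3 does, reading the bundle back to confirm the round trip. It assumes `openssl` (1.0.x or newer) and `mktemp` are on PATH; every file name, the subject DN and the export password are made-up example values.

```shell
#!/bin/sh
# Added example, not from the bug report or from Fedora/OpenSSL: a minimal
# `openssl ca -selfsign` run followed by a PKCS#12 export, in a scratch dir.
# Assumes `openssl` (1.0.x or newer) and `mktemp` on PATH. Every file name,
# the subject DN and the export password are made-up example values.

demo_selfsign_ca() (
    set -eu
    work=$(mktemp -d)
    cd "$work"

    # `openssl ca` is a mini-CA: it needs an index database, a serial counter,
    # a directory for issued certificates and a policy, all named in a config.
    mkdir newcerts
    : > index.txt
    echo 1000 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir             = .
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext

[ policy_any ]
commonName       = supplied
organizationName = optional

[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]
CN = vpn.example.test
O  = Example

[ server_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF

    # Key plus certificate *request*. `openssl ca` only ever signs requests;
    # `-cert` names the CA's own certificate and is not an input to be signed.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -config ca.cnf -key server.key -out server.csr

    # -selfsign: sign the request given with -in using the same key (-keyfile)
    # that signed the request, so no CA certificate is needed at all.
    openssl ca -batch -config ca.cnf -selfsign -notext \
        -in server.csr -keyfile server.key -out server.crt

    # Checks a practitioner wants: issuer equals subject (the "issuer="/
    # "subject=" prefixes are stripped) and the cert verifies against itself.
    [ "$(openssl x509 -in server.crt -noout -issuer | sed 's/^[a-z]*=//')" = \
      "$(openssl x509 -in server.crt -noout -subject | sed 's/^[a-z]*=//')" ]
    openssl verify -CAfile server.crt server.crt >/dev/null

    # Bundle key and certificate for the VPN client; -passout/-passin supply
    # the value the report's interactive prompts ask for, so the run is
    # unattended. Reading the bundle back proves it contains the same cert.
    openssl pkcs12 -export -in server.crt -inkey server.key \
        -out server.p12 -passout pass:example
    openssl pkcs12 -in server.p12 -passin pass:example -nokeys -clcerts \
        -out roundtrip.crt
    [ "$(openssl x509 -in server.crt -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in roundtrip.crt -noout -fingerprint -sha256)" ]

    # Report where the artefacts live; non-zero exit means a check failed.
    printf '%s\n' "$work"
)
```

Run `demo_selfsign_ca` and it prints the scratch directory holding server.key, server.crt and server.p12; because the function body is a subshell with `set -e`, any failed openssl call or failed check aborts it with a non-zero status instead of silently leaving an empty output file.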
Comment 4 Michael J Gruber 2013-10-22 03:25:24 EDT
Philippe, would you mind double checking your openssl versions?

It should be 1.0.0k on F17 (not 1.0.1k).

F17 should not have a higher version than F18 (than F19...).

Differences between 1.0.0 and 1.0.1 are unfortunate but unavoidable. If the version ordering is OK I would suggest closing this bug as invalid (OP mixed up version numbers).
Comment 5 Philippe Vouters 2013-10-22 06:29:05 EDT
Last OpenSSL RPM for Fedora 17

http://rpm.pbone.net/index.php3/stat/4/idpl/20317808/dir/fedora_17/com/openssl-1.0.0k-1.fc17.i686.rpm.html

Last OpenSSL RPM for Fedora 19
http://rpm.pbone.net/index.php3/stat/4/idpl/20602625/dir/fedora_19/com/openssl-1.0.1e-4.fc19.i686.rpm.html

The OpenSSL RPMs installed on my computer now running Fedora 19 (keeps yum updated):

[philippe@victor ~]$ rpm -qa | grep openssl
xmlsec1-openssl-1.2.18-4.fc19.i686
openssl-libs-1.0.1e-28.fc19.i686
xmlsec1-openssl-devel-1.2.18-4.fc19.i686
openssl-1.0.1e-28.fc19.i686
openssl-devel-1.0.1e-28.fc19.i686
[philippe@victor ~]$ 

Yours truly,
Philippe
Comment 6 Philippe Vouters 2013-10-22 06:42:26 EDT
I messed up myself with the last OpenSSL digit on Fedora 17. At http://vouters.dyndns.org/tima/Linux-Shrew-VPN-Client-Setting_an_Intranet_VPN_with_Windows_Seven-Part_2.html I do document OpenSSL Version 1.0.0j for Fedora 17. Deeply sorry about this.

However, why has this command, which I document for OpenSSL Version 1.0.0j:
# openssl ca -selfsign -cert /etc/ipsec.d/certs/serverCert.pem \
-keyfile /etc/ipsec.d/private/serverKey.pem -keyform PEM \
-out /etc/ipsec.d/cacerts/serverCert.pem
become invalid under OpenSSL Version 1.0.1e (i.e.: /etc/ipsec.d/cacerts/serverCert.pem has become empty)?

Why does this now have to read:
# openssl ca -selfsign -in mycsReq.pem -keyfile mycs.prv -out mycsCACert.pem
?

Yours truly,
Philippe
Comment 7 Fedora End Of Life 2015-01-09 15:04:48 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
