Bug 1476032 - Use Of /etc/pki/tls/cert.pem By OpenSSL Is Undocumented In Man Pages.
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openssl
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Tomas Mraz
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2017-07-27 17:54 EDT by Bernie Hoefer
Modified: 2018-03-28 08:55 EDT
CC List: 0 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
Output of "openssl s_client" commands demonstrating the problem. (2.89 KB, text/plain)
2017-07-27 17:55 EDT, Bernie Hoefer
Description Bernie Hoefer 2017-07-27 17:54:05 EDT
Description of problem:

According to the "man s_client" page, the use of the "-verify" option should enable server certificate verification.

I attempted to verify a server's certificate using a CAfile I knew was incorrect, fully expecting the verification to fail.  It did not!  I also attempted the same *without* specifying the "-CAfile" or "-CApath" options.  Again, the server's certificate verified successfully!

I wasted much time trying to figure out why my tests were always verifying the server's certificate successfully, despite what the man page stated.  I ultimately learned that openssl was silently using /etc/pki/tls/cert.pem as a CAfile.  This is not documented in the man pages for s_client, openssl or verify.

Version-Release number of selected component (if applicable):


How reproducible:

See attached text file.

Actual results:

Server's certificate verifies successfully.

Expected results:

Server's certificate should not verify.

Additional info:

The silent use of /etc/pki/tls/cert.pem as a CAfile prohibits one from using OpenSSL to test certificate chains.  Even though I was originally specifying my own CAfile in the "openssl s_client" command, it always verified the server's certificate no matter what -- even when I explicitly used a wrong certificate file in the "-CAfile" option!  That is unexpected and incorrect.

I'm guessing the silent use of the /etc/pki/tls/cert.pem file was done to make openssl more "user friendly".  I disagree with that, but if that feature is to remain, then the following should happen:

1.  It should be documented in the man pages!

2.  There should be a way to disable it from the command line.

3.  It should automatically be disabled if the user uses the "-CAfile" or "-CApath" options in his/her command.

Thank you.
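The fallback described in this report can be reproduced offline with locally generated certificates. The script below is an added example written for this page; it is not code from the bug report, from Red Hat or from the OpenSSL project. It uses "openssl verify" on a throwaway CA instead of "openssl s_client" against a live server (the CA names, the example.test host name and the verify_leaf helper are the example's own). It shows that a trust anchor sitting in OpenSSL's default certificate directory lets verification succeed even though "-CAfile" names an unrelated CA, and that the default locations can be taken out of the picture by pointing the SSL_CERT_FILE and SSL_CERT_DIR environment variables at a file and directory you control. That works on OpenSSL 1.0.x as shipped in RHEL 7, which predates the "-no-CAfile" and "-no-CApath" options added in OpenSSL 1.1.0.

```shell
#!/bin/sh
# Added example (not from the bug report): OpenSSL consults its compiled-in
# default trust locations in addition to an explicit -CAfile. We pin those
# locations with SSL_CERT_FILE / SSL_CERT_DIR so the outcome depends only on
# material generated here: a demo root CA, a leaf it signed, and an unrelated
# root CA that must NOT validate the leaf. All names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config so the demo does not depend on the host's openssl.cnf.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
# subject is supplied with -subj on the command line
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:example.test
EOF

# make_pki: ca.pem (the real issuer), leaf.pem (signed by it), wrong.pem (unrelated root)
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config openssl.cnf \
        -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -config openssl.cnf \
        -subj "/CN=example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -days 2 -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -extfile openssl.cnf -extensions v3_leaf -out leaf.pem >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config openssl.cnf \
        -subj "/CN=Unrelated Root CA" -keyout wrong.key -out wrong.pem >/dev/null 2>&1
}

# verify_leaf CAFILE CERTDIR: run "openssl verify -CAfile CAFILE leaf.pem" with the
# default CA file pinned to /dev/null and the default CA directory pinned to CERTDIR.
# Prints "ok" or "fail" from the exit status, so the caller can compare outcomes.
verify_leaf() {
    if SSL_CERT_FILE=/dev/null SSL_CERT_DIR="$2" \
        openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_pki
mkdir empty hashed
# "hashed" stands in for a system store such as /etc/pki/tls/certs: the
# default-directory lookup finds certificates by <subject_hash>.0 file names.
cp ca.pem "hashed/$(openssl x509 -noout -subject_hash -in ca.pem).0"

echo "right CA, empty default dir:       $(verify_leaf ca.pem    "$WORK/empty")"
echo "wrong CA, empty default dir:       $(verify_leaf wrong.pem "$WORK/empty")"
echo "wrong CA, real CA in default dir:  $(verify_leaf wrong.pem "$WORK/hashed")"
```

The third line is the reporter's situation: -CAfile names the wrong CA, yet the certificate verifies because the default directory supplied the real issuer. The same two environment variables steer SSL_CTX_set_default_verify_paths(), which s_client in OpenSSL 1.0.x calls unconditionally after loading -CAfile/-CApath, so exporting SSL_CERT_FILE=/dev/null and SSL_CERT_DIR pointing at an empty directory before an "openssl s_client -CAfile ..." run produces the failure the reporter expected. To see which file is the compiled-in default on a given build, run "openssl version -d": the default CA file is cert.pem under that directory, which is /etc/pki/tls/cert.pem on Red Hat systems.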
Comment 2 Bernie Hoefer 2017-07-27 17:55 EDT
Created attachment 1305663
Output of "openssl s_client" commands demonstrating the problem.
