Bug 208746 - ssl fails when using certificates with "trust" setting
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: openssl
Version: 5
Hardware/OS: All Linux
Priority: medium
Severity: low
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Reported: 2006-10-01 10:30 EDT by Dean Mander
Modified: 2015-02-16 06:43 EST
Doc Type: Bug Fix
Last Closed: 2006-10-12 08:52:01 EDT
Attachments:
patch proposition to fix bug 208746 (2.12 KB, patch), 2015-02-13 05:19 EST, Adrien RAFFIN-CABOISSE

Description Dean Mander 2006-10-01 10:30:58 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.7) Gecko/20060913 Fedora/1.5.0.7-1.fc5 Firefox/1.5.0.7 pango-text

Description of problem:
When using certificates with a "trust" setting, the daemon fails to start up with the following error in /var/log/maillog:

dovecot: child 32245 (login) returned error 89
dovecot: Login process died too early - shutting down
dovecot: imap-login: Can't load certificate file /etc/pki/dovecot/certs/dovecot.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line

The cause is that a certificate with a "trust" setting has a different first line in the file:
no trust setting: "-----BEGIN CERTIFICATE-----"
trust setting: "-----BEGIN TRUSTED CERTIFICATE-----"
(see man openssl x509)

dovecot doesn't seem to like trusted certificates.


Version-Release number of selected component (if applicable):


How reproducible:
Always


Steps to Reproduce:
1. create a certificate with openssl
2. add a trust setting ( openssl x509 -in server.pem -setalias "server certificate" -addtrust serverAuth -out server.pem )
3. setup dovecot to use this certificate

Actual Results:
no startup and error in /var/log/maillog

Expected Results:


Additional info:
workaround: remove the "TRUSTED" word from the start and end lines of your certificate
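As an added example that is not part of the bug report (and not dovecot's or OpenSSL's own code), the following POSIX shell script reproduces the two PEM forms from the steps above with the openssl command line tool, classifies a file by its first line, and applies the workaround from "Additional info" with `openssl x509` instead of hand-editing the file. It assumes only that the openssl CLI is on PATH; the file names and the certificate subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report, dovecot or OpenSSL): build the two
# PEM variants the report describes, tell them apart by their first line, and
# apply the reporter's workaround with openssl instead of a text editor.
# Assumes the openssl CLI is on PATH; every file is constructed in a temp dir.

# Print "trusted", "plain" or "other" for the first PEM block in file $1.
pem_kind() {
    first=$(grep '^-----BEGIN' "$1" | head -n 1)
    case "$first" in
        '-----BEGIN TRUSTED CERTIFICATE-----') echo trusted ;;
        '-----BEGIN CERTIFICATE-----')         echo plain ;;
        *)                                     echo other ;;
    esac
}

# Constructed sample data: a self-signed certificate ($1/plain.pem) and a copy
# with a serverAuth trust setting and an alias, as in step 2 of the report.
make_test_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=example.test \
        -keyout "$dir/key.pem" -out "$dir/plain.pem" 2>/dev/null || return 1
    # Modifying trust settings makes x509 emit a TRUSTED CERTIFICATE block.
    openssl x509 -in "$dir/plain.pem" -setalias "server certificate" \
        -addtrust serverAuth -out "$dir/trusted.pem" 2>/dev/null
}

# Workaround from the report, done with openssl: re-encode $1 into $2 without
# trust settings. Without -trustout, x509 writes an ordinary CERTIFICATE block
# and drops the alias and trust data; the certificate itself is unchanged, so
# its fingerprint stays the same.
strip_trust() {
    openssl x509 -in "$1" -out "$2" 2>/dev/null
}

# SHA-256 fingerprint of the certificate in $1, independent of the PEM wrapper.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# Stand-alone walk-through: run the script with the single argument "demo".
demo() {
    work=$(mktemp -d) || return 1
    make_test_certs "$work" || return 1
    printf '%s: %s\n' plain.pem   "$(pem_kind "$work/plain.pem")"
    printf '%s: %s\n' trusted.pem "$(pem_kind "$work/trusted.pem")"
    strip_trust "$work/trusted.pem" "$work/fixed.pem"
    printf '%s: %s\n' fixed.pem   "$(pem_kind "$work/fixed.pem")"
    cert_fingerprint "$work/plain.pem"
    cert_fingerprint "$work/fixed.pem"
    rm -rf "$work"
}

if [ "${1-}" = demo ]; then
    demo
fi
```

Running it with `demo` prints `plain`, `trusted`, `plain` for the three files and two identical fingerprints, which is the check to run after stripping trust settings: the wrapper changed, the certificate did not. `pem_kind` is also a cheap pre-flight test to put in front of a service that is known to load certificates with `PEM_read_bio_X509`.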
Comment 1 Petr Rockai 2006-10-11 12:39:46 EDT
Unless I am missing something, the responsible code path is this:
        if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
                i_fatal("Can't load certificate file %s: %s",
                        certfile, ssl_last_error());
        }

which indicates that it's openssl itself that has a problem reading the
certificate, not dovecot. I haven't found any indication that trusted certs should
be handled differently in client code in the openssl manpages, so I'm reassigning
to openssl. If I was wrong, please bounce this back and hint me on what I
should be doing. Thanks.
Comment 2 Tomas Mraz 2006-10-11 13:48:38 EDT
Can you attach such trusted certificate and the appropriate CA certificate to
this bug report?
Comment 3 Dean Mander 2006-10-11 14:34:15 EDT
Tomas,
of course (at least the public part ;-))

first the CA cert, then the user certificate.
When removing the "TRUSTED" word from the user certificate, dovecot works like a charm.

$ cat CA/cacert.pem
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

$ cat dovecot/dovecot.pem
-----BEGIN TRUSTED CERTIFICATE-----
[certificate body omitted]
-----END TRUSTED CERTIFICATE-----
Comment 4 Tomas Mraz 2006-10-12 08:52:01 EDT
SSL_CTX_use_certificate_chain_file() calls PEM_read_bio_X509() which doesn't
allow reading trusted certificates. The 'openssl s_server' utility doesn't use
this function and calls PEM_read_bio_X509_AUX() directly. I don't know whether
the SSL_CTX_use_certificate_chain_file() is obsolete or not. 

Reported as enhancement request on upstream OpenSSL Request tracker (#1411).
Comment 5 Adrien RAFFIN-CABOISSE 2015-02-13 05:19:37 EST
Created attachment 991290 [details]
patch proposition to fix bug 208746
Comment 6 Adrien RAFFIN-CABOISSE 2015-02-13 05:22:59 EST
I know that this bug has been closed, and for good reason, but using the PEM_read_bio_X509_AUX() function allows fixing the bug and validating the trust chain.

So it's an improvement in functionality, since PEM_read_bio_X509() is ignoring the trusted part, right?
Comment 7 Tomas Mraz 2015-02-16 06:43:38 EST
I would suggest opening a new bug (RFE) against dovecot.