Bug 216050 - OpenSSL 0.9.8b: "openssl verify -CApath ..." fails
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: openssl
Version: 6
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Reported: 2006-11-16 18:28 EST by Keith Thompson
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-12-04 03:01:03 EST

Attachments
verification-test shell script (3.54 KB, text/plain), 2006-11-16 18:28 EST, Keith Thompson
Self-signed cert that fails to verify (830 bytes, text/plain), 2006-11-30 14:49 EST, Sushma

Description Keith Thompson 2006-11-16 18:28:01 EST
Description of problem:
With a particular pair of certificates (included in the attached test
script), "openssl verify" with the "-CApath" option does not work, but
"openssl verify" with the "-CAfile" option does work.

The currently installed version of OpenSSL is 0.9.8b.  A separate installation
of that same version of OpenSSL, compiled from source, does not exhibit the
problem.  The same and other versions of OpenSSL on other systems (Linux,
Solaris, AIX) also do not exhibit the problem.

Version-Release number of selected component (if applicable):
openssl-0.9.8b-8

How reproducible:
Execute the attached shell script.

Steps to Reproduce:
1. ./verification-test
  
Actual results:
% mkdir /tmp/verification-test-18792
% type openssl
openssl is /usr/bin/openssl
% openssl version
OpenSSL 0.9.8b 04 May 2006
% openssl verify -CAfile /tmp/verification-test-18792/d1b603c3.0 /tmp/verification-test-18792/1c3f2ca8.0
/tmp/verification-test-18792/1c3f2ca8.0: OK
% openssl verify -CApath /tmp/verification-test-18792 /tmp/verification-test-18792/1c3f2ca8.0
/tmp/verification-test-18792/1c3f2ca8.0: /DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
error 20 at 0 depth lookup:unable to get local issuer certificate
% rm -rf /tmp/verification-test-18792

(The directory name will vary from one run to another.)

Expected results:
% mkdir /tmp/verification-test-18792
% type openssl
openssl is /home/kst/local/apps/openssl-0.9.8b/bin/openssl
% openssl version
OpenSSL 0.9.8b 04 May 2006
% openssl verify -CAfile /tmp/verification-test-18792/d1b603c3.0 /tmp/verification-test-18792/1c3f2ca8.0
/tmp/verification-test-18792/1c3f2ca8.0: OK
% openssl verify -CApath /tmp/verification-test-18792 /tmp/verification-test-18792/1c3f2ca8.0
/tmp/verification-test-18792/1c3f2ca8.0: OK
% rm -rf /tmp/verification-test-18792


Additional info:
Comment 1 Keith Thompson 2006-11-16 18:28:01 EST
Created attachment 141426
verification-test shell script
Comment 2 Fedora Update System 2006-11-27 10:46:20 EST
openssl-0.9.8b-8.0.1.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 3 Sushma 2006-11-30 12:54:36 EST
A similar error is seen while running the make tests during the OpenSSL source build:

To reproduce: 

cd to <openssl source dir>

[openssl-0.9.8b]# apps/openssl verify -CApath certs -verbose certs/vsign1.pem certs/vsign1.pem

Expected result:
[openssl-0.9.8b]# apps/openssl verify -CApath certs -verbose certs/vsign1.pem certs/vsign1.pem
certs/vsign1.pem: OK

Actual result:
[openssl-0.9.8b]# apps/openssl verify -CApath certs -verbose certs/vsign1.pem certs/vsign1.pem
: /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
error 18 at 0 depth lookup:self signed certificate
OK

This problem is not seen on the same version built from openssl.org source.
Comment 4 Tomas Mraz 2006-11-30 13:03:30 EST
Which exact openssl package release are you testing with?
Comment 5 Sushma 2006-11-30 13:14:21 EST
I'm testing with the openssl-0.9.8b-8.0.1.fc6 package mentioned in comment #2:

[root@abruzzo openssl-0.9.8b]# openssl version -a
OpenSSL 0.9.8b 04 May 2006
built on: Tue Nov 28 01:37:59 PST 2006
platform: linux-ia64
options:  bn(64,64) md2(int) rc4(ptr,int) des(idx,cisc,4,long) blowfish(idx) 
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -I/usr/kerberos/include -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -Wa,--noexecstack -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  dynamic 
Comment 6 Tomas Mraz 2006-11-30 14:00:14 EST
Note that the failure in this case is different and non-fatal as it returns OK.
The reason why it fails on install and rpm rebuild and not when the upstream
source is being rebuilt is that the ca-bundle.crt is consulted in the rpm
rebuild. The same thing affected the original report however the bug is
different in this case.
Comment 7 Sushma 2006-11-30 14:49:26 EST
Created attachment 142512
Self-signed cert that fails to verify
Comment 8 Sushma 2006-11-30 14:51:19 EST
Thanks. We have a particular set of self-signed certificates that fail to verify with the RedHat OpenSSL package 0.9.8b. The same certificates verified successfully on RedHat systems with older versions of OpenSSL such as 9.7.a and also work fine with source from openssl. I've attached a copy of a self-signed certificate.

I could open a separate bug for this issue.

To reproduce:

Copy the self-signed cert to certs dir

apps/openssl verify -CApath certs certs/168d7fa3.0 certs/168d7fa3.0

Expected result:
certs/168d7fa3.0: OK

Actual result:
: /C=US/ST=CA/L=SF/O=OG/OU=OP/CN=SCERT_IN_TS_INVALID_USER
error 18 at 0 depth lookup:self signed certificate
OK

Within our application we see a similar behavior while performing certificate 
based authentication. We see that the first time certain certificates are 
presented they fail to authenticate even though they are present in the 
truststore with the same error as above (error 18). On subsequent attempts 
those certificates authenticate successfully.
Comment 9 Tomas Mraz 2006-11-30 15:13:53 EST
The behaviour in comment #3 is caused by the following, and it is not a bug
but rather a feature of openssl: it finds a certificate with the same
subject/issuer in the shipped ca-bundle.crt. But the certificate is actually not
the same as the vsign1.pem certificate (the serial number is different). Thus it
will print the error, which means that the self-signed certificate is not a
trusted one. The problem is that it should consult the CApath directory when this
test fails with the ca-bundle.crt.

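The reporter's script and comment 9 together describe two lookups worth being able to reproduce on demand: the issuer lookup that -CApath performs by hashed file name, and the case where the directory holds a different self-signed certificate with the same subject. The script below is an added example, not the attached verification-test script and not part of the Fedora package. It assumes openssl(1) 1.1.0 or later (for -no-CAfile/-no-CApath and a non-zero exit status on verification failure); the CA, leaf, subject names, config file and paths are all constructed for the example. Note that 0.9.8 derived the file name from an MD5-based subject hash, while current releases use a SHA-1-based one (the old value is still printed by -subject_hash_old), so a directory prepared for one release cannot be read by the other without re-linking.

```shell
#!/bin/sh
# Added example, not the reporter's verification-test script: build a
# hash-named -CApath directory from scratch, check that -CAfile and -CApath
# agree, and reproduce the "same subject, different certificate" case from
# comment 9.  Assumes openssl(1) >= 1.1.0.
set -e

# Minimal config so the example does not depend on the system openssl.cnf.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
EOF
}

# Constructed throwaway PKI: a self-signed CA, one leaf it signed, and a
# CApath directory holding the CA under its subject-hash file name.
make_pki() {
    dir=$1
    mkdir -p "$dir/capath"
    write_config "$dir"
    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=leaf.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
    # -CApath finds issuers by file name only: <subject hash>.<n>, which is
    # what names such as d1b603c3.0 in the report are.
    hash=$(openssl x509 -noout -subject_hash -in "$dir/ca.pem")
    ln -s ../ca.pem "$dir/capath/$hash.0"
}

# The two lookups the report compares.  -no-CApath / -no-CAfile keep the
# system bundle out of the picture; comment 6 notes that the failing rpm
# build did consult ca-bundle.crt.
verify_with_file() {
    openssl verify -no-CApath -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}
verify_with_path() {
    openssl verify -no-CAfile -CApath "$1/capath" "$1/leaf.pem" >/dev/null 2>&1
}

# Comment 9's case: the directory holds a *different* self-signed certificate
# with the same subject (same hash file name, different key and serial).  The
# original CA must not be accepted on the strength of the name match alone;
# expect "self signed certificate" (error 18) and a non-zero exit status.
verify_against_twin() {
    dir=$1
    mkdir -p "$dir/twin"
    openssl req -config "$dir/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$dir/twin.key" -out "$dir/twin.pem" 2>/dev/null
    hash=$(openssl x509 -noout -subject_hash -in "$dir/twin.pem")
    ln -s ../twin.pem "$dir/twin/$hash.0"
    openssl verify -no-CAfile -CApath "$dir/twin" "$dir/ca.pem" >/dev/null 2>&1
}

run_demo() {
    work=$(mktemp -d)
    make_pki "$work"
    if verify_with_file "$work"; then echo "-CAfile : OK"; else echo "-CAfile : FAILED"; fi
    if verify_with_path "$work"; then echo "-CApath : OK"; else echo "-CApath : FAILED"; fi
    if verify_against_twin "$work"; then echo "twin dir: accepted (wrong)"; else echo "twin dir: rejected (expected)"; fi
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then run_demo; else echo "openssl not found" >&2; fi
```

Run it with sh; it prints one line per lookup. In the twin case OpenSSL rejects the name-only match because the object in the directory is not the same certificate, which is the behaviour comment 9 describes for vsign1.pem against ca-bundle.crt; comment 9's point is that the lookup should then go on to consult the CApath directory rather than stop there.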
Comment 10 Tomas Mraz 2006-11-30 17:46:52 EST
The problem with your certificate is different. It turned out that my previous
fix for the bug was not quite right and I had to remake it. The problem is the
X509_NAME_cmp() function is not transitive in openssl-0.9.8b.
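Comment 10 attributes the failure to X509_NAME_cmp() not being transitive in 0.9.8b. The following is an added model of why that matters; it is not OpenSSL code and does not reproduce the actual 0.9.8b comparator. OpenSSL's X509_STORE keeps its objects in a stack sorted by X509_NAME_cmp() and retrieves a subject with a binary search (sk_find), so a comparator that is not a consistent total order can make the search walk past a certificate that is in the store. cmp_nontransitive(), cmp_canonical(), the store contents and the subject names are all constructed for the illustration.

```python
"""Why a non-transitive name comparator makes a sorted certificate store
lose certificates it actually holds.

Constructed model, not OpenSSL code.  cmp_nontransitive() is a hypothetical
comparator that breaks the total-order rule; it is not the 0.9.8b defect,
only an illustration of the failure class.
"""
from functools import cmp_to_key


def cmp_nontransitive(x, y):
    """Hypothetical: names are equal if they match case-insensitively,
    otherwise they are ordered by raw bytes.  Not transitive: by bytes
    'CN=Bob CA' < 'CN=alice CA' < 'CN=bob CA', yet 'CN=Bob CA' == 'CN=bob CA'."""
    if x.lower() == y.lower():
        return 0
    return (x > y) - (x < y)


def cmp_canonical(x, y):
    """Consistent: ordering and equality both use one canonical form."""
    cx, cy = x.lower(), y.lower()
    return (cx > cy) - (cx < cy)


def adjacent_pairs_ordered(names, cmp):
    """True if every neighbouring pair is in order under cmp.  With a
    non-transitive cmp this does not imply a usable global order."""
    return all(cmp(a, b) <= 0 for a, b in zip(names, names[1:]))


def bsearch(names, key, cmp):
    """Binary search over a sorted stack, the way sk_find() locates an entry."""
    lo, hi = 0, len(names)
    while lo < hi:
        mid = (lo + hi) // 2
        c = cmp(key, names[mid])
        if c == 0:
            return names[mid]
        if c < 0:
            hi = mid
        else:
            lo = mid + 1
    return None


def linear_find(names, key, cmp):
    """Exhaustive scan: the reference answer the binary search must agree with."""
    for n in names:
        if cmp(key, n) == 0:
            return n
    return None


# Constructed store contents, in the order the non-transitive comparator
# considers sorted (every adjacent pair is in order).
STORE = ["CN=Bob CA", "CN=alice CA", "CN=carol CA"]


def lookup_results(key="CN=bob CA"):
    """Look up an issuer name that is in the store (modulo case), three ways."""
    assert adjacent_pairs_ordered(STORE, cmp_nontransitive)
    missed = bsearch(STORE, key, cmp_nontransitive)       # None: search steps past "CN=Bob CA"
    present = linear_find(STORE, key, cmp_nontransitive)  # "CN=Bob CA": it was there all along
    fixed_store = sorted(STORE, key=cmp_to_key(cmp_canonical))
    found = bsearch(fixed_store, key, cmp_canonical)      # "CN=Bob CA"
    return missed, present, found


if __name__ == "__main__":
    missed, present, found = lookup_results()
    print("binary search, non-transitive cmp:", missed)
    print("linear scan, same cmp:            ", present)
    print("binary search, canonical cmp:     ", found)
```

The practical check when a store sometimes fails to find a certificate it demonstrably holds is to compare a linear scan against the binary search for the same key, as lookup_results() does: if they disagree, the comparator rather than the store contents is the bug. Making equality and ordering use the same canonical form, as cmp_canonical() does, restores transitivity.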
Comment 11 Sushma 2006-12-01 00:39:38 EST
Is the fix to my problem being tracked by Bug# 217969?
Comment 12 Tomas Mraz 2006-12-01 02:40:18 EST
Your problem is exactly what this bug is about. The bug #217969 tracks the same
problem for RHEL5.
Comment 13 Fedora Update System 2006-12-01 11:56:34 EST
openssl-0.9.8b-8.3.fc6 has been pushed for fc6, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 14 Sushma 2006-12-02 00:08:49 EST
It worked, thanks!
