Bug 450987 - should /etc/pki/tls/certs/ca-bundle.crt not be the default one used?
Summary: should /etc/pki/tls/certs/ca-bundle.crt not be the default one used?
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: openssl
Version: 5.2
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Depends On: 418771
TreeView+ depends on / blocked
Reported: 2008-06-12 04:00 UTC by Fabio Olive Leite
Modified: 2018-10-20 02:51 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-01-20 21:48:10 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0181 0 normal SHIPPED_LIVE openssl bug fix update 2009-01-20 16:05:48 UTC

Description Fabio Olive Leite 2008-06-12 04:00:26 UTC
Cloned for RHEL-5 to attach to an Issue Tracker ticket.

+++ This bug was initially created as a clone of Bug #418771 +++

Description of problem:
it seems that when I use "openssl s_client -connect ..." I need to explicitly
specify "-CAfile /etc/pki/tls/certs/ca-bundle.crt"

I was expecting that one to be used by default, but maybe my expectations are
just wrong

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. use claws-mail
2. get a new certificate from your email server
3. be completely paranoid that a cert that claims to be signed by verisign 
verification with "unable to get local issuer certificate"
4. debug
Actual results:
it turns out that
  openssl s_client -connect mail.kolumbus.fi:993
will fail with the error above, while
  openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect
tells me "Verify return code: 0 (ok)"

Expected results:
I would expect not to have to manually specify the system-wide default
ca-bundle, and it seems claws-email has the same expectations.

Additional info:

-- Additional comment from tmraz@redhat.com on 2007-12-12 14:09 EST --
The openssl s_client case is a bug in openssl - note that openssl s_client
-CApath whatevernonexistent -connect .... will work fine.

But I have looked at the claws-mail sources and this bug doesn't apply there 
it apparently does some certificate chain verification on its own so this bug
should be cloned for claws-mail if you want to have it fixed there too.

-- Additional comment from tmraz@redhat.com on 2007-12-13 12:21 EST --
s_client/s_server will be fixed now. But claws-mail has to be fixed on its 

-- Additional comment from pcfe@redhat.com on 2008-05-16 11:26 EST --
confirm this is fixed in openssl-0.9.8g-6.fc9.i686

Comment 1 RHEL Program Management 2008-06-12 04:05:41 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 6 errata-xmlrpc 2009-01-20 21:48:10 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.