[MacPorts] #29970: openssl: default CApath not honored for tools built against openssl
MacPorts
noreply at macports.org
Wed Jun 29 11:38:41 PDT 2011
#29970: openssl: default CApath not honored for tools built against openssl
---------------------------------+------------------------------------------
Reporter: dj_mook@… | Owner: macports-tickets@…
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 1.9.2
Keywords: | Port:
---------------------------------+------------------------------------------
If I install a certificate or certificate bundle to
/opt/local/etc/openssl/certs and use c_rehash to generate the hashed
symbolic link, openssl and tools linked against it (i.e. wget) do not use
the certificate.
The only way to get it to see the certificate is to append it to the
cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in
that file are honored.
To test this I do the following:
- rename /opt/local/etc/openssl/cert.pem so it is not interfering with the
test.
- install google's cert chain (www.google.com, Thawte, Verisign) to
/opt/local/etc/openssl/certs/
- run /opt/local/bin/c_rehash to install the hashed links to the certs
- run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect
www.google.com:443 and succeed
- run wget -O - https://www.google.com and fail with:
ERROR: cannot verify www.google.com’s certificate, issued by “/C=/O=Thawte
Consulting (Pty) Ltd./CN=Thawte SGC CA”:
Unable to locally verify the issuer’s authority.
- run lynx https://www.google.com and fail with:
Making HTTPS connection to encrypted.google.com
SSL callback:unable to get local issuer certificate, preverify_ok=0,
ssl_okay=0
Retrying connection without TLS.
Looking up encrypted.google.com
Making HTTPS connection to encrypted.google.com
SSL callback:unable to get local issuer certificate, preverify_ok=0,
ssl_okay=0
Alert!: Unable to make secure connection to remote host.
lynx: Can't access startfile https://www.google.com/
- if the certificates are appended to /opt/local/etc/openssl/cert.pem then
wget and lynx requests to https://www.google.com work
This issue affects all tools built against openssl.
--
Ticket URL: <https://trac.macports.org/ticket/29970>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
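An added diagnostic, not part of the ticket or of MacPorts: it asks the linked OpenSSL which default CAfile and CApath it was compiled with, whether the SSL_CERT_FILE/SSL_CERT_DIR environment variables override them, and how many c_rehash-style entries the CApath actually holds. The CApath audit treats a directory without `<hash>.N` links as unusable for by-directory lookup, which is the symptom the ticket describes for certificates dropped into certs/ without rehashing.

```python
"""Audit the default OpenSSL trust-store locations seen by this interpreter's OpenSSL."""
import os
import re
import ssl

# c_rehash names entries <subject_hash>.<n> for certificates and <hash>.r<n> for CRLs.
HASHED_ENTRY = re.compile(r"^[0-9a-f]{8}\.r?\d+$")


def is_hashed_entry(name: str) -> bool:
    """True if a file name follows the c_rehash naming convention."""
    return HASHED_ENTRY.match(name) is not None


def audit_capath(capath: str) -> dict:
    """Count c_rehash-style entries in a CApath directory.

    OpenSSL's by-directory lookup only tries <subject_hash>.N names, so a PEM
    file placed in the directory without its hashed link is never consulted.
    A missing directory is reported as exists=False with zero entries.
    """
    if not os.path.isdir(capath):
        return {"path": capath, "exists": False, "hashed": 0, "unhashed": 0}
    names = os.listdir(capath)
    hashed = sum(1 for n in names if is_hashed_entry(n))
    return {"path": capath, "exists": True, "hashed": hashed, "unhashed": len(names) - hashed}


def default_trust_report() -> dict:
    """Report the compiled-in CAfile/CApath and any environment overrides."""
    paths = ssl.get_default_verify_paths()
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "cafile": paths.openssl_cafile,
        "cafile_exists": os.path.isfile(paths.openssl_cafile),
        "cafile_env": (paths.openssl_cafile_env, os.environ.get(paths.openssl_cafile_env)),
        "capath": audit_capath(paths.openssl_capath),
        "capath_env": (paths.openssl_capath_env, os.environ.get(paths.openssl_capath_env)),
    }


if __name__ == "__main__":
    for key, value in default_trust_report().items():
        print(f"{key}: {value}")
```

Run it once with the stock environment and once with SSL_CERT_DIR pointing at the rehashed directory; if only the second run makes a verifying tool succeed, the tool is honoring the environment override rather than the compiled-in CApath.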