[MacPorts] #29970: openssl: default CApath not honored for tools built against openssl
MacPorts
noreply at macports.org
Wed Jun 29 13:33:23 PDT 2011
#29970: openssl: default CApath not honored for tools built against openssl
---------------------------------+------------------------------------------
Reporter: dj_mook@… | Owner: mww@…
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 1.9.2
Keywords: | Port: openssl
---------------------------------+------------------------------------------
Changes (by macsforever2000@…):
* owner: macports-tickets@… => mww@…
* port: => openssl
Old description:
> If I install a certificate or certificate bundle to
> /opt/local/etc/openssl/certs and use c_rehash to generate the hashed
> symbolic link, openssl and tools linked against it (i.e. wget) do not use
> the certificate.
>
> The only way to get it to see the certificate is to append it to the
> cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in
> that file are honored.
>
> To test this I do the following:
> - rename /opt/local/etc/openssl/cert.pem so it is not interfering with
> the test.
> - install Google's cert chain (www.google.com, Thawte, VeriSign) to
> /opt/local/etc/openssl/certs/
> - run /opt/local/bin/c_rehash to install the hashed links to the certs
> - run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect
> www.google.com:443 and succeed
> - run wget -O - https://www.google.com and fail with:
> ERROR: cannot verify www.google.com’s certificate, issued by
> “/C=/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA”:
> Unable to locally verify the issuer’s authority.
> - run lynx https://www.google.com and fail with:
> Making HTTPS connection to encrypted.google.com
> SSL callback:unable to get local issuer certificate, preverify_ok=0,
> ssl_okay=0
> Retrying connection without TLS.
> Looking up encrypted.google.com
> Making HTTPS connection to encrypted.google.com
> SSL callback:unable to get local issuer certificate, preverify_ok=0,
> ssl_okay=0
> Alert!: Unable to make secure connection to remote host.
>
> lynx: Can't access startfile https://www.google.com/
>
> - if the certificates are appended to /opt/local/etc/openssl/cert.pem
> then wget and lynx requests to https://www.google.com work
>
> This issue affects all tools built against openssl.
New description:
If I install a certificate or certificate bundle to
/opt/local/etc/openssl/certs and use c_rehash to generate the hashed
symbolic link, openssl and tools linked against it (i.e. wget) do not use
the certificate.
The only way to get it to see the certificate is to append it to the
cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in
that file are honored.
To test this I do the following:
- rename /opt/local/etc/openssl/cert.pem so it is not interfering with
the test.
- install Google's cert chain (www.google.com, Thawte, VeriSign) to
/opt/local/etc/openssl/certs/
- run /opt/local/bin/c_rehash to install the hashed links to the certs
- run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect
www.google.com:443 and succeed
- run wget -O - https://www.google.com and fail with:
{{{
ERROR: cannot verify www.google.com’s certificate, issued by “/C=/O=Thawte
Consulting (Pty) Ltd./CN=Thawte SGC CA”:
Unable to locally verify the issuer’s authority.
}}}
- run lynx https://www.google.com and fail with:
{{{
Making HTTPS connection to encrypted.google.com
SSL callback:unable to get local issuer certificate, preverify_ok=0,
ssl_okay=0
Retrying connection without TLS.
Looking up encrypted.google.com
Making HTTPS connection to encrypted.google.com
SSL callback:unable to get local issuer certificate, preverify_ok=0,
ssl_okay=0
Alert!: Unable to make secure connection to remote host.
lynx: Can't access startfile https://www.google.com/
}}}
- if the certificates are appended to /opt/local/etc/openssl/cert.pem
then wget and lynx requests to https://www.google.com work
This issue affects all tools built against openssl.
--
Comment:
I fixed it for you. In the future, look at WikiFormatting and use the
Preview button. Also fill in the Port: field and Cc the maintainer as per
the [http://guide.macports.org/#project.tickets Ticket Guidelines].
--
Ticket URL: <https://trac.macports.org/ticket/29970#comment:2>
MacPorts <http://www.macports.org/>
Ports system for Mac OS
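As an added example (not part of the ticket, of the MacPorts openssl port, or of the reporter's procedure), the POSIX shell script below reproduces the reporter's test offline: it prints the compiled-in OPENSSLDIR whose cert.pem and certs/ are the library's default CAfile and CApath (for the port in the ticket that is /opt/local/etc/openssl), installs a CA into a hash directory under the name c_rehash would generate, and then checks three lookups side by side: the directory passed explicitly with -CApath (the s_client case that succeeds), the library defaults alone (what wget and lynx are relying on), and the defaults with the SSL_CERT_DIR environment variable pointing at the hash directory. It assumes the openssl CLI is on PATH; the scratch directory, the "Example Test CA" and the leaf certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the MacPorts ticket: build a hashed CApath the way
# c_rehash does and check which lookup paths actually find the CA.
# Assumes the openssl CLI is on PATH; every certificate here is generated on
# the spot (constructed test data), nothing is downloaded.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, nothing to demonstrate" >&2; exit 0; }

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (hypothetical location)
CAPATH="$WORK/certs"              # stands in for /opt/local/etc/openssl/certs

# The library defaults are <OPENSSLDIR>/cert.pem (CAfile) and <OPENSSLDIR>/certs
# (CApath); for the MacPorts build in the ticket OPENSSLDIR is /opt/local/etc/openssl.
show_defaults() {
    dir=$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')
    echo "compiled-in CAfile: $dir/cert.pem"
    echo "compiled-in CApath: $dir/certs"
}

# Throwaway CA plus a leaf certificate signed by it (constructed test data).
make_chain() {
    mkdir -p "$CAPATH"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Install one CA under the name the hash-directory lookup expects:
# <subject_hash>.<n>. c_rehash creates symlinks; a copy is looked up identically.
# The counter n exists because different subjects can share one hash value.
rehash_one() {  # $1 = CA cert (PEM), $2 = hash directory
    h=$(openssl x509 -in "$1" -noout -subject_hash)
    n=0
    while [ -e "$2/$h.$n" ]; do n=$((n + 1)); done
    cp "$1" "$2/$h.$n"
    echo "$2/$h.$n"
}

# Leaf verifies when the directory is named explicitly (the ticket's s_client case).
verify_explicit() {
    openssl verify -CApath "$CAPATH" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Leaf checked against the library defaults only (what wget and lynx fall back to).
# Expected to fail here because our CA is not under the compiled-in paths.
verify_default() {
    openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

# SSL_CERT_DIR replaces the compiled-in CApath for any program that calls
# SSL_CTX_set_default_verify_paths(), so it can be exported for wget/lynx too.
verify_env_override() {
    SSL_CERT_DIR="$CAPATH" openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
}

main() {
    show_defaults
    make_chain
    echo "installed: $(rehash_one "$WORK/ca.pem" "$CAPATH")"
    if verify_explicit;     then echo "-CApath given:    verified"; else echo "-CApath given:    FAILED"; fi
    if verify_default;      then echo "library defaults: verified"; else echo "library defaults: not verified (CA not in default paths)"; fi
    if verify_env_override; then echo "SSL_CERT_DIR set: verified"; else echo "SSL_CERT_DIR set: FAILED"; fi
}
main
```

The third check is the practical workaround while the port's defaults are sorted out: exporting SSL_CERT_DIR (or SSL_CERT_FILE for a bundle) in the environment of wget or lynx redirects the default lookup without touching cert.pem, and wget additionally accepts the directory directly via its --ca-directory option. The defaults only matter for programs that ask the library for them; a tool that hard-codes its own CAfile will not consult the hash directory under any name.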