[MacPorts] #29970: openssl: default CApath not honored for tools built against openssl

MacPorts noreply at macports.org
Wed Jun 29 13:33:23 PDT 2011


#29970: openssl: default CApath not honored for tools built against openssl
---------------------------------+------------------------------------------
 Reporter:  dj_mook@…            |       Owner:  mww@…           
     Type:  defect               |      Status:  new             
 Priority:  Normal               |   Milestone:                  
Component:  ports                |     Version:  1.9.2           
 Keywords:                       |        Port:  openssl         
---------------------------------+------------------------------------------
Changes (by macsforever2000@…):

  * owner:  macports-tickets@… => mww@…
  * port:  => openssl


Old description:

> If I install a certificate or certificate bundle to
> /opt/local/etc/openssl/certs and use c_rehash to generate the hashed
> symbolic link, openssl and tools linked against it (i.e. wget) do not use
> the certificate.
>
> The only way to get it to see the certificate is to append it to the
> cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in
> that file are honored.
>
> To test this I do the following:
> - rename /opt/local/etc/openssl/cert.pem so it is not interfering with
> the test.
> - install Google's cert chain (www.google.com, Thawte, VeriSign) to
> /opt/local/etc/openssl/certs/
> - run /opt/local/bin/c_rehash to install the hashed links to the certs
> - run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect
> www.google.com:443 and succeed
> - run wget -O - https://www.google.com and fail with:
> ERROR: cannot verify www.google.com’s certificate, issued by
> “/C=/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA”:
>   Unable to locally verify the issuer’s authority.
> - run lynx https://www.google.com and fail with:
> Making HTTPS connection to encrypted.google.com
> SSL callback:unable to get local issuer certificate, preverify_ok=0,
> ssl_okay=0
> Retrying connection without TLS.
> Looking up encrypted.google.com
> Making HTTPS connection to encrypted.google.com
> SSL callback:unable to get local issuer certificate, preverify_ok=0,
> ssl_okay=0
> Alert!: Unable to make secure connection to remote host.
>
> lynx: Can't access startfile https://www.google.com/
>
> - if the certificates are appended to /opt/local/etc/openssl/cert.pem
> then wget and lynx requests to https://www.google.com work
>
> This issue affects all tools built against openssl.

New description:

 If I install a certificate or certificate bundle to
 /opt/local/etc/openssl/certs and use c_rehash to generate the hashed
 symbolic link, openssl and tools linked against it (i.e. wget) do not use
 the certificate.

 The only way to get it to see the certificate is to append it to the
 cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in
 that file are honored.

 To test this I do the following:
  - rename /opt/local/etc/openssl/cert.pem so it is not interfering with
 the test.
  - install Google's cert chain (www.google.com, Thawte, VeriSign) to
 /opt/local/etc/openssl/certs/
  - run /opt/local/bin/c_rehash to install the hashed links to the certs
  - run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect
 www.google.com:443 and succeed
  - run wget -O - https://www.google.com and fail with:
 {{{
 ERROR: cannot verify www.google.com’s certificate, issued by “/C=/O=Thawte
 Consulting (Pty) Ltd./CN=Thawte SGC CA”:
   Unable to locally verify the issuer’s authority.
 }}}
  - run lynx https://www.google.com and fail with:
 {{{
 Making HTTPS connection to encrypted.google.com
 SSL callback:unable to get local issuer certificate, preverify_ok=0,
 ssl_okay=0
 Retrying connection without TLS.
 Looking up encrypted.google.com
 Making HTTPS connection to encrypted.google.com
 SSL callback:unable to get local issuer certificate, preverify_ok=0,
 ssl_okay=0
 Alert!: Unable to make secure connection to remote host.

 lynx: Can't access startfile https://www.google.com/
 }}}
  - if the certificates are appended to /opt/local/etc/openssl/cert.pem
 then wget and lynx requests to https://www.google.com work

 This issue affects all tools built against openssl.
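
 As an added diagnostic (not from the ticket, the MacPorts project, or OpenSSL itself), the script below shows the two checks a maintainer would run before concluding that a tool ignores CApath: where the local OpenSSL build actually looks for trust anchors by default (the compiled-in OPENSSLDIR paths and the SSL_CERT_FILE / SSL_CERT_DIR overrides), and whether a certs directory is actually usable by the hashed lookup, i.e. whether every certificate has the `<subject-hash>.<n>` link that c_rehash creates. Certificates dropped into the directory without such a link are invisible to the verifier, which is the symptom the description reports. The sample directory, its file names and the hash value 0a1b2c3d are constructed for the demonstration.

```python
"""Audit the CApath directory that OpenSSL-linked tools consult by default.

Added diagnostic, not part of the MacPorts ticket or its fix. Assumes
OpenSSL's usual conventions: the default CApath is <OPENSSLDIR>/certs
(see `openssl version -d`), overridable with SSL_CERT_DIR, and lookups in
that directory go through links named <subject-hash>.<n> created by
c_rehash. A certificate without such a link is never consulted.
"""
import os
import re
import ssl
import tempfile

# c_rehash naming: 8 hex digits of the subject hash, ".", a counter
# (CRLs use ".r<n>" instead of ".<n>").
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.r?\d+$")
CERT_FILE_RE = re.compile(r"\.(pem|crt|cer)$", re.IGNORECASE)


def default_verify_paths():
    """Report where this OpenSSL build looks for trust anchors by default.

    The 'effective_*' entries are None when the compiled-in path does not
    exist on this machine: tools that rely on
    SSL_CTX_set_default_verify_paths() then verify against an empty store.
    """
    p = ssl.get_default_verify_paths()
    return {
        "cafile_env": p.openssl_cafile_env,   # normally SSL_CERT_FILE
        "cafile": p.openssl_cafile,           # compiled-in cert.pem
        "capath_env": p.openssl_capath_env,   # normally SSL_CERT_DIR
        "capath": p.openssl_capath,           # compiled-in certs/ dir
        "effective_cafile": p.cafile,
        "effective_capath": p.capath,
    }


def audit_capath(capath):
    """Classify the contents of a CApath directory.

    Returns a dict with:
      linked   - certificate files reachable through a hash link
      unlinked - certificate files with no hash link (c_rehash not run,
                 or run before the file was added)
      dangling - hash links whose target no longer exists
    """
    names = sorted(os.listdir(capath))
    cert_files = {n for n in names if CERT_FILE_RE.search(n)}
    link_targets = set()
    dangling = []
    for n in names:
        if not HASH_LINK_RE.match(n) or not os.path.islink(os.path.join(capath, n)):
            continue
        path = os.path.join(capath, n)
        target = os.path.basename(os.readlink(path))
        if os.path.exists(path):          # follows the link; False when dangling
            link_targets.add(target)
        else:
            dangling.append(n)
    return {
        "linked": sorted(cert_files & link_targets),
        "unlinked": sorted(cert_files - link_targets),
        "dangling": dangling,
    }


def build_demo_capath():
    """Create a constructed certs/ directory showing all three states."""
    d = tempfile.mkdtemp(prefix="capath-demo-")
    for name in ("rehashed-ca.pem", "forgotten-ca.pem"):
        with open(os.path.join(d, name), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                    "-----END CERTIFICATE-----\n")
    # 0a1b2c3d is a made-up subject hash, not a real one.
    os.symlink("rehashed-ca.pem", os.path.join(d, "0a1b2c3d.0"))
    # Link left behind after its certificate was deleted.
    os.symlink("removed-ca.pem", os.path.join(d, "deadbeef.0"))
    return d


if __name__ == "__main__":
    for k, v in default_verify_paths().items():
        print(f"{k:>17}: {v}")
    demo = build_demo_capath()
    print("demo audit:", audit_capath(demo))
    paths = default_verify_paths()
    if paths["effective_capath"]:
        print("system audit:", audit_capath(paths["effective_capath"]))
```

 Run it with `SSL_CERT_DIR=/opt/local/etc/openssl/certs python3 audit_capath.py` to see whether the override is picked up, and compare `effective_capath` with the directory you populated; a certificate listed under `unlinked` needs another c_rehash run before any tool that uses the default verify paths will see it.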

--

Comment:

 I fixed it for you. In the future, look at WikiFormatting and use the
 Preview button. Also fill in the Port: field and Cc the maintainer as per
 the [http://guide.macports.org/#project.tickets Ticket Guidelines].

-- 
Ticket URL: <https://trac.macports.org/ticket/29970#comment:2>
MacPorts <http://www.macports.org/>
Ports system for Mac OS