[Pkg-openssl-devel] Bug#210757: Fixed in OpenSSL > 1.0.0?
David Maus
dmaus at ictsoc.de
Sun Apr 17 10:16:15 UTC 2011
Hi,
Not sure but this problem might have been fixed in OpenSSL 1.0.0.
The CHANGES file of OpenSSL reads:
*) Overhaul of by_dir code. Add support for dynamic loading of CRLs so
new CRLs added to a directory can be used. New command line option
-verify_return_error to s_client and s_server. This causes real errors
to be returned by the verify callback instead of carrying on no matter
what. This reflects the way a "real world" verify callback would behave.
[Steve Henson]
After openssl was updated from 0.9.8 to 1.0.0d on Debian Testing a
connection to a server with -verify 0 fails:
dmaus at x60s ~/downloads/openssl-1.0.0d % openssl s_client -host imap.gmail.com -port 993 -verify 0
verify depth is 0
CONNECTED(00000004)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
3075614872:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1059:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 1659 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID: 2FA72DF43480C0FA6915471620298C1B1F669D3B4542A985EDF9137C9FF95234
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1303035213
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
1 dmaus at x60s ~/downloads/openssl-1.0.0d %
The -verify_return_error argument is not documented in the man-page
(or the help output) and I haven't found a way to turn it off.
Best,
-- David
--
OpenPGP... 0x99ADB83B5A4478E6
Jabber.... dmjena at jabber.org
Email..... dmaus at ictsoc.de
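
In the session quoted in this message, the verify callback reports error 20 and the handshake is aborted, yet the summary still reads "Verify return code: 0 (ok)". The following is an added example, not part of the original message or of OpenSSL: it classifies an s_client transcript from all of those lines rather than from the summary alone. The function name `assess` and the keys of the result dictionary are illustrative assumptions.

```python
import re

# Constructed sample: the s_client session quoted in the message, abridged.
SAMPLE = """\
verify depth is 0
CONNECTED(00000004)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
3075614872:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1059:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
    Verify return code: 0 (ok)
---
"""

VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.+)$")
SUMMARY = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*)\)\s*$")
LIB_ERR = re.compile(r"^\d+:error:[0-9A-Fa-f]+:.*certificate verify failed")
CIPHER = re.compile(r"Cipher is (\S+)")


def assess(transcript):
    """Classify an s_client transcript without relying on the summary line alone."""
    callback_errors, summary_code = [], None
    aborted, cipher = False, None
    for line in transcript.splitlines():
        if m := VERIFY_ERR.match(line):
            # Error reported by the verify callback (number, reason text).
            callback_errors.append((int(m.group(1)), m.group(2).strip()))
        elif m := SUMMARY.match(line):
            summary_code = int(m.group(1))
        elif LIB_ERR.match(line):
            # Error-queue line: the handshake was aborted on verification.
            aborted = True
        elif m := CIPHER.search(line):
            cipher = m.group(1)
    negotiated = cipher is not None and cipher != "(NONE)"
    return {
        "callback_errors": callback_errors,
        "summary_code": summary_code,
        "handshake_aborted": aborted,
        "trusted": summary_code == 0 and not callback_errors
                   and not aborted and negotiated,
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```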