[Pkg-openssl-devel] Bug#623284: openssl: CApath option does not find certificates for verification
Michiel de Boer
ltown2 at web.de
Tue Apr 19 00:54:47 UTC 2011
Package: openssl
Version: 1.0.0d-2
Severity: normal
Tags: d-i
When connecting with openssl to, for example, the Freenode irc network, with the following command:
openssl s_client -CApath /etc/ssl/certs/ -connect chat.freenode.net:7000
Verification of the certificate fails. However, a command such as:
openssl s_client -CAfile <( find /etc/ssl/certs/ -name '*.crt' -exec cat {} + ) -connect chat.freenode.net:7000
....*does* succeed. Inspection of openssl with strace reveals:
stat64("/usr/share/ca-certificates//b13cc6df.0", 0xbfc8badc) = -1 ENOENT (No such file or directory)
The two consecutive slashes indicate an empty variable might be the cause, and openssl
does not properly recurse through the certificate directories with the -CApath option.
openssl then gives up with:
Verify return code: 20 (unable to get local issuer certificate)
This error affects an irc client like irssi as well, and a bug was filed against irssi, which should
have been filed against openssl. Will notify irssi devs that this report was filed.
Previous versions of Debian's openssl (0.9.8) were said not to exhibit the bug.
One other irssi user on a non-Debian system (Gentoo) reported they *could* connect correctly using
openssl-1.0.0d.
The command using the -CAfile option above is an effective workaround.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.38-3.slh.2-aptosid-686 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libssl1.0.0 1.0.0d-2 SSL shared libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20090814+nmu3 Common CA certificates
-- no debconf information
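An added diagnostic, not part of this report, for the -CApath failure described above: OpenSSL does not read every file in the directory but stat()s <subject_hash>.N names (the b13cc6df.0 in the strace), so the directory only works when each CA has such a link and each link resolves. It assumes the openssl binary is on PATH and CA files named *.pem or *.crt inside the directory; note that OpenSSL 1.0.0 changed the subject-hash algorithm, so links generated by 0.9.8's c_rehash have to be regenerated.

```shell
#!/bin/sh
# Added diagnostic for a -CApath directory (not from the bug report).
# OpenSSL resolves the issuer by stat()ing <subject_hash>.N in the directory
# (the "b13cc6df.0" seen in the strace), so a directory is usable only if
# every CA has such a link and every link resolves to a readable file.
# Assumes: openssl on PATH; CA files named *.pem or *.crt inside the directory.
# Note: OpenSSL 1.0.0 changed the subject hash (0.9.8 values are now
# -subject_hash_old), so links made by 0.9.8's c_rehash must be regenerated.

# capath_check DIR: exit 0 if every CA in DIR is reachable through a hash link
# and no hash link is dangling; prints each problem found.
capath_check() {
    dir=$1 rc=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) ||
            { echo "unparsable certificate: $cert"; rc=1; continue; }
        want=$(openssl x509 -noout -fingerprint -in "$cert")
        found=0 i=0
        # Walk hash.0, hash.1, ... exactly as the lookup does; -L catches a
        # dangling link (like the "//" path in the strace) that -e would skip.
        while [ -L "$dir/$hash.$i" ] || [ -e "$dir/$hash.$i" ]; do
            if [ -r "$dir/$hash.$i" ]; then
                got=$(openssl x509 -noout -fingerprint -in "$dir/$hash.$i")
                if [ "$got" = "$want" ]; then found=1; fi
            else
                echo "dangling link: $dir/$hash.$i"; rc=1
            fi
            i=$((i + 1))
        done
        [ "$found" -eq 1 ] || { echo "no hash link for $cert (need $hash.N)"; rc=1; }
    done
    return "$rc"
}

# capath_link DIR CERT: create the next free <hash>.N link for CERT, the way
# c_rehash does (relative target, so CERT must live inside DIR).
capath_link() {
    dir=$1 cert=$2
    hash=$(openssl x509 -noout -subject_hash -in "$cert") || return 1
    i=0
    while [ -L "$dir/$hash.$i" ] || [ -e "$dir/$hash.$i" ]; do i=$((i + 1)); done
    ln -s "$(basename "$cert")" "$dir/$hash.$i"
}
```

Run `capath_check /etc/ssl/certs` to see which CA would be missed by -CApath; the -CAfile workaround above bypasses the hash lookup entirely, which is why it succeeds.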