[Pkg-openssl-devel] Package using openssl functions does not find default certificates

Jan Dittberner jandd at debian.org
Mon Jan 4 22:50:10 UTC 2016


reassign 805646 openssl
thanks

Dear openssl maintainers,

Daniel Pocock filed this bug for the package nagios-check-xmppng that I
maintain.

After some analysis I found out that the paths returned from the Python
interpreter don't match the default Debian certificate paths (/etc/ssl/certs
and /etc/ssl/certs/ca-certificates.crt) where the ca-certificates package
installs the default trusted certificates.

I had a discussion in #debian-python whether this is an issue with the
Python interpreter but the Python maintainer Matthias Klose told me that
Python just uses openssl internal functions [1], [2] only and does no magic
path calculation or certificate loading by itself.

[1] https://hg.python.org/cpython/file/v3.5.0/Modules/_ssl.c#l3197
[2] https://hg.python.org/cpython/file/v3.5.0/Modules/_ssl.c#l3950

According to my tests documented earlier in this bug report the returned
paths are /usr/lib/ssl/certs and /usr/lib/ssl/cert.pem. The first exists and
is a directory but the second does not exist.

I expected that given the correct /usr/lib/ssl/certs path the function
SSL_CTX_set_default_verify_paths should successfully load the default
trusted certificates but it does not.

One more test today revealed that symlinking
/etc/ssl/certs/ca-certificates.crt to /usr/lib/ssl/cert.pem fixes the issue:

 >>> import ssl
 >>> context = ssl.create_default_context()
 >>> context.load_default_certs()
 >>> context.cert_store_stats()
 {'crl': 0, 'x509_ca': 177, 'x509': 177}

I don't know whether this will have negative side effects but from my point
of view it would be nice if the openssl package would do one of the
following to properly solve this issue:

1) properly load certificates from /etc/ssl/certs when
   SSL_CTX_set_default_verify_paths is called

2) change the default paths to /etc/ssl/certs and
   /etc/ssl/certs/ca-certificates.crt instead of /usr/lib/ssl/certs and
   /usr/lib/ssl/cert.pem

3) provide a symlink from /usr/lib/ssl/cert.pem to
   /etc/ssl/certs/ca-certificates.crt


Best regards
Jan Dittberner

-- 
Jan Dittberner - Debian Developer
GPG-key: 4096R/558FB8DD 2009-05-10
         B2FF 1D95 CE8F 7A22 DF4C  F09B A73E 0055 558F B8DD
https://portfolio.debian.net/ - https://people.debian.org/~jandd/
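The following diagnostic is an added example, not code from the report or from Debian's openssl packaging. It checks which of the compile-time default verify paths exist and how many CA certificates a context actually loads, so the mismatch described in the mail can be spotted before a handshake fails; DEBIAN_CAFILE and DEBIAN_CAPATH are the ca-certificates locations named in the report, the function names are assumptions of this example.

```python
"""Diagnose why SSL_CTX_set_default_verify_paths() may load nothing."""
import os
import ssl

# Paths named in the bug report: where ca-certificates installs the bundle.
DEBIAN_CAFILE = "/etc/ssl/certs/ca-certificates.crt"
DEBIAN_CAPATH = "/etc/ssl/certs"


def inspect_paths(cafile, capath):
    """Return existence facts for a (cafile, capath) pair, e.g. the values
    from ssl.get_default_verify_paths() or the Debian locations above."""
    return {
        "cafile": cafile,
        "cafile_exists": bool(cafile) and os.path.isfile(cafile),
        # Fix 3) in the report: a symlink at cafile is sufficient for OpenSSL
        "cafile_is_symlink": bool(cafile) and os.path.islink(cafile),
        "capath": capath,
        "capath_is_dir": bool(capath) and os.path.isdir(capath),
    }


def diagnose(cafile, capath):
    """Classify a default-verify-paths pair the way a packager would."""
    facts = inspect_paths(cafile, capath)
    if facts["cafile_exists"]:
        facts["verdict"] = "cafile present: bundle is read eagerly at load time"
    elif facts["capath_is_dir"]:
        # A hash directory is consulted lazily, by subject-name hash, during
        # verification; nothing is read up front, so cert_store_stats() can
        # report 0 CAs even when the directory is populated and rehashed.
        facts["verdict"] = "capath only: certs load lazily, stats may show 0"
    else:
        facts["verdict"] = "neither default path exists: verification will fail"
    return facts


def count_loaded_cas(cafile=None, capath=None):
    """Count CA certs a client context holds after loading. With no
    arguments this mirrors the report's load_default_certs() test."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    else:
        ctx.load_default_certs()
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    dvp = ssl.get_default_verify_paths()
    print("compiled-in:", diagnose(dvp.openssl_cafile, dvp.openssl_capath))
    print("Debian bundle:", diagnose(DEBIAN_CAFILE, DEBIAN_CAPATH)["verdict"])
    print("CAs loaded by load_default_certs():", count_loaded_cas())
```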