[Pkg-openssl-devel] 1.1.1i autopkg failures

Kurt Roeckx kurt at roeckx.be
Sun Dec 13 15:45:25 GMT 2020


On Sat, Dec 12, 2020 at 01:13:58PM +0100, Sebastian Andrzej Siewior wrote:
> Hi,
> 
> it settled down to m2crypto/0.36.0-1 and swi-prolog/8.2.3+dfsg-1.
> m2crypto/0.36.0-1 is due to
> |commit 2e06150e3928daa06d5ff70c32bffad8088ebe58
> |Author: André Klitzing <aklitzing at gmail.com>
> |Date:   Wed Mar 18 16:04:06 2020 +0100
> |
> |    Allow to continue on UNABLE_TO_VERIFY_LEAF_SIGNATURE
> |    
> |    This unifies the behaviour of a single certificate with
> |    an unknown CA certificate with a self-signed certificate.
> |    The user callback can mask that error to retrieve additional
> |    error information. So the user application can decide to
> |    abort the connection instead to be forced by openssl.
> |    
> |    This change in behaviour is backward compatible as user callbacks
> |    who don't want to ignore UNABLE_TO_VERIFY_LEAF_SIGNATURE will
> |    still abort the connection by default.
> |    
> |    CLA: trivial
> |    Fixes #11297
> |    
> |    Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
> |    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
> |    (Merged from https://github.com/openssl/openssl/pull/11359)
> 
> it seems to fail in "verify_cb_new_function" due to "assert not ok"
> which triggers. Is this helping in any way?

Looking at tests/server.pem, it's not a self-signed certificate.

I can reproduce the error with 1.1.1h if I make this change:
--- tests/test_ssl.py.orig      2020-12-13 16:35:47.843854277 +0100
+++ tests/test_ssl.py   2020-12-13 16:33:58.442135560 +0100
@@ -74,6 +74,8 @@
     stack = store.get1_chain()
     assert len(stack) == 1
     assert stack[0].as_pem() == x509.as_pem()
+    if err == m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+        return 0
     return 1
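Review bot: the added branch `if err == m2.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: return 0` flips the callback's decision for that single error code, which is what reproduces the 1.1.1i failure on 1.1.1h, but the unconditional `return 1` that remains at the end of the hunk still accepts every other verification error the callback never looks at. If the fixture is meant to exercise only the leaf-signature case, consider defaulting to rejection (return the callback's preverify result rather than a literal `1`) or add a comment stating that the test deliberately accepts all other errors. Note also that `err` is not defined in the hunk, so the surrounding function signature should be checked to confirm it is the error-code parameter.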

So it's my understanding that before the PR, if the callback for
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE returned no error,
continue, the verify would return there is no error, but now the
verify can check other things, and so return an error because it's
not a self-signed certificate, and I guess the certificate is also
not placed in the trust store. That is, they used the feature that
if the callback returns X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
you can just accept the certificate.

> swi-prolog is another story. I installed h and it still fails…

Didn't have time to look at this yet.


Kurt