Hello, I'm working on upgrading an Apache reverse proxy server running on OpenBSD 6.5 to the latest version, 6.8, doing a from-scratch install. But in 6.8, there is something wrong when using openssl and the -CApath directive. The issue is the same whether I use the openssl command or the Apache configuration.

In Apache (package apache-httpd), I put all my CAs (root and intermediates) in /etc/ssl with the correct rights. I created my hash files using the openssl certhash command. Apache is correctly configured with:

Code :
    SSLCertificateFile server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificatePath /etc/ssl/

When I try to connect using a web browser, I get the error UNKNOWN_CA_ALERT. Apache logs:

Code :
    Error (20): unable to get local issuer certificate

The same configuration on OpenBSD 6.5 (actually in production) works fine. And I tried on OpenBSD 6.7; it's working fine too.

If I create a CA bundle file with all my CAs (bundle.pem) and configure Apache with SSLCACertificateFile bundle.pem: it's OK, but it's not what I want :(

Now, when I try directly using the openssl command, I get the following issue:

Code :
    openssl verify -CApath /etc/ssl server.crt
    server.crt: C = XX, O = YYYY, OU = WWWW, OU = VVVV, OU = ZZZZZ, CN = service.web.fr
    error 20 at 0 depth lookup: unable to get local issuer certificate
    C = XX, O = YYYY, OU = WWWW, OU = VVVV, OU = ZZZZZ, CN = service.web.fr
    error 20 at 0 depth lookup: unable to get local issuer certificate

Result is KO. The same command on OpenBSD 6.5 and 6.7 is OK.

If I try with the bundle.pem previously created:

Code :
    openssl verify -CAfile /etc/ssl/bundle.pem server.crt
    server.crt: OK

It's OK.

Adding my CAs to the default cert.pem (provided by OpenBSD), I tried:

Code :
    openssl verify -CAfile /etc/ssl/cert.pem server.crt
    server.crt: OK

It's OK, normal. But now, if I try with CApath:

Code :
    openssl verify -CApath /etc/ssl server.crt
    server.crt: OK

It's very strange?! Running this command under ktrace shows that only cert.pem is parsed when using the CApath option; the other CA files using hash files are ignored. I tried in Apache with all my CAs stored in cert.pem, but it's still not working :(

I didn't find similar cases on Google or on the mailing list. I didn't find a changelog entry about CApath parsing for the latest version; maybe it's a bug?

Many thanks in advance for your help,
Julien
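A hashed CA directory is never scanned: the lookup code opens only files named <subject_hash>.<n>, so a CA file that is present but not reachable under its hash name is simply invisible, and the result is the same "error 20 at 0 depth lookup" the post shows. The script below is an added example, not code from the post or from OpenBSD; it assumes nothing but an openssl binary on PATH (OpenSSL or LibreSSL) and builds a throwaway root / intermediate / leaf chain that is constructed test data, not a real CA. It links the CAs into a directory the way openssl certhash or c_rehash would (using openssl x509 -subject_hash, which both tools rely on), verifies the leaf against a complete directory, a directory missing the intermediate, a directory where the intermediate sits under its original file name, and a bundle file, and prints one summary line. It does not try to reproduce the poster's 6.8 behaviour; it is a way to confirm, on any box, what a correct hashed directory should look like before blaming the library.

```shell
#!/bin/sh
# Added example (not from the original post): build a hashed CA directory and
# check how `openssl verify -CApath` behaves with it. Assumes only a working
# `openssl` binary; the certificates generated here are constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root -> intermediate -> leaf chain, all files under $WORK.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  for name in root int server; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Test $name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  # Self-signed root with CA extensions, intermediate signed by it, then the leaf.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/server.crt" 2>/dev/null
}

# Populate a directory the way openssl certhash / c_rehash do: each CA goes
# under <subject_hash>.<n>, where n disambiguates hash collisions.
build_capath() {
  dir=$1
  shift
  mkdir -p "$dir"
  for ca in "$@"; do
    h=$(openssl x509 -in "$ca" -noout -subject_hash)
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    cp "$ca" "$dir/$h.$n"
  done
}

# Exit status 0 when openssl accepts the leaf against the given CApath.
verify_with_capath() {
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Four checks, summarised on one line so the outcome is easy to assert on.
run_demo() {
  rm -rf "$WORK"/capath_* "$WORK"/bundle.pem
  make_chain
  leaf="$WORK/server.crt"

  # 1. Root and intermediate both hashed: the chain verifies.
  build_capath "$WORK/capath_full" "$WORK/root.crt" "$WORK/int.crt"
  if verify_with_capath "$WORK/capath_full" "$leaf"; then full=ok; else full=fail; fi

  # 2. Only the root hashed: "unable to get local issuer certificate" (error 20).
  build_capath "$WORK/capath_missing" "$WORK/root.crt"
  if verify_with_capath "$WORK/capath_missing" "$leaf"; then missing=ok; else missing=fail; fi

  # 3. Intermediate present but under its original file name: same error 20,
  #    because the directory is looked up by hash name, never scanned.
  build_capath "$WORK/capath_unhashed" "$WORK/root.crt"
  cp "$WORK/int.crt" "$WORK/capath_unhashed/intermediate.crt"
  if verify_with_capath "$WORK/capath_unhashed" "$leaf"; then unhashed=ok; else unhashed=fail; fi

  # 4. The bundle-file alternative from the post, for comparison.
  cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/bundle.pem"
  if openssl verify -CAfile "$WORK/bundle.pem" "$leaf" >/dev/null 2>&1; then
    bundle=ok
  else
    bundle=fail
  fi

  echo "full=$full missing=$missing unhashed=$unhashed bundle=$bundle"
}

run_demo
```

Two things to keep in mind when adapting this to a real /etc/ssl: compare the file names that openssl certhash produced with the output of openssl x509 -noout -subject_hash for each CA, since a stale or differently hashed name is indistinguishable from a missing CA; and on OpenSSL 1.1 and later the verify subcommand also consults the default trust store unless -no-CAfile and -no-CApath are given, so a test can succeed for a reason unrelated to the directory under test (whether LibreSSL's verify accepts those two flags is not something this example relies on).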
