On 2020/11/23 15:57, Julien Robert wrote:
> Hello,
>
> I'm working on upgrading an Apache reverse proxy server running on OpenBSD 6.5
> to the latest version, 6.8, doing a from-scratch install.
> But in 6.8, there is something wrong using openssl and the -CApath
> directive.
> The issue is similar using the openssl command or the Apache configuration.
I think this may be an occurrence of the bug that was fixed in src/lib/libcrypto/x509/x509_verify.c revision 1.17 in -current.

---------------------
PatchSet 3181
Date: 2020/11/03 17:22:45
Author: jsing
Branch: HEAD
Tag: (none)
Log:
Hook X509_STORE_CTX get_issuer() callback from new X509 verifier.

If we fail to find a parent certificate from either the supplied roots or
intermediates and we have an X509_STORE_CTX, call its get_issuer() callback
to see if it can supply a suitable certificate. This makes things like
certificates by directory (aka by_dir) work correctly.

Issue noted by Uwe Werler <[email protected]>

ok beck@ tb@

Members:
x509/x509_verify.c:1.16->1.17

Index: src/lib/libcrypto/x509/x509_verify.c diff -u src/lib/libcrypto/x509/x509_verify.c:1.16 src/lib/libcrypto/x509/x509_verify.c:1.17 --- src/lib/libcrypto/x509/x509_verify.c:1.16 Mon Oct 26 12:01:01 2020 +++ src/lib/libcrypto/x509/x509_verify.c Tue Nov 3 17:22:45 2020 @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.16 2020/10/26 12:01:01 tb Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.17 2020/11/03 17:22:45 jsing Exp $ */ /* * Copyright (c) 2020 Bob Beck <[email protected]> * @@ -401,7 +401,7 @@ { unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 }; X509 *candidate; - int i, depth, count; + int i, depth, count, ret; depth = sk_X509_num(current_chain->certs); if (depth > 0) @@ -428,7 +428,6 @@ cert_md, 1, candidate, current_chain); } } - if (ctx->intermediates != NULL) { for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { candidate = sk_X509_value(ctx->intermediates, i); 
@@ -438,6 +437,21 @@ } } } + if (ctx->xsc != NULL) { + if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) { + x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_STORE_LOOKUP, 0); + return; + } + if (ret > 0) { + if (x509_verify_potential_parent(ctx, candidate, cert)) { + x509_verify_consider_candidate(ctx, cert, + cert_md, 1, candidate, current_chain); + } + X509_free(candidate); + } + } + if (ctx->chains_count > count) { if (ctx->xsc != NULL) { ctx->xsc->error = X509_V_OK;
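Review bot: the hunk at @@ -428,7 +428,6 @@ only deletes the blank line before `if (ctx->intermediates != NULL) {`; that whitespace change has nothing to do with the get_issuer() hook and would be cleaner as a separate commit, or at least mentioned in the log so readers of the diff do not look for a behavioural change there.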
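Review bot: in the hunk at @@ -438,6 +437,21 @@, `X509_free(candidate)` runs immediately after `x509_verify_consider_candidate()` returns, so the hook is only correct if consider_candidate takes its own reference on any candidate it keeps; the roots and intermediates paths just above pass stack-owned certificates and never free them, so that invariant is not visible in the diff and deserves a comment at the call site. Three smaller points on the same hunk: the callback is invoked whenever `ctx->xsc != NULL` with no `ctx->xsc->get_issuer != NULL` check, so this relies on X509_STORE_CTX_init always installing a default; the early `return` on `ret < 0` skips the `if (ctx->chains_count > count)` block below it, so a chain already built from the in-memory roots or intermediates during this same call no longer gets `ctx->xsc->error = X509_V_OK`, meaning a failed by_dir lookup can mask a chain that was found without it; and the callback fires even when `ctx->chains_count > count` already holds, so a successful in-memory lookup still pays for a directory scan, which testing `chains_count` before calling get_issuer() would avoid. Style: `if ((ret = ctx->xsc->get_issuer(&candidate, ctx->xsc, cert)) < 0) {` at two tabs of indent exceeds 80 columns and should be wrapped per KNF.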
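The script below is an added example, not code from this thread, from Julien, or from OpenBSD. It builds a throwaway CA and leaf certificate, installs the CA in a directory under the <subject_hash>.0 file name that the by_dir lookup (and c_rehash) uses, and verifies the leaf once with -CAfile and once with -CApath. Per the commit log above, the -CApath run is the one expected to fail on a 6.8 libcrypto without the x509_verify.c 1.17 change, while -CAfile, which loads the CA into the in-memory store, is unaffected; on a fixed system both succeed. The CA and leaf names, the temporary directory layout and the directory name `certs` are all made up for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread or from OpenBSD): reproduce the
# -CAfile vs -CApath check from the report on a throwaway CA. All names,
# paths and the by_dir directory name "certs" are constructed here.
set -u

# Write a minimal openssl.cnf into $1 so the CA carries basicConstraints
# and keyUsage regardless of the system's default configuration.
write_config() {
    cat >"$1/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:leaf.example.test
EOF
}

# Create a self-signed CA (ca.pem) and a leaf signed by it (leaf.pem) under $1.
make_test_pki() {
    dir=$1
    write_config "$dir" || return 1
    openssl req -x509 -new -config "$dir/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days 2 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -config "$dir/openssl.cnf" \
        -newkey rsa:2048 -nodes -sha256 -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" >/dev/null 2>&1 || return 1
}

# Populate a -CApath directory ($1) with the CA ($2) under the file name the
# by_dir lookup searches for: <subject_hash>.<n>, the same name c_rehash creates.
populate_capath() {
    mkdir -p "$1" || return 1
    h=$(openssl x509 -noout -subject_hash -in "$2") || return 1
    cp "$2" "$1/$h.0"
}

# Verify leaf ($1) against a CA file ($2) or a hashed directory ($2).
verify_with_cafile() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
verify_with_capath() { openssl verify -CApath "$2" "$1" >/dev/null 2>&1; }

# Run both verifications on a fresh test PKI and classify the outcome:
#   0  both succeed (by_dir lookup works)
#   1  -CAfile succeeds but -CApath fails (the symptom from the report)
#   2  setup failed (no usable openssl, or certificate generation failed)
#   3  -CAfile fails too (the problem is not the directory lookup)
capath_check() {
    work=$(mktemp -d) || return 2
    if ! make_test_pki "$work" || ! populate_capath "$work/certs" "$work/ca.pem"; then
        rm -rf "$work"
        return 2
    fi
    file_ok=1; verify_with_cafile "$work/leaf.pem" "$work/ca.pem" || file_ok=0
    path_ok=1; verify_with_capath "$work/leaf.pem" "$work/certs" || path_ok=0
    rm -rf "$work"
    if [ "$file_ok" = 0 ]; then
        echo "verification fails even with -CAfile"; return 3
    elif [ "$path_ok" = 0 ]; then
        echo "-CAfile works but -CApath fails: by_dir lookup is broken"; return 1
    fi
    echo "-CAfile and -CApath both verify the leaf"
}

# Usage: sh capath_check.sh run
if [ "${1:-}" = run ]; then
    capath_check
fi
```

The exit codes are deliberately distinct so the script can be dropped into a post-upgrade check: a 1 is the by_dir symptom from this thread, a 3 means the chain itself is wrong (missing basicConstraints, expired CA, wrong key) and the directory lookup is not the thing to chase. Apache's SSLCACertificatePath uses the same hashed-directory lookup through libcrypto, so a 1 here is the same failure the server would see.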
