A clean build of openssl-1.0.0 (./config run without parameters) does not
use the hashed certificate files from -CApath and fails certificate 
verification. The same behavior is seen when using openssl via the openssl
s_client command as well as the library with curl 7.20.0. The system 
used here is debian lenny (5.0.4) without any openssl development 
packages installed. gcc 4.3.2-1.1 and 4.2.4-6 have been tested with
identical results. make tests runs successfully:

Zlib not supported: compression tests skipped
ALL TESTS SUCCESSFUL.

When supplied with an appropriate .pem file as -CAfile, 
certificate authentication succeeds.

Curl behaviour can be tested e.g. via
curl -v --cacert /var/tmp/ca/root.crt --capath /var/tmp/ca/hash "https://www.google.com/"
which fails with openssl 1.0.0, but works with 0.9.8m.

$ strace -e open ./apps/openssl s_client -CApath /var/tmp/ca/hash -CAfile /var/tmp/ca/root.crt -connect www.google.com:443
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/usr/local/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
open("/proc/meminfo", O_RDONLY)         = 3
open("/root/.rnd", O_RDONLY)            = 3
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
open("/var/tmp/ca/root.crt", O_RDONLY|O_LARGEFILE) = 3
open("/usr/local/ssl/cert.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/nsswitch.conf", O_RDONLY)    = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/etc/host.conf", O_RDONLY)        = 3
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_dns.so.2", O_RDONLY)  = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
CONNECTED(00000003)
depth=1 C = ZA, O = Thawte Consulting (Pty) Ltd., CN = Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1902 bytes and written 396 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 556A0D8370C574309889C4067A82D88E778C0872B810D929C4F568CE68F7514B
    Session-ID-ctx: 
    Master-Key: 429F02DDECFED4F0761D71A890AFD6ECBD4FA837539DF73437222C6B0761ECCD5061BFFE16D24DF42E90DC59200950EE
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1270564167
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---


The same command line works as expected with debian's 0.9.8g or 
any of our 0.9.8m builds. Note that /var/tmp/ca/hash/7651b327.0
is read, which openssl 1.0.0 does not even try to open:

$ strace -e open `which openssl` s_client -CApath /var/tmp/ca/hash -CAfile /var/tmp/ca/root.crt -connect www.google.com:443
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/usr/lib/i686/cmov/libssl.so.0.9.8", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libcrypto.so.0.9.8", O_RDONLY) = 3
open("/lib/libdl.so.2", O_RDONLY)       = 3
open("/usr/lib/libz.so.1", O_RDONLY)    = 3
open("/lib/libc.so.6", O_RDONLY)        = 3
open("/usr/lib/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
open("/proc/meminfo", O_RDONLY)         = 3
open("/root/.rnd", O_RDONLY)            = 3
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
open("/var/tmp/ca/root.crt", O_RDONLY|O_LARGEFILE) = 3
open("/usr/lib/ssl/cert.pem", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/resolv.conf", O_RDONLY)      = 3
open("/etc/nsswitch.conf", O_RDONLY)    = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_files.so.2", O_RDONLY) = 3
open("/etc/host.conf", O_RDONLY)        = 3
open("/etc/hosts", O_RDONLY|O_CLOEXEC)  = 3
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/libnss_dns.so.2", O_RDONLY)  = 3
open("/lib/libresolv.so.2", O_RDONLY)   = 3
CONNECTED(00000003)
open("/var/tmp/ca/hash/7651b327.0", O_RDONLY|O_LARGEFILE) = 4
open("/etc/localtime", O_RDONLY)        = 4
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1765 bytes and written 304 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: EE614864B9D68D40D04933F585D0FDC5B5DB6FA376930AE67B86838559867A02
    Session-ID-ctx: 
    Master-Key: 0B6ED48F4446947B3C6AF67173D5D99E34E411FC3B9F66BD8F3104B5A797C0A50E3CD580687C799376E29F51F1B89668
    Key-Arg   : None
    Start Time: 1270564124
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


$ ls -l /var/tmp/ca/hash/76* /var/tmp/ca
lrwxrwxrwx 1 root root   59 Apr  6 16:27 /var/tmp/ca/hash/7651b327.0 -> Verisign_Class_3_Public_Primary_Certification_Authority.pem
lrwxrwxrwx 1 root root   24 Apr  6 16:27 /var/tmp/ca/hash/76579174.0 -> XRamp_Global_CA_Root.pem

/var/tmp/ca:
total 24
drwxr-xr-x 2 root root 20480 Apr  1 18:45 hash
-rw-r--r-- 1 root root  2569 Apr  6 16:27 root.crt


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
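A fix for the hash directory in the report above, added here as an example and not part of the original post: OpenSSL 1.0.0 changed the subject-name hash that -CApath file names are built from (SHA-1 over the canonical DER encoding, where 0.9.8 used MD5 over the raw encoding), so a directory populated by 0.9.8's c_rehash holds only old-style names such as 7651b327.0 and a 1.0.0 build never looks for them. The script below links every CA under both names, which is what c_rehash shipped with 1.0.0 also does; it assumes an openssl binary that accepts -subject_hash_old (1.0.0 or later) and CA files ending in .pem or .crt.

```shell
#!/bin/sh
# Added example (not from the original report). Assumes an openssl binary
# that understands -subject_hash_old, i.e. OpenSSL 1.0.0 or later.
set -e

# Return 0 if some HASH.N link in DIR already points at TARGET.
already_linked() {
    dir=$1; hash=$2; target=$3
    for l in "$dir/$hash".*; do
        [ -L "$l" ] && [ "$(readlink "$l")" = "$target" ] && return 0
    done
    return 1
}

# Print the first free link name HASH.N in DIR (N counts collisions).
next_link_name() {
    dir=$1; hash=$2; n=0
    while [ -e "$dir/$hash.$n" ]; do n=$((n + 1)); done
    echo "$dir/$hash.$n"
}

# Create a relative symlink for one CA file under both hash styles:
# -subject_hash (1.0.0+, SHA-1 of the canonical subject name) and
# -subject_hash_old (0.9.8 style, MD5 of the raw DER subject name).
link_cert() {
    dir=$1; cert=$2
    target=$(basename "$cert")
    for flag in -subject_hash -subject_hash_old; do
        h=$(openssl x509 -in "$cert" -noout "$flag")
        if already_linked "$dir" "$h" "$target"; then continue; fi
        ln -s "$target" "$(next_link_name "$dir" "$h")"
    done
}

# Link every *.pem / *.crt CA file in DIR; safe to re-run.
rehash_both() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        link_cert "$dir" "$cert"
    done
}

# Return 0 if CERT verifies with DIR used as -CApath.
check_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}
```

Run `rehash_both /var/tmp/ca/hash` once with a 1.0.0 openssl on PATH and the directory serves both library versions.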