Hi Team,

We have encountered an OpenSSL-related upgrade issue in our product. We have opened a bug in Bugzilla on the Red Hat development site. Below are the details of the bug:

Link: https://bugzilla.redhat.com/show_bug.cgi?id=912610

Description of problem:

We have upgraded OpenSSL from 0.9.8 to 1.0.1 and have found a problem while trying to verify a certificate which was created using libraries of version 0.9.8. The verify command fails, due to which client validation using the same certificate fails.

    netqf140:/etc/opt/ibm/icc/truststore # /opt/ibm/icc/bin/openssl version
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    OpenSSL 1.0.1 14 Mar 2012
    netqf140:/etc/opt/ibm/icc/truststore # /opt/ibm/icc/bin/openssl version
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    OpenSSL 1.0.1 14 Mar 2012
    netqf140:/etc/opt/ibm/icc/truststore # openssl version
    OpenSSL 0.9.8h 28 May 2008
    netqf140:/etc/opt/ibm/icc/truststore # ll
    total 12
    -rw------- 1 root root 981 Feb 18 05:22 a533da62.0
    -rw------- 1 root root 977 Jan 11 05:17 aaada30a.0
    -rw------- 1 root root 973 Jan 21 12:16 adcfb619.0
    netqf140:/etc/opt/ibm/icc/truststore # /opt/ibm/icc/bin/openssl verify -CApath /etc/opt/ibm/icc/truststore a533da62.0
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    a533da62.0: C = US, ST = NC, L = RTP, O = Director Development, OU = IBM Corporation, CN = IBM Director on 10.12.200.214 1327360788187
    error 18 at 0 depth lookup:self signed certificate
    OK
    netqf140:/etc/opt/ibm/icc/truststore # openssl verify -CApath /etc/opt/ibm/icc/truststore a533da62.0
    a533da62.0: OK
    netqf140:/etc/opt/ibm/icc/truststore #

Version-Release number of selected component (if applicable):

Problem seen with OpenSSL 1.0.1.
Old version: OpenSSL 0.9.8h
The same issue is seen if the steps are vice versa.

How reproducible:

Create an X.509 certificate using 0.9.8 and store it in the truststore, upgrade OpenSSL and verify the old certificate using the verify command. Error no 18 is seen for the self-signed certificate.

Steps to Reproduce:

1. Create an X.509 certificate and save the hash file in the truststore.
2. Upgrade OpenSSL to 1.0.1.
3. Try to verify the certificate using the verify command and specify -CApath as the truststore path.

Actual results:

    netqf140:/etc/opt/ibm/icc/truststore # /opt/ibm/icc/bin/openssl verify -CApath /etc/opt/ibm/icc/truststore a533da62.0
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    a533da62.0: C = US, ST = NC, L = RTP, O = Director Development, OU = IBM Corporation, CN = IBM Director on 10.12.200.214 1327360788187
    error 18 at 0 depth lookup:self signed certificate
    OK

Expected results:

An error should not be reported during the verify command.

Additional info:

Can you please help with this issue or provide a workaround which we can implement to solve the issue?

Regards,
Sushil

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
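
An added example, not part of the original message or of OpenSSL's own code: OpenSSL 1.0.0 changed the subject-name hash used for `-CApath` file names, so an entry named by 0.9.8 is not found by 1.0.1 (and the reverse), which matches the error 18 reported above. The script below classifies a hashed file name as current or legacy and shows verification before and after a link under the current hash is added. It assumes that this hash change is the cause here and that an `openssl` 1.0.0 or later is on PATH; the certificate and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: diagnose -CApath entries named with the pre-1.0.0 subject hash.
# Assumes OpenSSL 1.0.0 or later on PATH; the certificate below is constructed.

# Classify a hashed trust-store file name as current, legacy or unknown.
classify_entry() {
    name=$(basename "$1"); name=${name%.*}
    new=$(openssl x509 -noout -subject_hash -in "$1" 2>/dev/null) || return 1
    old=$(openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null) || return 1
    if [ "$name" = "$new" ]; then echo current
    elif [ "$name" = "$old" ]; then echo legacy
    else echo unknown; fi
}

# True when verify reports error 18 (self-signed certificate not found in the store).
reports_error_18() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q 'error 18 at 0 depth'
}

# Build a throwaway store holding one self-signed certificate under its legacy name.
make_legacy_store() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed test cert' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    old=$(openssl x509 -noout -subject_hash_old -in "$dir/cert.pem") || return 1
    mv "$dir/cert.pem" "$dir/$old.0" && rm -f "$dir/key.pem"
    echo "$dir/$old.0"
}

# Add a link under the current hash name, keeping the legacy name for 0.9.8 readers.
# (c_rehash does the same for every certificate in a directory.)
add_current_link() {
    new=$(openssl x509 -noout -subject_hash -in "$1") || return 1
    ln -s "$(basename "$1")" "$(dirname "$1")/$new.0"
}

demo() {
    cert=$(make_legacy_store) || return 1
    store=$(dirname "$cert")
    echo "entry is: $(classify_entry "$cert")"
    if reports_error_18 "$store" "$cert"; then echo "before: error 18"; fi
    add_current_link "$cert" || return 1
    if reports_error_18 "$store" "$cert"; then echo "after: error 18"; else echo "after: OK"; fi
    rm -rf "$store"
}
demo
```

Keeping both the legacy and the current file name in the directory lets the 0.9.8 and 1.0.1 binaries share one truststore.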