** Description changed:

Binary package hint: openssl

Verification fails even if the CAfile contains the CA root certificate chain for the site cert.

Steps:
I have a CAfile.pem (all these files are attached in testfiles.tgz) that contains lots of CA root certificates.
I run the following commands:

$ openssl verify -CAfile CAfile.pem aol.cert
aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
error 20 at 0 depth lookup:unable to get local issuer certificate
$ openssl verify -CAfile CAfile.pem akamai.cert
akamai.cert: OK

Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem and rename it to CAfile2.pem:

$ cat CAfile.pem aolca.pem > CAfile2.pem

and run the following commands:

$ openssl verify -CAfile CAfile2.pem aol.cert
aol.cert: OK
$ openssl verify -CAfile CAfile2.pem akamai.cert
akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
error 20 at 0 depth lookup:unable to get local issuer certificate

The verification for aol.cert passes as expected, but failing to verify akamai.cert is unexpected.

If I configure/compile openssl with the "-d" option, openssl will fail to load CAfile.pem:

$ openssl verify -CAfile CAfile.pem akamai.cert
Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.
ElectricFence Exiting: mprotect() failed: Cannot allocate memory

This issue happens in both 0.9.8j and the stock 0.9.8g in Ubuntu 8.10.

If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/, since openssl will try to load these CA root certificates as a last resort (or try it with strace to make sure openssl is not accessing them).
--
"openssl verify -CAfile mutil_ca.pem site.cert" fails even if mutil_ca.pem contains the chain for site.cert
https://bugs.launchpad.net/bugs/335225
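
An added example, not part of the original report or of OpenSSL: a POSIX shell check that a certificate verifies the same way whatever order the CA files are concatenated in. The function names are hypothetical; it assumes the openssl CLI is on PATH and uses the SSL_CERT_DIR environment variable to point the default certificate directory at an empty one instead of renaming /usr/lib/ssl/certs/.

```shell
#!/bin/sh
# Order-independence check for `openssl verify -CAfile` (added example).

# verify_isolated BUNDLE CERT
# Returns 0 only if CERT verifies against BUNDLE with no help from the
# system certificate directory.
verify_isolated() {
    empty_dir=$(mktemp -d) || return 2
    # An empty SSL_CERT_DIR replaces the default CA directory, so the
    # "last resort" lookup described in the report finds nothing.
    out=$(SSL_CERT_DIR="$empty_dir" openssl verify -CAfile "$1" "$2" 2>&1)
    rc=$?
    rmdir "$empty_dir"
    # Require both a zero exit status and the ": OK" line seen in the report.
    [ "$rc" -eq 0 ] || return 1
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_order_independence CERT CA_FILE...
# Concatenates the CA files in every rotation (per file, not per certificate),
# verifies CERT against each bundle and prints one result line per rotation.
# Returns 0 if all rotations agree, 1 if the result depends on the order.
check_order_independence() {
    leaf=$1; shift
    work=$(mktemp -d) || return 2
    n=$#; i=0; first=""; status=0
    while [ "$i" -lt "$n" ]; do
        cat "$@" > "$work/bundle.pem"
        if verify_isolated "$work/bundle.pem" "$leaf"; then r=OK; else r=FAIL; fi
        echo "rotation $i ($1 first): $r"
        if [ -z "$first" ]; then first=$r; fi
        if [ "$r" != "$first" ]; then status=1; fi
        # Rotate the argument list: move the first CA file to the end.
        f=$1; shift; set -- "$@" "$f"
        i=$((i + 1))
    done
    rm -rf "$work"
    return $status
}

# With the files named in the report, the call would be:
#   check_order_independence akamai.cert CAfile.pem aolca.pem
```

A non-zero return means the outcome changed with bundle order, which is the behaviour the report describes for akamai.cert.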
