This has been traced to a broken hash directory:

11:40 < kirkland> lrwxrwxrwx 1 root root 19 2011-09-20 01:34 /usr/lib/ssl/certs/55a10908.0 -> ca-certificates.crt
11:40 < kirkland> -rw-r--r-- 1 root root 240312 2011-09-20 01:32 /usr/lib/ssl/certs/ca-certificates.crt

This is expected to point to the specific certificate file,
ValiCert_Class_2_VA.pem, instead; but on new installs since the latest
upload of the new upstream version of openssl, c_rehash is giving
preference to the ca-certificates bundle file over the individual cert
files, and libssl subsequently is unable to use ca-certificates.crt for
certificate validation.

I would definitely say there's a bug in openssl here, since c_rehash
shouldn't create symlinks that the library will be subsequently unable
to use; but I think we can work around it in ca-certificates by just
making sure the bundle file is moved out of the way at the time we're
calling c_rehash - since any time we call c_rehash we're regenerating
that bundle file anyway.

** Also affects: ca-certificates (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: ca-certificates (Ubuntu Oneiric)
       Status: New => In Progress

** Changed in: ca-certificates (Ubuntu Oneiric)
   Importance: Undecided => High

** Changed in: ca-certificates (Ubuntu Oneiric)
     Assignee: (unassigned) => Steve Langasek (vorlon)

** Changed in: ca-certificates (Ubuntu Oneiric)
    Milestone: None => ubuntu-11.10-beta-2

** Changed in: openssl (Ubuntu Oneiric)
    Milestone: ubuntu-11.10-beta-2 => ubuntu-11.10

** Changed in: openssl (Ubuntu Oneiric)
       Status: In Progress => Triaged

** Changed in: openssl (Ubuntu Oneiric)
     Assignee: (unassigned) => Colin Watson (cjwatson)

** Bug watch added: Debian Bug tracker #628780
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=628780

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/854927

Title:
  c_rehash creating bogus links to ca-certificates.crt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/854927/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
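
The following check is an added example, not part of the bug report and not code from ca-certificates or openssl. It lists hash links in a certificate directory that resolve to a file holding more than one PEM certificate, which is the condition reported above. The sample directory, `Example_CA.pem`, the link name `0a1b2c3d.0` and the placeholder PEM bodies are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): find hash links in a certificate
# directory that point at a multi-certificate bundle instead of a single cert.

# Print "<link> -> <target> (<n> certificates)" for each suspect link in $1.
find_bundle_links() {
    dir=$1
    for link in "$dir"/*; do
        [ -L "$link" ] && [ -f "$link" ] || continue
        # c_rehash names its links <8 hex digits>.<sequence number>
        case ${link##*/} in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;
        esac
        # Count PEM certificate headers in the file the link resolves to.
        n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$link" || true)
        if [ "${n:-0}" -gt 1 ]; then
            printf '%s -> %s (%s certificates)\n' "$link" "$(readlink "$link")" "$n"
        fi
    done
}

# Write one placeholder PEM block; the body is not a real certificate.
pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

# Build a constructed sample directory in $1; only the file layout matters.
make_sample() {
    pem CONSTRUCTED-A > "$1/Example_CA.pem"
    { pem CONSTRUCTED-A; pem CONSTRUCTED-B; } > "$1/ca-certificates.crt"
    ln -s ca-certificates.crt "$1/55a10908.0"   # the link shown in the report
    ln -s Example_CA.pem "$1/0a1b2c3d.0"        # constructed single-cert link
}

# Scan the directory given as $1, or a constructed sample when none is given.
if [ $# -gt 0 ]; then
    find_bundle_links "$1"
else
    tmp=$(mktemp -d) && make_sample "$tmp" && find_bundle_links "$tmp"
    rm -rf "$tmp"
fi
```

Run it with the hash directory as its argument, for example `/usr/lib/ssl/certs`; no output means no hash link resolves to a bundle.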