I re-ran the test as follows to actually test the server side with only
the packaged executables.
I used this command for the server side:
/usr/bin/openssl s_server -key key.pem -cert cert.pem -status_file openssl-1.1.1/test/recipes/ocsp-response.der -Verify 5
with ldd showing it loading its ssl & crypto libraries from /usr/lib/x86_64-linux-gnu:
ldd /usr/bin/openssl
linux-vdso.so.1 (0x00007ffe6ee65000)
libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x00007f44027c4000)
libcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f44022f9000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f44020da000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4401ce9000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f4401ae5000)
/lib64/ld-linux-x86-64.so.2 (0x00007f4402d04000)
I built the client from 18.06.16 source with tracing enabled, used it for both tests, and ran it with this command:
LD_LIBRARY_PATH=openssl-1.1.1/build_shared openssl-1.1.1/build_shared/apps/openssl s_client -status -trace -cert cert.pem -key key.pem
with ldd showing it loading its own libraries:
LD_LIBRARY_PATH=openssl-1.1.1/build_shared ldd openssl-1.1.1/build_shared/apps/openssl
linux-vdso.so.1 (0x00007fff51ff9000)
libssl.so.1.1 => openssl-1.1.1/build_shared/libssl.so.1.1 (0x00007fc8c28b4000)
libcrypto.so.1.1 => openssl-1.1.1/build_shared/libcrypto.so.1.1 (0x00007fc8c23e9000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fc8c21ca000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc8c1dd9000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc8c1bd5000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc8c2dfe000)
The following logs show the difference between having:
ii openssl 1.1.1-1ubuntu2.1~18.04.15 amd64 Secure Sockets Layer toolkit - cryptographic utility
and having:
ii openssl 1.1.1-1ubuntu2.1~18.04.16 amd64 Secure Sockets Layer toolkit - cryptographic utility
ubuntu@bionic-lp-1940141:~$ grep -B1 -A4 CertificateRequest s_client-18.04.16-from-source-with-trace_server-18.04.15-from-package.log
Inner Content Type = Handshake (22)
CertificateRequest, Length=1570
request_context (len=0):
extensions, length = 1567
extension_type=status_request(5), length=1521
0000 - 01 00 05 ed 30 82 05 e9-0a 01 00 a0 82 05 e2 ....0..........
ubuntu@bionic-lp-1940141:~$ grep -B1 -A4 CertificateRequest s_client-18.04.16-from-source-with-trace_server-18.04.16-proposed-from-package.log
Inner Content Type = Handshake (22)
CertificateRequest, Length=45
request_context (len=0):
extensions, length = 42
extension_type=signature_algorithms(13), length=38
ecdsa_secp256r1_sha256 (0x0403)
This is indicative of the fix working.
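The check above is done by eye with grep. As an added example (not part of the bug comment or of OpenSSL), here is a small parser for the `s_client -trace` output that walks the CertificateRequest block, collects its extensions, and flags a status_request that carries a body; RFC 8446 section 4.4.2.1 permits only an empty status_request in a CertificateRequest, which is why the 1521-byte one from the .15 package is the defect. The two trace strings are constructed from the excerpts above and are not verbatim captures.

```python
import re

# Constructed sample of `openssl s_client -trace` output, modelled on the
# grep excerpt from the 18.04.15 server (buggy: status_request has a body).
BUGGY_TRACE = """\
Inner Content Type = Handshake (22)
  CertificateRequest, Length=1570
    request_context (len=0):
    extensions, length = 1567
      extension_type=status_request(5), length=1521
        0000 - 01 00 05 ed 30 82 05 e9-0a 01 00 a0 82 05 e2   ....0..........
      extension_type=signature_algorithms(13), length=38
        ecdsa_secp256r1_sha256 (0x0403)
Inner Content Type = Handshake (22)
  Certificate, Length=10
"""

# Constructed sample modelled on the 18.04.16 (fixed) server excerpt.
FIXED_TRACE = """\
Inner Content Type = Handshake (22)
  CertificateRequest, Length=45
    request_context (len=0):
    extensions, length = 42
      extension_type=signature_algorithms(13), length=38
        ecdsa_secp256r1_sha256 (0x0403)
"""

EXT_RE = re.compile(r"extension_type=(\w+)\((\d+)\),\s*length=(\d+)")
MSG_RE = re.compile(r"^\s*(\w+),\s*Length=\d+")   # handshake message header line

def certificate_request_extensions(trace):
    """Return {extension_name: length} for the first CertificateRequest in the trace."""
    in_cr = False
    exts = {}
    for line in trace.splitlines():
        m = MSG_RE.match(line)
        if m:                              # a new handshake message begins here
            if in_cr:                      # we have walked past the CertificateRequest
                break
            in_cr = (m.group(1) == "CertificateRequest")
            continue
        if in_cr:
            e = EXT_RE.search(line)
            if e:
                exts[e.group(1)] = int(e.group(3))
    return exts

def nonempty_status_request(trace):
    """True if the CertificateRequest carries a status_request with length > 0.
    RFC 8446 4.4.2.1 allows only an empty status_request here, so a body means
    the server is sending its own OCSP response where a request belongs."""
    return certificate_request_extensions(trace).get("status_request", 0) > 0
```

Run it against a real capture by reading the log file into a string and passing it to `nonempty_status_request`; a True result reproduces the pre-fix behaviour shown in the first grep excerpt.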
--
https://bugs.launchpad.net/bugs/1940141
Title: OpenSSL servers can send a non-empty status_request in a CertificateRequest