Bug 10069 (int-169980)

Summary: possible OpenSSL bug with PEM certificate files (ordering of the certs in the file)
Product: [Maemo Official Platform] Connectivity Reporter: Ted Mielczarek <ted.mielczarek>
Component: NetworkingAssignee: unassigned <nobody>
Status: UNCONFIRMED QA Contact: networking-bugs
Severity: normal    
Priority: Unspecified CC: andre_klapper
Version: 5.0/(3.2010.02-8)   
Target Milestone: ---   
Hardware: N900   
OS: Maemo   
Attachments: crashreports.crt

Description Ted Mielczarek (reporter) 2010-04-29 20:45:07 UTC
Maemo 5
Version: 1.2009.42-11.002

I'm trying to use a PEM file containing a list of CA certificates for use with
libcurl. On my N900, OpenSSL fails to verify a SSL server certificate against
the list of CA certificates (even though the CA cert needed is in the file),
but if I include some other extraneous CA certs in the file, it works. Testing
the same files on my Mac (which also doesn't have a set of CA certificates
configured for OpenSSL) both files work fine.

Here's the commandline I'm testing with, I'll attach the certificate files in
openssl verify -CAfile test.crt -purpose sslserver crashreports.crt

crashreports.crt: OK

View/O=Mozilla Corporation/OU=Mozilla Crash
error 20 at 0 depth lookup:unable to get local issuer certificate

Comment 1 Ted Mielczarek (reporter) 2010-04-29 20:47:38 UTC
Created an attachment (id=2669) [details]

This is the SSL server certificate (from https://crash-reports.mozilla.com).
Comment 2 Ted Mielczarek (reporter) 2010-04-29 20:49:14 UTC
Created an attachment (id=2670) [details]

This is test.crt, a PEM file of 133 CA certificates generated from NSS'
certlist.txt. Running openssl verify with this as the -CAfile on
crashreports.crt is successful on the N900.
Comment 3 Ted Mielczarek (reporter) 2010-04-29 20:50:49 UTC
Created an attachment (id=2671) [details]

This is test-fail.crt, a list of 120 CA certificates from the same
certlist.txt. The 13 certificates that are not listed in this file, but are
listed in test.crt are listed in certlist.txt as being trusted only for email
signing. None of them are the CA that signed crashreports.crt. This file
contains that CA's certificate, and yet the openssl verify command fails using
this file as the -CAfile option on the N900.
Comment 4 Ted Mielczarek (reporter) 2010-04-29 20:52:22 UTC
As another note, if I create a PEM file containing just the certificate for the
CA that signed crashreports.crt (Equifax), openssl verify succeeds on the N900.
Comment 5 Ted Mielczarek (reporter) 2010-04-29 21:43:44 UTC
It seems to have something to do with the ordering of the certs in the file. If
I reverse the order of all the certs in the file, it works fine.
Comment 6 Andre Klapper maemo.org 2010-05-12 19:14:52 UTC
Hi Ted,

(In reply to comment #0)
> Version: 1.2009.42-11.002

That version is quite old. Can you please update to a recent version
(3.2010.02-8, should be possible via Application Manager) and check if this
still happens?
Comment 7 Ted Mielczarek (reporter) 2010-05-20 17:28:37 UTC
I've updated to 3.2010.02-8.002 and I can still reproduce the problem given the
steps provided here.