maemo.org Bugzilla – Bug 10069
possible OpenSSL bug with PEM certificate files (ordering of the certs in the file)
Last modified: 2010-05-20 20:17:54 UTC
SOFTWARE VERSION: Maemo 5 Version: 1.2009.42-11.002

EXACT STEPS LEADING TO PROBLEM:
I'm trying to use a PEM file containing a list of CA certificates for use with libcurl. On my N900, OpenSSL fails to verify an SSL server certificate against the list of CA certificates (even though the CA cert needed is in the file), but if I include some other extraneous CA certs in the file, it works. Testing the same files on my Mac (which also doesn't have a set of CA certificates configured for OpenSSL), both files work fine.

Here's the command line I'm testing with; I'll attach the certificate files in question:

openssl verify -CAfile test.crt -purpose sslserver crashreports.crt

EXPECTED OUTCOME:
crashreports.crt: OK

ACTUAL OUTCOME:
crashreports.crt: /serialNumber=lnjbu/qRW/jwP/DQqG4ANL3CQgedx6wn/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla Crash Reports/CN=crash-reports.mozilla.com
error 20 at 0 depth lookup:unable to get local issuer certificate

REPRODUCIBILITY: always
Created an attachment (id=2669): crashreports.crt. This is the SSL server certificate (from https://crash-reports.mozilla.com).
Created an attachment (id=2670): test.crt. This is test.crt, a PEM file of 133 CA certificates generated from NSS' certlist.txt. Running openssl verify with this as the -CAfile on crashreports.crt is successful on the N900.
Created an attachment (id=2671): test-fail.crt. This is test-fail.crt, a list of 120 CA certificates from the same certlist.txt. The 13 certificates that are not listed in this file, but are listed in test.crt, are listed in certlist.txt as being trusted only for email signing. None of them are the CA that signed crashreports.crt. This file contains that CA's certificate, and yet the openssl verify command fails using this file as the -CAfile option on the N900.
As another note, if I create a PEM file containing just the certificate for the CA that signed crashreports.crt (Equifax), openssl verify succeeds on the N900.
It seems to have something to do with the ordering of the certs in the file. If I reverse the order of all the certs in the file, it works fine.
Hi Ted,

(In reply to comment #0)
> Version: 1.2009.42-11.002

That version is quite old. Can you please update to a recent version (3.2010.02-8, should be possible via Application Manager) and check if this still happens?
I've updated to 3.2010.02-8.002 and I can still reproduce the problem given the steps provided here.
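The following script is an added example, not code from the reporter, from Maemo or from OpenSSL. It reproduces the report's test method with a throwaway PKI so the ordering question can be checked on any machine with the openssl CLI: it builds a root CA, an intermediate CA, a server leaf and two unrelated "padding" CAs (all names are constructed for the example), writes the CA bundle with the issuer chain buried in the padding in forward and reversed order, and runs the same `openssl verify -CAfile ... -purpose sslserver` as the report, plus a negative control with the issuer left out, which gives the report's "error 20 ... unable to get local issuer certificate". It also shows the hashed `-CApath` directory form, where OpenSSL looks issuers up by subject-name hash rather than by position in a file, so a bundle-ordering problem cannot affect it. It assumes `openssl` is on PATH and uses `WORK` as a scratch directory.

```shell
#!/bin/sh
# Added example (not from the bug report, Maemo or OpenSSL): reproduce the
# report's experiment with a locally generated PKI.
# Assumptions: openssl CLI on PATH; WORK is a scratch directory (constructed).
set -e
WORK="${WORK:-$(mktemp -d)}"

# gen_ca <name> <subject-CN>: self-signed CA with explicit CA:TRUE extensions,
# so the result does not depend on the distribution's openssl.cnf defaults.
gen_ca() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# gen_signed <name> <subject-CN> <issuer-name> <extfile>: cert issued by a CA above.
gen_signed() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 30 -extfile "$4" -out "$WORK/$1.crt" 2>/dev/null
}

# Build root -> intermediate -> leaf plus two CAs unrelated to the leaf.
make_pki() {
  [ -f "$WORK/leaf.crt" ] && return 0   # idempotent on repeated calls
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"
  gen_ca root "Test Root CA"
  gen_ca pad1 "Unrelated CA 1"
  gen_ca pad2 "Unrelated CA 2"
  gen_signed inter "Test Intermediate CA" root "$WORK/ca.ext"
  gen_signed leaf "server.example.test" inter "$WORK/leaf.ext"
}

# write_bundle <outname> <ca-name>...: concatenate CA certs in the given order; prints path.
write_bundle() {
  out="$WORK/$1.pem"; shift
  : > "$out"
  for n in "$@"; do cat "$WORK/$n.crt" >> "$out"; done
  echo "$out"
}

# Same command as the report; prints OK or FAIL so callers can compare results.
# Note: OpenSSL 1.1.0+ also consults the default -CApath when only -CAfile is
# given; that cannot help here because these CAs exist only in $WORK.
verify_with_bundle() {
  if openssl verify -CAfile "$1" -purpose sslserver "$WORK/leaf.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# check_order forward|reverse|missing: the report's experiment. The issuer
# chain sits between unrelated CAs; "missing" omits the intermediate and is
# expected to fail with the report's error 20 (unable to get local issuer).
check_order() {
  make_pki
  case "$1" in
    forward) b=$(write_bundle fwd pad1 root inter pad2) ;;
    reverse) b=$(write_bundle rev pad2 inter root pad1) ;;
    missing) b=$(write_bundle miss pad1 root pad2) ;;
    *) echo "usage: check_order forward|reverse|missing" >&2; return 2 ;;
  esac
  verify_with_bundle "$b"
}

# build_capath <dir> <ca-name>...: hashed directory as used by -CApath, one
# file per CA named <subject-hash>.<n>; lookup is by hash, not by file order.
build_capath() {
  dir="$1"; shift
  rm -rf "$dir"; mkdir -p "$dir"
  for n in "$@"; do
    h=$(openssl x509 -noout -hash -in "$WORK/$n.crt")
    i=0; while [ -e "$dir/$h.$i" ]; do i=$((i+1)); done   # resolve hash collisions
    cp "$WORK/$n.crt" "$dir/$h.$i"
  done
}

check_capath() {
  make_pki
  build_capath "$WORK/hashed" pad1 root inter pad2
  if openssl verify -CApath "$WORK/hashed" -purpose sslserver "$WORK/leaf.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

echo "forward bundle:  $(check_order forward)"
echo "reversed bundle: $(check_order reverse)"
echo "issuer missing:  $(check_order missing)"
echo "hashed -CApath:  $(check_capath)"
```

On a current OpenSSL both bundle orders are expected to print OK and only the "missing" control FAIL; an OK for one order and FAIL for the other would reproduce the symptom the report describes. The hash used for the `-CApath` filenames must come from the same OpenSSL generation as the library doing the verification (the `-hash` output of the same binary is the safe choice), since the subject-name hash algorithm changed between OpenSSL 0.9.8 and 1.0.0.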