maemo.org Bugzilla – Bug 10069
possible OpenSSL bug with PEM certificate files (ordering of the certs in the file)
Last modified: 2010-05-20 20:17:54 UTC
EXACT STEPS LEADING TO PROBLEM:
I'm trying to use a PEM file containing a list of CA certificates for use with
libcurl. On my N900, OpenSSL fails to verify an SSL server certificate against
the list of CA certificates (even though the CA cert needed is in the file),
but if I include some other extraneous CA certs in the file, it works. Testing
the same files on my Mac (which also doesn't have a set of CA certificates
configured for OpenSSL), both files work fine.
Here's the command line I'm testing with; I'll attach the certificate files in
openssl verify -CAfile test.crt -purpose sslserver crashreports.crt
View/O=Mozilla Corporation/OU=Mozilla Crash
error 20 at 0 depth lookup:unable to get local issuer certificate
Created an attachment (id=2669) [details]
This is the SSL server certificate (from https://crash-reports.mozilla.com).
Created an attachment (id=2670) [details]
This is test.crt, a PEM file of 133 CA certificates generated from NSS'
certlist.txt. Running openssl verify with this as the -CAfile on
crashreports.crt is successful on the N900.
Created an attachment (id=2671) [details]
This is test-fail.crt, a list of 120 CA certificates from the same
certlist.txt. The 13 certificates that are not listed in this file, but are
listed in test.crt are listed in certlist.txt as being trusted only for email
signing. None of them are the CA that signed crashreports.crt. This file
contains that CA's certificate, and yet the openssl verify command fails using
this file as the -CAfile option on the N900.
As another note, if I create a PEM file containing just the certificate for the
CA that signed crashreports.crt (Equifax), openssl verify succeeds on the N900.
It seems to have something to do with the ordering of the certs in the file. If
I reverse the order of all the certs in the file, it works fine.
(In reply to comment #0)
> Version: 1.2009.42-11.002
That version is quite old. Can you please update to a recent version
(3.2010.02-8, should be possible via Application Manager) and check if this
I've updated to 3.2010.02-8.002 and I can still reproduce the problem given the
steps provided here.
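To separate "the issuer is missing from the bundle" from "the bundle order matters", the following throwaway harness (added here; it is not from the bug report and uses constructed test CAs named ca1 and ca2 plus a leaf signed by ca1) runs the same openssl verify command against bundles assembled in different orders. On a correct OpenSSL build only the bundle that omits the issuer should fail.

```sh
#!/bin/sh
# Constructed reproduction harness (not from the bug report): builds a throwaway
# PKI with two self-signed test CAs and one leaf signed by "ca1", then runs the
# same `openssl verify -CAfile ... -purpose sslserver` check against CA bundles
# assembled in different orders. Certificate order in the -CAfile must not
# change the outcome; only leaving the issuer out should make verification fail.
set -eu

WORK=$(mktemp -d)

# make_ca NAME: self-signed test CA (openssl req -x509 marks it CA:TRUE, so
# `-purpose sslserver` accepts it as an issuer).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf: a server certificate issued by ca1 (the CA we expect to match).
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CAcreateserial \
    -CA "$WORK/ca1.crt" -CAkey "$WORK/ca1.key" -out "$WORK/leaf.crt" 2>/dev/null
}

setup_pki() { make_ca ca1; make_ca ca2; make_leaf; }

# verify_with_bundle NAME...: concatenate the named CA certs into one PEM file
# in the given order and return openssl verify's exit status (0 = chain built).
verify_with_bundle() {
  bundle="$WORK/bundle.crt"
  : > "$bundle"
  for ca in "$@"; do cat "$WORK/$ca.crt" >> "$bundle"; done
  openssl verify -CAfile "$bundle" -purpose sslserver "$WORK/leaf.crt" >/dev/null 2>&1
}

# report NAME...: print the outcome for one bundle order.
report() {
  if verify_with_bundle "$@"; then echo "bundle [$*]: OK"; else echo "bundle [$*]: FAIL"; fi
}

setup_pki
report ca1 ca2   # issuer first
report ca2 ca1   # issuer last: must still succeed
report ca1       # only the issuer, as in the Equifax-only test above
report ca2       # issuer missing: the only legitimate failure
```

If the reversed order fails on one machine but passes on another with the same OpenSSL invocation, the bundle file is not the problem and the difference lies in the OpenSSL build or its configuration on the failing machine.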