Bug 10069 - (int-169980) possible OpenSSL bug with PEM certificate files (ordering of the certs in the file)
Status: UNCONFIRMED
Product: Connectivity
Component: Networking
Version: 5.0/(3.2010.02-8)
Platform: N900 Maemo
Importance: Unspecified normal
Target Milestone: ---
Assigned To: unassigned
QA Contact: networking-bugs
Reported: 2010-04-29 20:45 UTC by Ted Mielczarek
Modified: 2010-05-20 20:17 UTC (History)

Attachments:
crashreports.crt (1.16 KB, text/plain), 2010-04-29 20:47 UTC, Ted Mielczarek
test.crt (192.86 KB, text/plain), 2010-04-29 20:49 UTC, Ted Mielczarek
test-fail.crt (175.06 KB, text/plain), 2010-04-29 20:50 UTC, Ted Mielczarek



Description Ted Mielczarek (reporter) 2010-04-29 20:45:07 UTC
SOFTWARE VERSION:
Maemo 5
Version: 1.2009.42-11.002


EXACT STEPS LEADING TO PROBLEM:
I'm trying to use a PEM file containing a list of CA certificates for use with
libcurl. On my N900, OpenSSL fails to verify an SSL server certificate against
the list of CA certificates (even though the CA cert needed is in the file),
but if I include some other extraneous CA certs in the file, it works. Testing
the same files on my Mac (which also doesn't have a set of CA certificates
configured for OpenSSL), both files work fine.

Here's the command line I'm testing with; I'll attach the certificate files in
question:
openssl verify -CAfile test.crt -purpose sslserver crashreports.crt

EXPECTED OUTCOME:
crashreports.crt: OK

ACTUAL OUTCOME:
crashreports.crt:
/serialNumber=lnjbu/qRW/jwP/DQqG4ANL3CQgedx6wn/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=Mozilla Crash Reports/CN=crash-reports.mozilla.com
error 20 at 0 depth lookup:unable to get local issuer certificate

REPRODUCIBILITY:
always
Comment 1 Ted Mielczarek (reporter) 2010-04-29 20:47:38 UTC
Created an attachment (id=2669)
crashreports.crt

This is the SSL server certificate (from https://crash-reports.mozilla.com).
Comment 2 Ted Mielczarek (reporter) 2010-04-29 20:49:14 UTC
Created an attachment (id=2670)
test.crt

This is test.crt, a PEM file of 133 CA certificates generated from NSS'
certlist.txt. Running openssl verify with this as the -CAfile on
crashreports.crt is successful on the N900.
Comment 3 Ted Mielczarek (reporter) 2010-04-29 20:50:49 UTC
Created an attachment (id=2671)
test-fail.crt

This is test-fail.crt, a list of 120 CA certificates from the same
certlist.txt. The 13 certificates that are not listed in this file, but are
listed in test.crt are listed in certlist.txt as being trusted only for email
signing. None of them are the CA that signed crashreports.crt. This file
contains that CA's certificate, and yet the openssl verify command fails using
this file as the -CAfile option on the N900.
Comment 4 Ted Mielczarek (reporter) 2010-04-29 20:52:22 UTC
As another note, if I create a PEM file containing just the certificate for the
CA that signed crashreports.crt (Equifax), openssl verify succeeds on the N900.
Comment 5 Ted Mielczarek (reporter) 2010-04-29 21:43:44 UTC
It seems to have something to do with the ordering of the certs in the file. If
I reverse the order of all the certs in the file, it works fine.
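A diagnostic for the ordering symptom described in comments 4 and 5, added here as an example and not code from the reporter or the Maemo project: it splits a PEM bundle into its certificate blocks and runs `openssl verify` with the bundle as-is, reversed, and with each certificate alone, so an order-dependent lookup failure shows up as differing results for the same set of CAs. It assumes an `openssl` binary on PATH; the script file name `bundle_order.py` is an assumption.

```python
# Added diagnostic, not the reporter's code; assumes `openssl` is on PATH.
import re
import subprocess
import sys
import tempfile
from pathlib import Path

# One PEM certificate block; text between blocks (comments, blank lines) is ignored.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(text: str) -> list[str]:
    """Return the certificate blocks of a PEM bundle in file order."""
    return PEM_BLOCK.findall(text)

def join_bundle(blocks) -> str:
    """Reassemble blocks into bundle text, one certificate per block."""
    return "\n".join(blocks) + "\n"

def orderings(blocks):
    """Variants to compare: whole bundle as-is, reversed, then each cert alone."""
    yield "as-is", list(blocks)
    yield "reversed", list(reversed(blocks))
    for i, block in enumerate(blocks, 1):
        yield f"only cert {i}", [block]

def verify(leaf: Path, bundle_text: str, purpose: str = "sslserver") -> tuple[bool, str]:
    """Run `openssl verify -CAfile <tmp> -purpose <purpose> <leaf>` on a temp bundle.
    Success is read from the '<leaf>: OK' line, not the exit code: older OpenSSL
    releases exit 0 even when verification fails."""
    with tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False) as tmp:
        tmp.write(bundle_text)
    try:
        proc = subprocess.run(
            ["openssl", "verify", "-CAfile", tmp.name, "-purpose", purpose, str(leaf)],
            capture_output=True, text=True, check=False)
    finally:
        Path(tmp.name).unlink(missing_ok=True)
    output = (proc.stdout + proc.stderr).strip()
    return f"{leaf}: OK" in output.splitlines(), output

def report(leaf: Path, bundle: Path) -> dict[str, bool]:
    """Print one line per variant and return {variant label: verified?}."""
    results = {}
    for label, variant in orderings(split_bundle(bundle.read_text())):
        ok, output = verify(leaf, join_bundle(variant))
        results[label] = ok
        print(f"{label:>12}: {'OK' if ok else 'FAIL'}  {output.splitlines()[-1] if output else ''}")
    return results

if __name__ == "__main__":
    report(Path(sys.argv[1]), Path(sys.argv[2]))
```

Run as `python3 bundle_order.py crashreports.crt test-fail.crt`; if "as-is" fails while "reversed" and the single issuer cert pass, the verifier is order-sensitive rather than missing the CA.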
Comment 6 Andre Klapper maemo.org 2010-05-12 19:14:52 UTC
Hi Ted,

(In reply to comment #0)
> Version: 1.2009.42-11.002

That version is quite old. Can you please update to a recent version
(3.2010.02-8, should be possible via Application Manager) and check if this
still happens?
Comment 7 Ted Mielczarek (reporter) 2010-05-20 17:28:37 UTC
I've updated to 3.2010.02-8.002 and I can still reproduce the problem given the
steps provided here.