Bug 10069 – possible OpenSSL bug with PEM certificate files (ordering of the certs in the file)

Bug 10069 - (int-169980) possible OpenSSL bug with PEM certificate files (ordering of the certs in the file)

(int-169980)
Summary:	possible OpenSSL bug with PEM certificate files (ordering of the certs in the...

Status:	UNCONFIRMED

Product:	Connectivity
Component:	Networking
Version:	5.0/(3.2010.02-8)
Platform:	N900 Maemo

Importance:	Unspecified normal (vote)
Target Milestone:	---
Assigned To:	unassigned
QA Contact:	networking-bugs

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree

Reported:	2010-04-29 20:45 UTC by Ted Mielczarek
Modified:	2010-05-20 20:17 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
crashreports.crt (1.16 KB, text/plain) 2010-04-29 20:47 UTC, Ted Mielczarek	Details
test.crt (192.86 KB, text/plain) 2010-04-29 20:49 UTC, Ted Mielczarek	Details
test-fail.crt (175.06 KB, text/plain) 2010-04-29 20:50 UTC, Ted Mielczarek	Details
Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description Ted Mielczarek (reporter) 2010-04-29 20:45:07 UTC

SOFTWARE VERSION:
Maemo 5
Version: 1.2009.42-11.002


EXACT STEPS LEADING TO PROBLEM:
I'm trying to use a PEM file containing a list of CA certificates for use with
libcurl. On my N900, OpenSSL fails to verify a SSL server certificate against
the list of CA certificates (even though the CA cert needed is in the file),
but if I include some other extraneous CA certs in the file, it works. Testing
the same files on my Mac (which also doesn't have a set of CA certificates
configured for OpenSSL) both files work fine.

Here's the commandline I'm testing with, I'll attach the certificate files in
question:
openssl verify -CAfile test.crt -purpose sslserver crashreports.crt

EXPECTED OUTCOME:
crashreports.crt: OK

ACTUAL OUTCOME:
crashreports.crt:
/serialNumber=lnjbu/qRW/jwP/DQqG4ANL3CQgedx6wn/C=US/ST=California/L=Mountain
View/O=Mozilla Corporation/OU=Mozilla Crash
Reports/CN=crash-reports.mozilla.com
error 20 at 0 depth lookup:unable to get local issuer certificate

REPRODUCIBILITY:
always

Comment 1 Ted Mielczarek (reporter) 2010-04-29 20:47:38 UTC

Created an attachment (id=2669) [details]
crashreports.crt

This is the SSL server certificate (from https://crash-reports.mozilla.com).

Comment 2 Ted Mielczarek (reporter) 2010-04-29 20:49:14 UTC

Created an attachment (id=2670) [details]
test.crt

This is test.crt, a PEM file of 133 CA certificates generated from NSS'
certlist.txt. Running openssl verify with this as the -CAfile on
crashreports.crt is successful on the N900.

Comment 3 Ted Mielczarek (reporter) 2010-04-29 20:50:49 UTC

Created an attachment (id=2671) [details]
test-fail.crt

This is test-fail.crt, a list of 120 CA certificates from the same
certlist.txt. The 13 certificates that are not listed in this file, but are
listed in test.crt are listed in certlist.txt as being trusted only for email
signing. None of them are the CA that signed crashreports.crt. This file
contains that CA's certificate, and yet the openssl verify command fails using
this file as the -CAfile option on the N900.

Comment 4 Ted Mielczarek (reporter) 2010-04-29 20:52:22 UTC

As another note, if I create a PEM file containing just the certificate for the
CA that signed crashreports.crt (Equifax), openssl verify succeeds on the N900.

Comment 5 Ted Mielczarek (reporter) 2010-04-29 21:43:44 UTC

It seems to have something to do with the ordering of the certs in the file. If
I reverse the order of all the certs in the file, it works fine.

Comment 6 Andre Klapper maemo.org

2010-05-12 19:14:52 UTC

Hi Ted,

(In reply to comment #0)
> Version: 1.2009.42-11.002

That version is quite old. Can you please update to a recent version
(3.2010.02-8, should be possible via Application Manager) and check if this
still happens?

Comment 7 Ted Mielczarek (reporter) 2010-05-20 17:28:37 UTC

I've updated to 3.2010.02-8.002 and I can still reproduce the problem given the
steps provided here.