[Bug 335225] Re: "openssl verify -CAfile mutil_ca.pem site.cert" fails even if mutil_ca.pem contains the chain for site.cert

Maarten Bezemer maarten.bezemer at gmail.com
Fri May 11 10:42:23 UTC 2012


Thank you for taking the time to report this bug and helping to make
Ubuntu better. We are sorry that we do not always have the capacity to
look at all reported bugs in a timely manner. There have been many
changes in Ubuntu since that time you reported the bug and your problem
may have been fixed with some of the updates. It would help us a lot if
you could test it on a currently supported Ubuntu version. When you test
it and it is still an issue, kindly upload the updated logs by running
apport-collect 335225 and any other logs that are relevant for this
particular issue.

** Changed in: openssl (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/335225

Title:
  "openssl verify -CAfile mutil_ca.pem site.cert" fails even if
  mutil_ca.pem contains the chain for site.cert

Status in “openssl” package in Ubuntu:
  Incomplete

Bug description:
  Binary package hint: openssl

  Verification fails even if the CAfile contains the CA root certificates chain
  for the site cert.

  Steps:

  I have a CAfile.pem (all these files are attached in testfiles.tgz)
  containing lots of CA root certificates.
  I run the following command

  $ openssl verify -CAfile CAfile.pem aol.cert
  aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
  error 20 at 0 depth lookup:unable to get local issuer certificate

  $ openssl verify -CAfile CAfile.pem akamai.cert
  akamai.cert: OK

  Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem and rename it
  to CAfile2.pem
  $ cat CAfile.pem aolca.pem > CAfile2.pem

  and run the following commands

  $ openssl verify -CAfile CAfile2.pem aol.cert
  aol.cert: OK

  $ openssl verify -CAfile CAfile2.pem akamai.cert
  akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
  error 20 at 0 depth lookup:unable to get local issuer certificate

  The verification for aol.cert passes as expected, but failing to verify
  akamai.cert is unexpected.

  If I configure/compile openssl with the "-d" option, openssl will fail to load
  CAfile.pem

  $ openssl verify -CAfile CAfile.pem akamai.cert

   Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.

  ElectricFence Exiting: mprotect() failed: Cannot allocate memory

  This issue happens in both 0.9.8j and the stock 0.9.8g in Ubuntu 8.10.
  If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/
  since openssl will try to load these CA root certificates as a last
  resort (or try it with strace to make sure openssl is not accessing them).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/335225/+subscriptions
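Added example, not part of the bug report or of Ubuntu's openssl package: a throwaway root CA, intermediate CA and leaf certificate (all names constructed) used to show when `openssl verify -CAfile` reports "unable to get local issuer certificate" and when it reports OK. It assumes openssl(1) 1.1.1 or newer with a default openssl.cnf on the PATH.

```shell
#!/bin/sh
# Added example: build root -> intermediate -> leaf, then verify the leaf
# against bundles that do and do not contain the full issuer chain.
# All certificate names are constructed for this demonstration.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 2 >/dev/null 2>&1

# Intermediate CA signed by the root (CA:TRUE so it may issue the leaf).
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 2 -extfile inter.ext >/dev/null 2>&1

# End-entity (leaf) certificate signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example.test" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 2 -extfile leaf.ext >/dev/null 2>&1

# Two bundles: the root alone, and root + intermediate (a complete chain).
cat root.pem > bundle_root_only.pem
cat root.pem inter.pem > bundle_full.pem

# count_certs BUNDLE -> number of PEM certificates the bundle contains
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_with BUNDLE LEAF [extra openssl verify options] -> prints OK or FAIL
verify_with() {
  bundle=$1; leaf=$2; shift 2
  if openssl verify -CAfile "$bundle" "$@" "$leaf" >/dev/null 2>&1; then
    printf 'OK\n'
  else
    printf 'FAIL\n'   # openssl prints e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
  fi
}

echo "root only:        $(verify_with bundle_root_only.pem leaf.pem)"            # FAIL
echo "root + inter:     $(verify_with bundle_full.pem leaf.pem)"                 # OK
echo "root, -untrusted: $(verify_with root.pem leaf.pem -untrusted inter.pem)"   # OK
```

The third case shows the usual alternative to growing the -CAfile bundle: pass intermediates with -untrusted and keep only roots in the trust store.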