[Bug 396818] Re: openssl s_client behaves strangely without CAPath

Håkon A. Hjortland 396818 at bugs.launchpad.net
Sun Apr 20 09:44:46 UTC 2014


From openssl 1.0.1-4ubuntu5.12 (I hope I traced the chain of functions
correctly):

apps/s_client.c:
--------------------------------------------------------------------------------
        if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
                (!SSL_CTX_set_default_verify_paths(ctx)))
                {
                /* BIO_printf(bio_err,"error setting default verify locations\n"); */
                ERR_print_errors(bio_err);
                /* goto end; */
                }
--------------------------------------------------------------------------------
(CAfile and CApath are the command line option values (NULL if not given).)

ssl/ssl_lib.c:
--------------------------------------------------------------------------------
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
                const char *CApath)
        {
        return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
        }
--------------------------------------------------------------------------------

crypto/x509/x509_d2.c:
--------------------------------------------------------------------------------
int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
                const char *path)
        {
        X509_LOOKUP *lookup;

        if (file != NULL)
                {
                lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
                if (lookup == NULL) return(0);
                if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
                    return(0);
                }
        if (path != NULL)
                {
                lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
                if (lookup == NULL) return(0);
                if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
                    return(0);
                }
        if ((path == NULL) && (file == NULL))
                return(0);
        return(1);
        }
--------------------------------------------------------------------------------

I think the problem is that (path == NULL) && (file == NULL) is treated as an error. That causes the s_client code to abort before it calls SSL_CTX_set_default_verify_paths. If (file != NULL) or (path != NULL) and no other errors are produced, SSL_CTX_set_default_verify_paths will get called. That's why we observe that "-CApath /nonsense" adds the default path. Additionally, loading an arbitrary CA file will work too:
openssl s_client -quiet -CAfile /etc/ssl/certs/Visa_eCommerce_Root.pem -connect google.com:443

It seems strange that default locations are loaded even when -CAfile or
-CApath is given, so in my opinion SSL_CTX_set_default_verify_paths
should only be called when (CAfile == NULL) && (CApath == NULL).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/396818

Title:
  openssl s_client behaves strangely without CAPath

Status in “openssl” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: openssl

  1) lsb_release -rd
  Description:    Ubuntu 8.04.2
  Release:        8.04

  2) apt-cache policy openssl
  openssl:
    Installed: 0.9.8g-4ubuntu3.7
    Candidate: 0.9.8g-4ubuntu3.7
    Version table:
   *** 0.9.8g-4ubuntu3.7 0
          500 http://us.archive.ubuntu.com hardy-updates/main Packages
          500 http://security.ubuntu.com hardy-security/main Packages
          100 /var/lib/dpkg/status
       0.9.8g-4ubuntu3 0
          500 http://us.archive.ubuntu.com hardy/main Packages

  3) openssl s_client -connect gmail.com:443 command should look into the CA directory to verify the cert of the site.
  4) example output:
  Bad behaviour:
  openssl s_client -quiet -connect gmail.com:443
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify error:num=20:unable to get local issuer certificate
  verify return:0
  Bad behaviour:
  openssl s_client -quiet -connect gmail.com:443 -CApath /dev/null
  depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
  verify return:1
  depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
  verify return:1
  depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
  verify return:1

  
  It looks like openssl does not honor the -CApath parameter and takes the default, but if you don't specify -CApath it doesn't look in the CA directory at all

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818/+subscriptions
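The control flow Håkon traces can be checked without linking against OpenSSL. The C program below is an added example, not code from the bug report or from OpenSSL: it models the quoted functions with hypothetical names (model_load_verify_locations, model_set_default_verify_paths, s_client_as_shipped, s_client_proposed) and a constructed verify_state record, assumes that the file and hash-dir lookups themselves succeed (X509_LOOKUP_add_dir only records a directory, so a non-existent -CApath does not fail at this point), and compares which trust sources end up loaded under the shipped `||` short-circuit versus the message's proposal of calling the default-paths function only when neither option was given.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the OpenSSL 1.0.1 apps/s_client.c and
 * X509_STORE_load_locations logic quoted in the bug thread.
 * Hypothetical names; this is not the library's API. */
struct verify_state {
    bool file_loaded;     /* X509_LOOKUP_load_file would have run */
    bool dir_added;       /* X509_LOOKUP_add_dir would have run */
    bool defaults_loaded; /* SSL_CTX_set_default_verify_paths would have run */
};

/* Mirrors X509_STORE_load_locations: 1 on success, 0 when both
 * arguments are NULL. Assumption: the lookups themselves succeed. */
static int model_load_verify_locations(struct verify_state *st,
                                       const char *CAfile, const char *CApath)
{
    if (CAfile != NULL) st->file_loaded = true;
    if (CApath != NULL) st->dir_added = true;
    if (CApath == NULL && CAfile == NULL) return 0;
    return 1;
}

static int model_set_default_verify_paths(struct verify_state *st)
{
    st->defaults_loaded = true;
    return 1;
}

/* s_client as quoted: because of the ||, the default paths are only
 * attempted when model_load_verify_locations returned 1, i.e. when at
 * least one of -CAfile / -CApath was given. */
struct verify_state s_client_as_shipped(const char *CAfile, const char *CApath)
{
    struct verify_state st = {false, false, false};
    if (!model_load_verify_locations(&st, CAfile, CApath) ||
        !model_set_default_verify_paths(&st)) {
        /* error path: the shipped code only prints errors and carries on */
    }
    return st;
}

/* The message's proposal: defaults only when neither option was given,
 * otherwise only the explicitly requested locations. */
struct verify_state s_client_proposed(const char *CAfile, const char *CApath)
{
    struct verify_state st = {false, false, false};
    if (CAfile == NULL && CApath == NULL)
        model_set_default_verify_paths(&st);
    else
        model_load_verify_locations(&st, CAfile, CApath);
    return st;
}

static void show(const char *label, struct verify_state st)
{
    printf("%-32s file=%d dir=%d defaults=%d\n", label,
           st.file_loaded, st.dir_added, st.defaults_loaded);
}

int main(void)
{
    /* The three invocations discussed in the thread. */
    show("shipped: no options", s_client_as_shipped(NULL, NULL));
    show("shipped: -CApath /nonsense", s_client_as_shipped(NULL, "/nonsense"));
    show("shipped: -CAfile <pem>", s_client_as_shipped("/some/ca.pem", NULL));
    show("proposed: no options", s_client_proposed(NULL, NULL));
    show("proposed: -CApath /nonsense", s_client_proposed(NULL, "/nonsense"));
    show("proposed: -CAfile <pem>", s_client_proposed("/some/ca.pem", NULL));
    return 0;
}
```

Running it prints one line per case; with the shipped logic the "no options" row has no trust source at all while the "-CApath /nonsense" row has both the bogus directory and the system defaults, which is exactly the pair of outputs in the original report. With the proposed logic the rows are mutually exclusive: defaults when nothing was given, only the named locations otherwise.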