[Bug 335225] Re: "openssl verify -CAfile mutil_ca.pem site.cert" fails even if mutil_ca.pem contains the chain for site.cert

Adrien Nader 335225 at bugs.launchpad.net
Mon Jul 17 20:13:52 UTC 2023 

I'm going to mark this bug as Won't Fix because we don't have a
confirmation and I can't tell if this was actually merged and/or fixed
in a new openssl version even though both seem likely.

** Changed in: openssl (Ubuntu)
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssl in Ubuntu.
https://bugs.launchpad.net/bugs/335225

Title:
  "openssl verify -CAfile mutil_ca.pem site.cert" fails even if
  mutil_ca.pem contains the chain for site.cert

Status in openssl package in Ubuntu:
  Won't Fix

Bug description:
  Binary package hint: openssl

  Verification fails even if the CAfile contains the CA root certificates chain
  for the site cert.

  Steps:

  I have a CAfile.pem (all these files attached in testfiles.tgz)
  contains lots of CA root certificates.
  I run the following command

  $ openssl verify -CAfile CAfile.pem aol.cert
  aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
  error 20 at 0 depth lookup:unable to get local issuer certificate

  $ openssl verify -CAfile CAfile.pem akamai.cert
  akamai.cert: OK

  Then I append aolca.pem(AOL Member CA) in the end of CAfile.pem, rename it
  to CAfile2.pem
  $ cat CAfile.pem aolca.pem > CAfile2.pem

  and run the following commands

  $ openssl verify -CAfile CAfile2.pem aol.cert
  aol.cert: OK

  $ openssl verify -CAfile CAfile2.pem akamai.cert
  akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
  error 20 at 0 depth lookup:unable to get local issuer certificate

  The verification for aol.cert passes as expected, but failing to verify
  akamai.cert is unexpected.

  If I configure/compile openssl with "-d" option, openssl will fail to load the
  CAfile.pem

  $ openssl verify -CAfile CAfile.pem akamai.cert

   Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.

  ElectricFence Exiting: mprotect() failed: Cannot allocate memory

  This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10
  If you try to re-produce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/
  since openssl will try to load these CA root certificates as last
  resort.(or try it with strace to make sure openssl is not accessing them)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/335225/+subscriptions

More information about the foundations-bugs mailing list