#29970: openssl: default CApath not honored for tools built against openssl
---------------------------------+------------------------------------------
 Reporter:  dj_mook@…            |       Owner:  mww@…
     Type:  defect               |      Status:  new
 Priority:  Normal               |   Milestone:
Component:  ports                |     Version:  1.9.2
 Keywords:                       |        Port:  openssl
---------------------------------+------------------------------------------
Changes (by macsforever2000@…):

  * owner:  macports-tickets@… => mww@…
  * port:   => openssl


Old description:
> If I install a certificate or certificate bundle to /opt/local/etc/openssl/certs and use c_rehash to generate the hashed symbolic link, openssl and tools linked against it (i.e. wget) do not use the certificate.
>
> The only way to get it to see the certificate is to append it to the cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in that file are honored.
>
> To test this I do the following:
> - rename /opt/local/etc/openssl/cert.pem so it is not interfering with the test.
> - install google's cert chain (www.google.com, thawte, verisign) to /opt/local/etc/openssl/certs/
> - run /opt/local/bin/c_rehash to install the hashed links to the certs
> - run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect www.google.com:443 and succeed
> - run wget -O - https://www.google.com and fail with:
>   ERROR: cannot verify www.google.com’s certificate, issued by “/C=/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA”:
>     Unable to locally verify the issuer’s authority.
> - run lynx https://www.google.com and fail with:
>   Making HTTPS connection to encrypted.google.com
>   SSL callback:unable to get local issuer certificate, preverify_ok=0, ssl_okay=0
>   Retrying connection without TLS.
>   Looking up encrypted.google.com
>   Making HTTPS connection to encrypted.google.com
>   SSL callback:unable to get local issuer certificate, preverify_ok=0, ssl_okay=0
>   Alert!: Unable to make secure connection to remote host.
>
>   lynx: Can't access startfile https://www.google.com/
> - if the certificates are appended to /opt/local/etc/openssl/cert.pem then wget and lynx requests to https://www.google.com work
>
> This issue affects all tools built against openssl.
New description:

 If I install a certificate or certificate bundle to /opt/local/etc/openssl/certs and use c_rehash to generate the hashed symbolic link, openssl and tools linked against it (i.e. wget) do not use the certificate.

 The only way to get it to see the certificate is to append it to the cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in that file are honored.

 To test this I do the following:
 - rename /opt/local/etc/openssl/cert.pem so it is not interfering with the test.
 - install google's cert chain (www.google.com, thawte, verisign) to /opt/local/etc/openssl/certs/
 - run /opt/local/bin/c_rehash to install the hashed links to the certs
 - run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect www.google.com:443 and succeed
 - run wget -O - https://www.google.com and fail with:
 {{{
 ERROR: cannot verify www.google.com’s certificate, issued by “/C=/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA”:
   Unable to locally verify the issuer’s authority.
 }}}
 - run lynx https://www.google.com and fail with:
 {{{
 Making HTTPS connection to encrypted.google.com
 SSL callback:unable to get local issuer certificate, preverify_ok=0, ssl_okay=0
 Retrying connection without TLS.
 Looking up encrypted.google.com
 Making HTTPS connection to encrypted.google.com
 SSL callback:unable to get local issuer certificate, preverify_ok=0, ssl_okay=0
 Alert!: Unable to make secure connection to remote host.

 lynx: Can't access startfile https://www.google.com/
 }}}
 - if the certificates are appended to /opt/local/etc/openssl/cert.pem then wget and lynx requests to https://www.google.com work

 This issue affects all tools built against openssl.

--

Comment:

 I fixed it for you. In the future, look at WikiFormatting and use the Preview button. Also fill in the Port: field and Cc the maintainer as per the [http://guide.macports.org/#project.tickets Ticket Guidelines].
--
Ticket URL: <https://trac.macports.org/ticket/29970#comment:2>
MacPorts <http://www.macports.org/>
Ports system for Mac OS