Opened 13 years ago
Last modified 11 years ago
#29970 closed defect
openssl: default CApath not honored for tools built against openssl — at Initial Version
Reported by: | dj_mook@… | Owned by: | macports-tickets@… |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 1.9.2 |
Keywords: | | Cc: | |
Port: | openssl | | |
Description
If I install a certificate or certificate bundle to /opt/local/etc/openssl/certs and use c_rehash to generate the hashed symbolic link, openssl and tools linked against it (i.e. wget) do not use the certificate.
The only way to get it to see the certificate is to append it to the cafile location of /opt/local/etc/openssl/cert.pem. Only certificates in that file are honored.
To test this I do the following:
- rename /opt/local/etc/openssl/cert.pem so it is not interfering with the test.
- install Google's cert chain (www.google.com, Thawte, VeriSign) to /opt/local/etc/openssl/certs/
- run /opt/local/bin/c_rehash to install the hashed links to the certs
- run openssl s_client -CApath /opt/local/etc/openssl/certs/ -connect www.google.com:443 and succeed
- run wget -O - https://www.google.com and fail with:
ERROR: cannot verify www.google.com’s certificate, issued by “/C=/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA”:
Unable to locally verify the issuer’s authority.
- run lynx https://www.google.com and fail with:
Making HTTPS connection to encrypted.google.com
SSL callback:unable to get local issuer certificate, preverify_ok=0, ssl_okay=0
Retrying connection without TLS.
Looking up encrypted.google.com
Making HTTPS connection to encrypted.google.com
SSL callback:unable to get local issuer certificate, preverify_ok=0, ssl_okay=0
Alert!: Unable to make secure connection to remote host.
lynx: Can't access startfile https://www.google.com/
- if the certificates are appended to /opt/local/etc/openssl/cert.pem then wget and lynx requests to https://www.google.com work
This issue affects all tools built against openssl.
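Added example, not part of the ticket and not MacPorts' or OpenSSL's own code: the reporter's test procedure reproduced offline, with a throwaway CA standing in for Google's chain and `openssl verify` standing in for the linked applications. The file names under $WORK and the CA subject are made up for the example. The hashed link is created by hand the way c_rehash would name it, and SSL_CERT_DIR (the documented environment override for the library's default CApath) is used to probe the default lookup that wget and lynx go through when they call SSL_CTX_set_default_verify_paths(). A pass with -CApath and with SSL_CERT_DIR shows the hashed-directory lookup itself works; the bare default-paths run fails here only because the throwaway CA is not installed in the OPENSSLDIR the script prints first.

```sh
#!/bin/sh
# Added example (not from the ticket): offline check of whether this OpenSSL
# build looks in a hashed CApath directory as well as in its cert.pem CAfile.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/certs"          # stand-in for /opt/local/etc/openssl/certs
CA="$WORK/ca.pem"            # throwaway CA, assumed name
LEAF="$WORK/leaf.pem"        # certificate issued by that CA, assumed name

# Where this openssl binary expects its default CAfile/CApath to live.
show_default_dir() {
    openssl version -d
}

# What c_rehash (or `openssl rehash` on 1.1.0+) does for one certificate:
# link it as <subject_hash>.N in the directory. OpenSSL 1.0.0 and later look
# up the SHA-1 based -subject_hash; 0.9.8 used the value of -subject_hash_old.
install_hashed() {
    cert=$1; dir=$2
    h=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$dir/$h.$n"
}

# Create the throwaway CA and a leaf certificate signed by it, then install
# the CA into the hashed directory. Safe to call more than once.
setup_pki() {
    [ -f "$LEAF" ] && return 0
    mkdir -p "$CADIR"
    cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Added-example test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -config "$WORK/req.cnf" -extensions v3_ca \
        -subj "/CN=Added-example test CA" \
        -keyout "$WORK/ca.key" -out "$CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORK/req.cnf" -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$CA" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$LEAF" >/dev/null 2>&1
    install_hashed "$CA" "$CADIR"
}

# Explicit -CApath: the step that succeeded with s_client in the ticket.
verify_with_capath() {
    openssl verify -CApath "$CADIR" "$LEAF" >/dev/null 2>&1
}

# Default lookup, with the directory supplied through the environment.
# Any application that calls SSL_CTX_set_default_verify_paths() honours this.
verify_via_env_dir() {
    SSL_CERT_DIR="$CADIR" openssl verify "$LEAF" >/dev/null 2>&1
}

# Default lookup only: the throwaway CA is not in OPENSSLDIR, so this fails.
verify_via_default_paths() {
    openssl verify "$LEAF" >/dev/null 2>&1
}

report() {
    show_default_dir
    for f in verify_with_capath verify_via_env_dir verify_via_default_paths; do
        if "$f"; then echo "$f: OK"; else echo "$f: verification failed"; fi
    done
}

setup_pki
report
```

Against a real installation the same probe is `SSL_CERT_DIR=/opt/local/etc/openssl/certs wget -O - https://www.google.com`: if that works while the plain command fails, the library does read hashed directories and the compiled-in default directory (compare `openssl version -d`) is what differs; if it still fails, the application is not asking the library for its default paths at all.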