Package: openssl Version: 1.0.0d-2 Severity: normal Tags: d-i
When connecting with openssl to for example, the Freenode irc network, with the following command: openssl s_client -CApath /etc/ssl/certs/ -connect chat.freenode.net:7000 Verification of the certificate fails. However, a command such as: openssl s_client -CAfile <( find /etc/ssl/certs/ -name '*.crt' -exec cat {} + ) -connect chat.freenode.net:7000 ....*does* succeed. Inspection of openssl with strace reveals: stat64("/usr/share/ca-certificates//b13cc6df.0", 0xbfc8badc) = -1 ENOENT (No such file or directory) The two consecutive slashes indicate an empty variable might be the cause, and openssl does not properly recurse through the certificate directories with the -CApath option. openssl then gives up with: Verify return code: 20 (unable to get local issuer certificate) This error affects an irc client like irssi as well, and a bug was filed against irssi, which should have been filed against openssl. Will notify irssi devs that this report was filed. Previous versions of Debian's openssl (0.9.8) were said not to exhibit the bug. One other non-Debian (Gentoo) using irssi user reported they *could* connect correctly using openssl-1.0.0d. The command using the -CAfile option above is an effective workaround. -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: i386 (i686) Kernel: Linux 2.6.38-3.slh.2-aptosid-686 (SMP w/1 CPU core; PREEMPT) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages openssl depends on: ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib ii libssl1.0.0 1.0.0d-2 SSL shared libraries ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime openssl recommends no packages. Versions of packages openssl suggests: ii ca-certificates 20090814+nmu3 Common CA certificates -- no debconf information -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org