Package: openssl
Version: 1.0.2d-1
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
It looks like openssl s_client is not providing any way to disregard the
system's trusted CAs anymore... and this is a regression from Jessie.
With 1.0.2d-1 (sid):

$ strace -f -e open openssl s_client -no_alt_chains -CAfile /dev/null -CApath /var/empty/ -connect imap.gmail.com:imaps
....
open("/usr/lib/ssl/certs/578d5c04.0", O_RDONLY) = 4
....
Verify return code: 0 (ok)
With 1.0.1k-3+deb8u1 (Jessie):

$ openssl s_client -CAfile /dev/null -CApath /var/empty/ -connect imap.gmail.com:imaps
....
Verify return code: 20 (unable to get local issuer certificate)
Other options like -verify_return_error don't seem to help either...

Three questions spring to mind:
- How can we get it to do what's expected? (New options have been introduced... but I can't seem to find the equivalent of -trusted for openssl verify.)
- Is it sane to change the behaviour like that without documenting it?
Regards,
Florent
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.0.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssl depends on:
ii libc6 2.19-19
ii libssl1.0.0 1.0.2d-1
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20150426
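The following script is an added example and is not part of the bug report or of the openssl package. It shows how to check, on a given openssl binary, that a verification really is restricted to the trust anchors you hand it: it builds a throwaway CA, an unrelated CA and a leaf certificate issued by the first CA, lays each CA out in a hashed -CApath directory of the same <subject_hash>.0 form as the /usr/lib/ssl/certs/578d5c04.0 file in the strace output above, and then runs openssl verify with the default locations switched off. The -no-CAfile and -no-CApath options exist in OpenSSL 1.1.0 and later and -no-CAstore in 3.x (they were not available in the 1.0.2 s_client this report is about, so this cannot reproduce the report's case, only help confirm behaviour on newer builds). All certificates, names and directories are constructed for the example; a working openssl in PATH is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): build a throwaway PKI and check
# which trust anchors "openssl verify" honours when given only our own
# hashed -CApath directory. Nothing here touches the system store.

# Options that tell the openssl CLI to skip every default location.
# -no-CAfile/-no-CApath exist since 1.1.0; -no-CAstore only in 3.x, so it is
# added only when this binary advertises it in its help text.
isolation_opts() {
    opts="-no-CAfile -no-CApath"
    if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
        opts="$opts -no-CAstore"
    fi
    echo "$opts"
}

# make_pki DIR: a test CA ("ca"), an unrelated CA ("other") and a leaf
# certificate issued by the test CA. All constructed, valid for one day.
make_pki() {
    pki="$1"
    mkdir -p "$pki"
    # Minimal req config: an (empty) DN section so -subj can be used, and a
    # v3_ca section so the self-signed certs carry CA:TRUE and keyCertSign,
    # which the verifier requires of anything acting as an issuer.
    cat > "$pki/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    for ca in ca other; do
        openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
            -nodes -config "$pki/req.cnf" -extensions v3_ca -days 1 \
            -subj "/CN=Constructed $ca" \
            -keyout "$pki/$ca.key" -out "$pki/$ca.pem"
    done
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$pki/req.cnf" -subj "/CN=leaf.example.test" \
        -keyout "$pki/leaf.key" -out "$pki/leaf.csr"
    openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/ca.pem" -CAkey "$pki/ca.key" \
        -CAcreateserial -days 1 -out "$pki/leaf.pem"
}

# make_hashdir DIR [CERT...]: a -CApath directory in the <subject_hash>.0
# layout that the by_dir lookup expects (same naming as 578d5c04.0 above).
make_hashdir() {
    hdir="$1"; shift
    mkdir -p "$hdir"
    for cert in "$@"; do
        cp "$cert" "$hdir/$(openssl x509 -noout -subject_hash -in "$cert").0"
    done
}

# verify_against CAPATH CERT: prints OK or FAIL. Only CAPATH is consulted;
# the default file, directory and store are explicitly disabled.
verify_against() {
    # word splitting of the option list is intended
    if openssl verify $(isolation_opts) -CApath "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Stand-alone run (sh this_script.sh demo): only the store holding our own
# CA may succeed; an unrelated CA and an empty directory must both fail.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_pki "$work/pki"
    make_hashdir "$work/trusted" "$work/pki/ca.pem"
    make_hashdir "$work/wrong"   "$work/pki/other.pem"
    make_hashdir "$work/empty"
    echo "own CA:    $(verify_against "$work/trusted" "$work/pki/leaf.pem")"
    echo "other CA:  $(verify_against "$work/wrong"   "$work/pki/leaf.pem")"
    echo "empty dir: $(verify_against "$work/empty"   "$work/pki/leaf.pem")"
    rm -rf "$work"
fi
```

Because the leaf is issued by a CA that exists nowhere but in the temporary directory, the "wrong" and "empty" cases fail whether or not a build quietly adds the system store, so this only proves the positive path and the hashed-directory layout. To confirm that a particular build does not open /usr/lib/ssl/certs behind your back, the strace -e open check from the report above remains the direct way: any open() of a file under the system certs directory while isolated options are in effect is the symptom described here.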