I noticed that our CA store (/usr/local/ssl/cacert.pem) was pretty old, with
some expired certificates in it, etc.

I exported the certificate list out of a Windows firefox and put that in place
and I thought things were fine.  I did 'openssl verify' on a few of our
certificates from different vendors and all looked good.

Every certificate in this new CA list gave output from 'openssl x509 -text'
without complaint.

Then I found that people complained that alpine didn't work.  That's a mail
client to our imap server.  It was compiled with the openssl library.  alpine
is out of the University of Washington, and their distribution site says they
only take questions from their own population.

The problem is that when it is starting, it binds up in STARTTLS.  I checked
that 'openssl verify' still worked on the mail server certificate against the
new CA list.  I found that if I cut down our CA list to the certs for the
issuing CA, that alpine worked ok as well.  Actually, lots of certs can be in
the CA list, but not all of them.  Maybe I could use trial and error and snip
out some of the ~200 of them and run with the remaining list that alpine still
liked.

By "binding up", it keeps displaying a changing pattern indicating "I'm working
on it", so it's not a loop in openssl; it must be returning to alpine to let it
do its display before trying again, or whatever it's doing.

I guess I could cut the CA list down to CAs we used on campus, but applications
that reach across the Internet might have issues.  I guess people may have been
already having issues with expired CA certs in that prior list, of course.

Anyway, it smells like something that a memory management problem would cause,
like not leaving enough space for a certificate, or issuer name, or subject
name, or something.  However, I don't know how alpine could cause such
interference with openssl.

We had been using an old alpine, v1.10, but I grabbed v2.00 and compiled and
linked it with current openssl and it has the same symptoms.

Can anyone suggest how a program using the openssl libraries to verify
certificates could do something that would trash the verification process?

I'm sorry to bother the list with this, but it would really help me to focus on
a particular set of calls, since the alternative is trying to debug alpine while
learning the openssl calls at the same time.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
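The trial-and-error pruning described in the post (cutting certificates out of the ~200 until the client works again) can be automated as a bisection over the bundle. This is an added example, not code from the poster or from the alpine or OpenSSL projects; `sample_check` and the placeholder PEM blocks are constructed stand-ins, and in real use the check would be a command that runs the client with a timeout against the candidate bundle and exits non-zero when it hangs. It assumes a single culprit certificate and reports "interaction" when neither half fails on its own.

```shell
#!/bin/sh
# Bisect a PEM CA bundle to find the one certificate whose presence makes a
# caller-supplied check fail. Added example; assumes a single culprit.
set -e

# split_bundle BUNDLE DIR: write DIR/cert-NNNN.pem, one certificate per file.
# Comment lines between certificates (as in Mozilla-style bundles) are dropped.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# cat_bundle LISTFILE OUT: concatenate the certificate files named in LISTFILE.
cat_bundle() {
    : > "$2"
    while read -r f; do cat "$f" >> "$2"; done < "$1"
}

# bisect CHECK LISTFILE: halve LISTFILE until one certificate remains that
# alone makes CHECK fail; print its path, or "interaction" if neither half fails.
bisect() {
    check=$1; list=$2
    count=$(wc -l < "$list" | tr -d ' ')
    if [ "$count" -le 1 ]; then cat "$list"; return 0; fi
    half=$((count / 2))
    head -n "$half" "$list" > "$list.a"
    tail -n +"$((half + 1))" "$list" > "$list.b"
    for part in "$list.a" "$list.b"; do
        cat_bundle "$part" "$part.pem"
        if ! "$check" "$part.pem"; then bisect "$check" "$part"; return; fi
    done
    echo interaction
}

# find_bad_cert CHECK BUNDLE: split BUNDLE into a temp dir and bisect it.
find_bad_cert() {
    dir=$(mktemp -d)
    split_bundle "$2" "$dir"
    ls "$dir"/cert-*.pem > "$dir/list"
    bisect "$1" "$dir/list"
}

# Constructed sample (not real certificates): four placeholder PEM blocks.
make_sample_bundle() {
    : > "$1"
    for tag in ok-one ok-two bad-three ok-four; do
        printf '# %s\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER-%s\n-----END CERTIFICATE-----\n' "$tag" "$tag" >> "$1"
    done
}
# Stand-in for the real check (e.g. the mail client run under a timeout):
# succeeds unless the candidate bundle contains the "bad" placeholder.
sample_check() { ! grep -q 'PLACEHOLDER-bad' "$1"; }

bundle=$(mktemp)
make_sample_bundle "$bundle"
echo "culprit: $(find_bad_cert sample_check "$bundle")"
```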
