[openssl.org #2994] OpenSSL upgrade issue

2014-08-17 Thread Rich Salz via RT
Solution is as described: re-run c_rehash
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


[openssl.org #2994] OpenSSL upgrade issue

2013-02-19 Thread Sushil H Sharma via RT
Hi Team,

We have encountered an OpenSSL-related upgrade issue in our product.
We have opened a bug in Bugzilla on the Red Hat development site.
Below are the details of the bug:

Link: https://bugzilla.redhat.com/show_bug.cgi?id=912610

--
Description of problem:
We have upgraded OpenSSL from 0.9.8 to 1.0.1 and have found a problem while
trying to verify a certificate that was created using the 0.9.8 libraries.
The verify command fails, and as a result client validation using the same
certificate fails.

netqf140:/etc/opt/ibm/icc/truststore # /opt/ibm/icc/bin/openssl version
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.1 14 Mar 2012
netqf140:/etc/opt/ibm/icc/truststore # /opt/ibm/icc/bin/openssl version
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.1 14 Mar 2012
netqf140:/etc/opt/ibm/icc/truststore # openssl version
OpenSSL 0.9.8h 28 May 2008
netqf140:/etc/opt/ibm/icc/truststore # ll
total 12
-rw--- 1 root root 981 Feb 18 05:22 a533da62.0
-rw--- 1 root root 977 Jan 11 05:17 aaada30a.0
-rw--- 1 root root 973 Jan 21 12:16 adcfb619.0
netqf140:/etc/opt/ibm/icc/truststore # /opt/ibm/icc/bin/openssl verify -CApath /etc/opt/ibm/icc/truststore a533da62.0
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
a533da62.0: C = US, ST = NC, L = RTP, O = Director Development, OU = IBM Corporation, CN = IBM Director on 10.12.200.214 1327360788187
error 18 at 0 depth lookup:self signed certificate
OK
netqf140:/etc/opt/ibm/icc/truststore # openssl verify -CApath /etc/opt/ibm/icc/truststore a533da62.0
a533da62.0: OK
netqf140:/etc/opt/ibm/icc/truststore #

Version-Release number of selected component (if applicable):
Problem seen with OpenSSL 1.0.1.
Old version : OpenSSL 0.9.8h

The same issue is seen if the steps are done vice versa.

How reproducible:
Create an X.509 certificate using 0.9.8 and store it in the truststore, upgrade
OpenSSL and verify the old certificate using the verify command.
Error 18 is seen for the self-signed certificate.


Steps to Reproduce:
1. Create an X.509 certificate and save the hash file in the truststore.
2. Upgrade OpenSSL to 1.0.1.
3. Try to verify the certificate using the verify command and specify -CApath as
the truststore path.
 
Actual results:

netqf140:/etc/opt/ibm/icc/truststore # /opt/ibm/icc/bin/openssl verify -CApath /etc/opt/ibm/icc/truststore a533da62.0
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
a533da62.0: C = US, ST = NC, L = RTP, O = Director Development, OU = IBM Corporation, CN = IBM Director on 10.12.200.214 1327360788187
error 18 at 0 depth lookup:self signed certificate
OK

Expected results:
Error should not be reported during verify command.

Additional info:


Can you please help with this issue or provide a workaround which we can
implement to solve it.

Regards,
Sushil


[openssl.org #2994] OpenSSL upgrade issue

2013-02-19 Thread Stephen Henson via RT
On Tue Feb 19 14:36:26 2013, sushil_sha...@in.ibm.com wrote:

> Steps to Reproduce:
> 1. Create an X.509 certificate and save the hash file in the truststore.
> 2. Upgrade OpenSSL to 1.0.1.
> 3. Try to verify the certificate using the verify command and specify -CApath
> as the truststore path.


The hash calculation (used by -CApath) changed from OpenSSL 0.9.8 to 1.0.0 and
later. The two are not compatible. So you need to recreate the hash links using
OpenSSL 1.0.0.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



Re: [openssl.org #2994] OpenSSL upgrade issue

2013-02-19 Thread Phil Pennock
On 2013-02-19 at 15:37 +0100, Stephen Henson via RT wrote:
> The hash calculation (used by -CApath) changed from OpenSSL 0.9.8 to 1.0.0 and
> later. The two are not compatible. So you need to recreate the hash links using
> OpenSSL 1.0.0.

I have systems where I need to use both the old and the new versions of
OpenSSL, so I use the attached version of c_rehash, which might help
Sushil Sharma.

I've added a detached PGP signature too.

An example use-case: MacOS, where the system ships with 0.9.8 but I have
1.0.1e from MacPorts, for various work I do. I can't break system tools;
I also need my stuff to work. So this version detects if OpenSSL is not
version 0.something and, if so, uses -subject_hash_old and creates both
sets of symlinks.

A second example use-case: centrally managed certificate stores on disk,
which need to be used on machines with varying versions of OpenSSL
available.

-Phil
#!/usr/bin/env perl
use warnings;
use strict;

# Perl c_rehash script, scan all files in a directory
# and add symbolic links to their hash values.

my $openssl;

## Define this if you have a default certs dir on your system and it's not the
## certs/ sub-dir of where OpenSSL is installed.
my $OVERRIDE_DEFAULT_CERT_DIR = undef;
#my $OVERRIDE_DEFAULT_CERT_DIR = '/etc/ssl/certs';

my $dir = "/usr/local/openssl";
my $prefix = "/usr/local";

if (exists $ENV{OPENSSL}) {
    $openssl = $ENV{OPENSSL};
} else {
    $openssl = "openssl";
    ## MacOS ships with pre-1 OpenSSL, and putting other versions ahead
    ## in $PATH might break system tools; we explicitly want to grab the
    ## MacPorts variant, without requiring $OPENSSL to be set in environ.
    if ( -x "/opt/local/bin/openssl" and $^O eq "darwin" ) {
        $openssl = "/opt/local/bin/openssl";
    }
    $ENV{OPENSSL} = $openssl;
}

if ((not exists $ENV{'SSL_CERT_DIR'}) and (defined $OVERRIDE_DEFAULT_CERT_DIR)) {
    $ENV{'SSL_CERT_DIR'} = $OVERRIDE_DEFAULT_CERT_DIR;
}


my $pwd;
eval "require Cwd";
if (defined(&Cwd::getcwd)) {
    $pwd = Cwd::getcwd();
} else {
    $pwd = `pwd`; chomp($pwd);
}
my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter?

$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path

if (! -x $openssl) {
    my $found = 0;
    foreach (split /$path_delim/, $ENV{PATH}) {
        if (-x "$_/$openssl") {
            $found = 1;
            $openssl = "$_/$openssl";
            last;
        }
    }
    if ($found == 0) {
        print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
        exit 0;
    }
}

# Detect the OpenSSL generation: 1.0.0 and later compute the new subject hash,
# so they must also emit the 0.9.8-compatible links via -subject_hash_old.
my $have_openssl_1 = 0;
my $openssl_version;
if (`$openssl version` =~ /^OpenSSL\s+(\d\S+)/i) {
    $openssl_version = $1;
    unless ($openssl_version =~ /^0\./) {
        $have_openssl_1 = 1;
    }
}

my @dirlist;
if (@ARGV) {
    @dirlist = @ARGV;
} elsif ($ENV{SSL_CERT_DIR}) {
    @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
} else {
    $dirlist[0] = "$dir/certs";
}

if (-d $dirlist[0]) {
    chdir $dirlist[0];
    $openssl = "$pwd/$openssl" if (!-x $openssl);
    chdir $pwd;
}

# Might vary per FS; but define before we call funcs which rely upon it.
my $SYMLINK_EXISTS = eval { symlink("", ""); 1 };

foreach (@dirlist) {
    if (-d $_ and -w $_) {
        hash_dir($_);
    }
}

sub hash_dir {
    my %hashlist;
    print "Doing $_[0]\n";
    chdir $_[0];
    opendir(DIR, ".");
    my @flist = readdir(DIR);
    # Delete any existing symbolic links
    foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
        if (-l $_) {
            unlink $_;
        }
    }
    closedir DIR;
    FILE: foreach my $fname (grep {/\.pem$/} @flist) {
        # Check to see if certificates and/or CRLs present.
        my ($cert, $crl) = check_file($fname);
        if (!$cert && !$crl) {
            print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
            next;
        }
        link_hash_cert($fname, \%hashlist) if ($cert);
        link_hash_crl($fname, \%hashlist) if ($crl);
    }
}

sub check_file {
    my ($is_cert, $is_crl) = (0, 0);
    my $fname = $_[0];
    open IN, $fname;
    while (<IN>) {
        if (/^-----BEGIN (.*)-----/) {
            my $hdr = $1;
            if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
                $is_cert = 1;
                last if ($is_crl);
            } elsif ($hdr eq "X509 CRL") {
                $is_crl = 1;
                last if ($is_cert);
            }
        }
    }
    close IN;
    return ($is_cert, $is_crl);
}


# Link a certificate to its
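Stephen's point (the -CApath hash changed in 1.0.0) and Phil's approach (detect the OpenSSL generation, emit both the new hash and the 0.9.8-era one, link both) written out as an added POSIX shell example; this is not Phil's attached script and not part of the original thread. It assumes an openssl binary on PATH (overridable via $OPENSSL) and takes directory names as arguments; hash_flags, link_hash and rehash_dir are the example's own names.

```shell
#!/bin/sh
# Added example, not Phil Pennock's attached c_rehash: rehash one directory so
# every certificate gets a <hash>.N link for both the 1.0.0+ subject hash and
# the 0.9.8-era hash (-subject_hash_old), so a single -CApath serves both.
# Assumes an "openssl" binary on PATH, overridable through $OPENSSL.
OPENSSL=${OPENSSL:-openssl}

# A 0.9.8 binary knows no -subject_hash_old, but its -subject_hash already
# yields the old value; 1.0.0 and later can emit both.
hash_flags() {
    case "$("$OPENSSL" version 2>/dev/null)" in
        "OpenSSL 0."*) echo "-subject_hash" ;;
        *)             echo "-subject_hash -subject_hash_old" ;;
    esac
}

# link_hash HASH FILE: create HASH.N -> FILE using the lowest free N, so two
# subjects that collide in the 32-bit hash stay reachable; idempotent.
link_hash() {
    n=0
    while [ -e "$1.$n" ]; do
        [ "$(readlink "$1.$n")" = "$2" ] && return 0
        n=$((n + 1))
    done
    ln -s "$2" "$1.$n"
}

# rehash_dir DIR: drop stale <8 hex>.N links, then relink every *.pem.
rehash_dir() (
    cd "$1" || exit 1
    for l in *; do
        case "$l" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].*)
                [ ! -L "$l" ] || rm -f "$l" ;;
        esac
    done
    for f in *.pem; do
        [ -f "$f" ] || continue
        for flag in $(hash_flags); do
            h=$("$OPENSSL" x509 -in "$f" -noout "$flag" 2>/dev/null) || continue
            link_hash "$h" "$f"
        done
    done
)

for d in "$@"; do rehash_dir "$d"; done
```

After a run, `openssl verify -CApath DIR cert.pem` finds the anchor under either library generation, which is the lookup that produced error 18 in Sushil's transcript.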