>From openssl 1.0.1-4ubuntu5.12 (I hope I traced the chain of functions
correctly):
apps/s_client.c:
--------------------------------------------------------------------------------
if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx)))
{
/* BIO_printf(bio_err,"error setting default verify
locations\n"); */
ERR_print_errors(bio_err);
/* goto end; */
}
--------------------------------------------------------------------------------
(CAfile and CApath are the command line option values (NULL if not given).)
ssl/ssl_lib.c:
--------------------------------------------------------------------------------
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
return(X509_STORE_load_locations(ctx->cert_store,CAfile,CApath));
}
--------------------------------------------------------------------------------
crypto/x509/x509_d2.c:
--------------------------------------------------------------------------------
int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
const char *path)
{
X509_LOOKUP *lookup;
if (file != NULL)
{
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_file());
if (lookup == NULL) return(0);
if (X509_LOOKUP_load_file(lookup,file,X509_FILETYPE_PEM) != 1)
return(0);
}
if (path != NULL)
{
lookup=X509_STORE_add_lookup(ctx,X509_LOOKUP_hash_dir());
if (lookup == NULL) return(0);
if (X509_LOOKUP_add_dir(lookup,path,X509_FILETYPE_PEM) != 1)
return(0);
}
if ((path == NULL) && (file == NULL))
return(0);
return(1);
}
--------------------------------------------------------------------------------
I think the problem is that (path == NULL) && (file == NULL) is treated as an
error. That causes the s_client code to abort before it calls
SSL_CTX_set_default_verify_paths. If (file != NULL) or (path != NULL) and no
other errors are produced, SSL_CTX_set_default_verify_paths will get called.
That's why we observe that "-CApath /nonsense" adds the default path.
Additionally, loading an arbitrary CA file will work too:
openssl s_client -quiet -CAfile /etc/ssl/certs/Visa_eCommerce_Root.pem -connect
google.com:443
It seems strange that default locations are loaded even when -CAfile or
-CApath is given, so in my opinion SSL_CTX_set_default_verify_paths
should only be called when (CAfile == NULL) && (CApath == NULL).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/396818
Title:
openssl s_client behaves strangely without CAPath
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
