Package: openssl
Version: 1.0.0d-2
Severity: normal
Tags: d-i
When connecting with openssl to, for example, the Freenode irc network, with the
following command:
openssl s_client -CApath /etc/ssl/certs/ -connect chat.freenode.net:7000
Verification of the certificate fails. However, a command such as:
openssl s_client -CAfile <( find /etc/ssl/certs/ -name '*.crt' -exec cat {} + ) -connect chat.freenode.net:7000
...*does* succeed. Inspection of openssl with strace reveals:
stat64("/usr/share/ca-certificates//b13cc6df.0", 0xbfc8badc) = -1 ENOENT (No such file or directory)
The two consecutive slashes indicate an empty variable might be the cause, and
openssl does not properly recurse through the certificate directories with the
-CApath option.
openssl then gives up with:
Verify return code: 20 (unable to get local issuer certificate)
This error affects an irc client like irssi as well, and a bug was filed
against irssi, which should have been filed against openssl. Will notify irssi
devs that this report was filed.
Previous versions of Debian's openssl (0.9.8) were said not to exhibit the bug.
One other non-Debian (Gentoo) user using irssi reported they *could* connect
correctly using openssl-1.0.0d.
The command using the -CAfile option above is an effective workaround.
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.38-3.slh.2-aptosid-686 (SMP w/1 CPU core; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libssl1.0.0 1.0.0d-2 SSL shared libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20090814+nmu3 Common CA certificates
-- no debconf information
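
The stat64 line in the report shows how -CApath works: the directory is only consulted for files named <hash>.<n>, whereas -CAfile reads every certificate from one bundle. The script below is an added example, not part of the original report or of OpenSSL; it audits a CApath directory for hash-named links that dangle and for certificate files that no hash-named entry resolves to. The function name capath_audit is an assumption of this example, and it relies on GNU readlink -f.

```shell
#!/bin/sh
# Added example (not from the report): audit a directory used with -CApath.
# Assumes GNU readlink -f; capath_audit is a name chosen for this example.
# Prints DANGLING/UNLINKED findings, then "hashed=N dangling=N unlinked=N".
capath_audit() (
    dir=${1%/}
    hashed=0 dangling=0 unlinked=0
    linked=""                       # resolved targets of hash-named entries

    for entry in "$dir"/*; do
        name=${entry##*/}
        # -CApath lookups only ever ask for <8 hex digits>.<number>
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].*) ;;
            *) continue ;;
        esac
        case ${name#*.} in
            ''|*[!0-9]*) continue ;;
        esac
        hashed=$((hashed + 1))
        if [ ! -e "$entry" ]; then  # symlink whose target does not exist
            echo "DANGLING $entry -> $(readlink "$entry")"
            dangling=$((dangling + 1))
            continue
        fi
        linked=$(printf '%s\n%s' "$linked" "$(readlink -f "$entry")")
    done

    for cert in "$dir"/*.crt "$dir"/*.pem; do
        [ -e "$cert" ] || continue  # unmatched glob or dangling link
        target=$(readlink -f "$cert")
        if ! printf '%s\n' "$linked" | grep -Fxq -- "$target"; then
            echo "UNLINKED $cert (no hash-named entry resolves to it)"
            unlinked=$((unlinked + 1))
        fi
    done
    echo "hashed=$hashed dangling=$dangling unlinked=$unlinked"
)

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    capath_audit "$1"
fi
```

Called with a directory such as /etc/ssl/certs, it lists each finding followed by the summary line; on Debian the concatenated bundle ca-certificates.crt is expected to appear as UNLINKED.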