On Mon, Mar 16, 2009 at 04:08:04PM +0100, Arnaud Launay wrote:

> > Make sure that you don't have duplicate certificate files in
> > /etc/ssl/certs, that differ only in the file name, run
> > c_rehash(1) to cleanup any stale symlinks.
>
> Already did. Seems either the gentoo certificate pack is wrong,
> either there is something else (which I don't believe). Only
> thing, I suppose there's no way to ask openssl to check the certs
> for dups, *and* tells which ones, if any, are dups ?
>
> $ cp -L /etc/ssl/certs/* /tmp/certs
> $ cd /tmp/certs && rm *.0
> $ md5sum * | sort | wc -l
> 143
> $ md5sum * | sort | uniq | wc -l

Instead of "md5sum *", try the more robust:

    for cert in *; do openssl x509 -in "$cert" -noout -sha1 -fingerprint; done |
        sort | uniq -c | sort -nr | head -1

to eliminate "cosmetic" cert file differences. Do any of the files
contain multiple certs? What version of OpenSSL are you using (many
Linux distributions use an early patchlevel with backported fixes, so it
is not always obvious what this means in terms of the actual code).

-- 
	Viktor.
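
An added example, not part of the thread: a standard-library Python script that answers "which ones are dups" by grouping every PEM certificate block in a directory by the SHA-1 of its DER bytes (the value `openssl x509 -sha1 -fingerprint` prints), so re-wrapped files, files with leading comment text, and files holding several certs are all compared correctly. The function names are hypothetical, and the sample files written by `demo()` are constructed placeholder bytes, not real X.509 certificates.

```python
import base64, hashlib, re, sys
from collections import defaultdict
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def fingerprints(text):
    """Yield the SHA-1 of the DER bytes of each PEM certificate block in text."""
    for body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))  # ignore line wrapping
        yield hashlib.sha1(der).hexdigest().upper()

def find_duplicates(directory):
    """Map fingerprint -> ['file#index', ...] for certs that occur more than once."""
    seen = defaultdict(list)
    for path in sorted(Path(directory).iterdir()):
        # Skip c_rehash hash symlinks (*.0): they point at files already scanned.
        if path.is_symlink() or not path.is_file():
            continue
        text = path.read_text(errors="replace")  # non-PEM files yield no blocks
        for i, fp in enumerate(fingerprints(text), 1):
            seen[fp].append(f"{path.name}#{i}")
    return {fp: locs for fp, locs in seen.items() if len(locs) > 1}

def _pem(der, width=64):
    """Wrap bytes in PEM armour with the given line width."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def demo(directory):
    """Write constructed sample files (placeholder bytes) and scan them."""
    a, b = b"constructed-cert-A" * 8, b"constructed-cert-B" * 8
    d = Path(directory)
    (d / "ca-a.pem").write_text(_pem(a))
    # Same cert, different wrapping plus leading text: md5sum sees a new file.
    (d / "ca-a-rewrapped.crt").write_text("Subject: comment text\n" + _pem(a, 76))
    # A bundle whose second cert repeats ca-a.pem.
    (d / "bundle.pem").write_text(_pem(b) + _pem(a))
    return find_duplicates(d)

if __name__ == "__main__":
    for fp, locs in find_duplicates(sys.argv[1]).items():
        print(fp, *locs)
```

Run it as `python3 script.py /etc/ssl/certs`; each output line is one fingerprint followed by every file and block index where that certificate appears.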