I'm going to mark this bug as Won't Fix because we don't have a confirmation and I can't tell if this was actually merged and/or fixed in a new openssl version even though both seem likely.
** Changed in: openssl (Ubuntu)
       Status: Incomplete => Won't Fix

https://bugs.launchpad.net/bugs/335225

Title:
  "openssl verify -CAfile mutil_ca.pem site.cert" fails even if mutil_ca.pem contains the chain for site.cert

Status in openssl package in Ubuntu:
  Won't Fix

Bug description:
  Binary package hint: openssl

  Verification fails even if the CAfile contains the CA root certificate chain for the site cert.

  Steps:

  I have a CAfile.pem (all these files are attached in testfiles.tgz) that contains lots of CA root certificates. I run the following commands:

  $ openssl verify -CAfile CAfile.pem aol.cert
  aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
  error 20 at 0 depth lookup:unable to get local issuer certificate
  $ openssl verify -CAfile CAfile.pem akamai.cert
  akamai.cert: OK

  Then I append aolca.pem (AOL Member CA) to the end of CAfile.pem, naming the result CAfile2.pem

  $ cat CAfile.pem aolca.pem > CAfile2.pem

  and run the following commands:

  $ openssl verify -CAfile CAfile2.pem aol.cert
  aol.cert: OK
  $ openssl verify -CAfile CAfile2.pem akamai.cert
  akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
  error 20 at 0 depth lookup:unable to get local issuer certificate

  The verification for aol.cert passes as expected, but failing to verify akamai.cert is unexpected.

  If I configure/compile openssl with the "-d" option, openssl will fail to load the CAfile.pem:

  $ openssl verify -CAfile CAfile.pem akamai.cert

    Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens.

  ElectricFence Exiting: mprotect() failed: Cannot allocate memory

  This issue happens in both 0.9.8j and stock 0.9.8g in Ubuntu 8.10.

  If you try to reproduce this on Ubuntu/Debian, be sure to rename /usr/lib/ssl/certs/, since openssl will try to load these CA root certificates as a last resort (or try it with strace to make sure openssl is not accessing them).
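
An added regression check for the behaviour the report expects, not part of the original bug report: it builds two constructed test CAs and site certificates (every name and file here is an assumption) and confirms that appending a second CA to the bundle keeps the first certificate verifiable. SSL_CERT_DIR is pointed at an empty directory so the default certificate directory mentioned in the report is not consulted.

```shell
#!/bin/sh
# Added example: all keys, subjects and file names below are constructed test data.

# True when "openssl verify" prints "<file>: OK". The output is checked rather
# than the exit status because older openssl releases exit 0 even on failure.
verifies() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Returns 0 if verification behaves as the report expects, 1 if not,
# 2 if the test material could not be generated.
check_bundle_append() {
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        mkdir empty
        # Keep the default CA directory out of the lookup.
        SSL_CERT_DIR="$work/empty"; export SSL_CERT_DIR
        for n in 1 2; do
            openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
                -subj "/O=Constructed/CN=Test CA $n" \
                -keyout "ca$n.key" -out "ca$n.pem" 2>/dev/null || exit 2
            openssl req -newkey rsa:2048 -nodes -subj "/CN=site$n.example" \
                -keyout "site$n.key" -out "site$n.csr" 2>/dev/null || exit 2
            openssl x509 -req -in "site$n.csr" -CA "ca$n.pem" -CAkey "ca$n.key" \
                -CAcreateserial -days 2 -out "site$n.cert" 2>/dev/null || exit 2
        done
        cp ca1.pem CAfile.pem                 # bundle with only the first CA
        cat CAfile.pem ca2.pem > CAfile2.pem  # same bundle with the second CA appended

        verifies CAfile.pem site1.cert  || exit 1  # issuer present
        verifies CAfile.pem site2.cert  && exit 1  # issuer absent: must not verify
        verifies CAfile2.pem site2.cert || exit 1  # appended CA is found
        verifies CAfile2.pem site1.cert || exit 1  # earlier CA must still be found
        exit 0
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```
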