Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 450986 - should /etc/pki/tls/certs/ca-bundle.crt not be the default one used?
Summary: should /etc/pki/tls/certs/ca-bundle.crt not be the default one used?
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: openssl
Version: 4.6
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On: 418771
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-12 03:56 UTC by Fabio Olive Leite
Modified: 2009-10-08 15:32 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-08 15:32:45 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Fabio Olive Leite 2008-06-12 03:56:57 UTC
Cloning to RHEL-4 to attach to an Issue Tracker ticket.

+++ This bug was initially created as a clone of Bug #418771 +++

Description of problem:
it seems that when I use "openssl s_client -connect ..." I need to explicitly
specify "-CAfile /etc/pki/tls/certs/ca-bundle.crt"

I was expecting that one to be used by default, but maybe my expectations are
just wrong

Version-Release number of selected component (if applicable):
openssl-0.9.8b-17.fc8

How reproducible:
always

Steps to Reproduce:
1. use claws-mail
2. get a new certificate from your email server
3. be completely paranoid that a cert that claims to be signed by verisign 
fails
verification with "unable to get local issuer certificate"
4. debug
  
Actual results:
it turns out that
  openssl s_client -connect mail.kolumbus.fi:993
will fail with the error above, while
  openssl s_client -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect
mail.kolumbus.fi:993
tells me "Verify return code: 0 (ok)"

Expected results:
I would expect not to have to manually specify the system-wide default
ca-bundle, and it seems claws-email has the same expectations.

Additional info:

-- Additional comment from tmraz@redhat.com on 2007-12-12 14:09 EST --
The openssl s_client case is a bug in openssl - note that openssl s_client
-CApath whatevernonexistent -connect .... will work fine.

But I have looked at the claws-mail sources and this bug doesn't apply there 
and
it apparently does some certificate chain verification on its own so this bug
should be cloned for claws-mail if you want to have it fixed there too.


-- Additional comment from tmraz@redhat.com on 2007-12-13 12:21 EST --
s_client/s_server will be fixed now. But claws-mail has to be fixed on its 
own.


-- Additional comment from pcfe@redhat.com on 2008-05-16 11:26 EST --
confirm this is fixed in openssl-0.9.8g-6.fc9.i686

Comment 1 RHEL Product and Program Management 2008-10-31 16:47:07 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 2 Tomas Mraz 2009-10-08 15:32:45 UTC
This is fixed in Red Hat Enterprise Linux 5 Update 4 openssl package.


Note You need to log in before you can comment on or make changes to this bug.