test make_verify fails on brand new red hat enterprise 7 box

Philippe Anctil
Hi,

I have been compiling openssl libraries on RHEL5 for a while without issue. My build for 1.0.2k fails on a new RHEL7 server. I have narrowed down the cause to the make_verify test. 



make verify_test # from test dir

The following command should have some OK's and some failures
There are definitly a few expired certificates
../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
error 20 at 0 depth lookup:unable to get local issuer certificate
../certs/demo/dsa-ca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CA
error 20 at 0 depth lookup:unable to get local issuer certificate
140692788688576:error:0B06E06B:x509 certificate routines:X509_get_pubkey_parameters:unable to find parameters in chain:x509_vfy.c:2108:
../certs/demo/dsa-pca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
error 18 at 0 depth lookup:self signed certificate
C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
error 10 at 0 depth lookup:certificate has expired
OK
../certs/demo/pca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 18 at 0 depth lookup:self signed certificate
C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 10 at 0 depth lookup:certificate has expired
OK
make: *** [test_verify] Error 2



It seems to boil down to the following



OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath ../certs/demo ../certs/demo/ca-cert.pem

WARNING: can't open config file:
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
error 20 at 0 depth lookup:unable to get local issuer certificate

echo $?

2



Doing the same on my RHEL5 box.



OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath ../certs/demo ../certs/demo/ca-cert.pem
WARNING: can't open config file:
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 10 at 1 depth lookup:certificate has expired
C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
error 10 at 0 depth lookup:certificate has expired
OK

echo $?

0



Any clue why openssl verify does not work on RHEL7?
ca-cert.pem is issued by pca-cert.pem (matching Authority Key Identifier). Both are under ../certs/demo.

Thanks.


--
Philippe Anctil

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: test make_verify fails on brand new red hat enterprise 7 box

Viktor Dukhovni


> On May 18, 2018, at 11:22 AM, Philippe Anctil <[hidden email]> wrote:
>
> Hi,
>
> I have been compiling openssl libraries on RHEL5 for a while without issue. My build for 1.0.2k fails on a new RHEL7 server. I have narrowed down the cause to the make_verify test.

All tests pass when I build 1.0.2p.  There is no "verify_test" in any version
of 1.0.2 I can find, including 1.0.2k.  Perhaps that test is part of Red Hat
specific patches to OpenSSL.  You'll need to solve this with whoever authored
that test.

--
        Viktor.


Re: test make_verify fails on brand new red hat enterprise 7 box

Philippe Anctil
I am compiling from openssl.org source.

pwd

.../openssl-1.0.2k/test

grep -A 4 'test_verify:' Makefile

test_verify: ../apps/openssl$(EXE_EXT)
        @echo "The following command should have some OK's and some failures"
        @echo "There are definitly a few expired certificates"
        ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem






--
Philippe Anctil


Re: test make_verify fails on brand new red hat enterprise 7 box

Matt Caswell-2


On 18/05/18 16:22, Philippe Anctil wrote:
> Hi,
>
> I have been compiling openssl libraries on RHEL5 for a while without
> issue. My build for 1.0.2k fails on a new RHEL7 server. I have narrowed
> down the cause to the make_verify test. 
>
>
>
> make verify_test # from test dir

I think you meant "make test_verify"

> It seems to boil down to the following
>
>
>
> OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath
> ../certs/demo ../certs/demo/ca-cert.pem
>
> WARNING: can't open config file:
> ../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty
> Ltd, CN = Test CA (1024 bit)
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> echo $?
>
> 2

So what does your certs/demo directory look like? Do you have the
necessary symbolic links (created during "make" somewhere I think). Are
all permissions and file sizes as expected? Mine looks like this:

$ ls -l
total 16
lrwxrwxrwx 1 matt matt   11 May 18 17:10 3f77a2b5.0 -> ca-cert.pem
-rw-r--r-- 1 matt matt 1953 May 18 16:47 ca-cert.pem
lrwxrwxrwx 1 matt matt   10 May 18 17:10 cbdbd8bc.0 -> dsa-ca.pem
lrwxrwxrwx 1 matt matt   11 May 18 17:10 de4fa23b.0 -> dsa-pca.pem
-rw-r--r-- 1 matt matt 2264 May 18 16:47 dsa-ca.pem
-rw-r--r-- 1 matt matt 2674 May 18 16:47 dsa-pca.pem
lrwxrwxrwx 1 matt matt   12 May 18 17:10 e83ef475.0 -> pca-cert.pem
-rw-r--r-- 1 matt matt 1953 May 18 16:47 pca-cert.pem


Matt

Re: test make_verify fails on brand new red hat enterprise 7 box

Philippe Anctil

> So what does your certs/demo directory look like? Do you have the
> necessary symbolic links (created during "make" somewhere I think).


Links are missing. 

The problem has something to do with the default path to openssl.conf. In my case it is based on the build prefix I used.
If the path does not exist, make rehash will create links happily.
If the dir exists but my build account does not have access permissions, make rehash is unhappy and refuses to create links.

rm rehash.time
make rehash

Doing certs/demo
140097379800768:error:0200100D:system library:fopen:Permission denied:bss_file.c:175:fopen('/usr/local/.../openssl/ssl/openssl.cnf','rb')
140097379800768:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:184:
140097379800768:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:203:
140367544841920:error:0200100D:system library:fopen:Permission denied:bss_file.c:175:fopen('/usr/local/.../openssl/ssl/openssl.cnf','rb')
140367544841920:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:184:
140367544841920:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:203:
WARNING: Skipping duplicate certificate dsa-ca.pem
140697328998080:error:0200100D:system library:fopen:Permission denied:bss_file.c:175:fopen('/usr/local/.../openssl/ssl/openssl.cnf','rb')
140697328998080:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:184:
140697328998080:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:203:
WARNING: Skipping duplicate certificate dsa-pca.pem
139717812614848:error:0200100D:system library:fopen:Permission denied:bss_file.c:175:fopen('/usr/local/.../openssl/ssl/openssl.cnf','rb')
139717812614848:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:184:
139717812614848:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:203:
WARNING: Skipping duplicate certificate pca-cert.pem



I don't know why openssl handles both errors in a different way. In general the build does not care about the inaccessible config. That behavior suits me.

Maybe the build should detect the problem with make rehash. Or force an OPENSSL_CONF value that will make it happy. Here's the workaround I applied to my build script.

...
rm rehash.time
make OPENSSL_CONF= rehash

make test


Problem nailed. Thank you for your help! 

 
--
Philippe Anctil
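
Added example (not part of the thread or of OpenSSL's build system): a pre-flight check for the missing-links condition diagnosed above, assuming the `<8 hex digits>.<n>` link naming shown in the `ls -l` listing earlier in the thread. The function name `check_capath` is hypothetical; it checks only that the links exist and resolve, not that the hash in each name is correct.

```shell
#!/bin/sh
# Added example: verify that a directory used with "openssl verify -CApath"
# has a hash-named symlink for every certificate, and no dangling links.
# It does not recompute the hash values themselves.

# Glob for names such as 3f77a2b5.0 (8 hex digits, dot, sequence number).
hashglob='[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*'

check_capath() {
    dir=$1
    problems=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Every hash-named entry that is a symlink must point at an existing file.
    for link in "$dir"/$hashglob; do
        [ -L "$link" ] || continue        # unmatched glob or a plain file
        if [ ! -e "$link" ]; then
            echo "dangling hash link: $link"
            problems=$((problems + 1))
        fi
    done

    # Every certificate file must be the target of at least one hash link.
    for cert in "$dir"/*.pem; do
        if [ ! -f "$cert" ] || [ -L "$cert" ]; then continue; fi
        found=0
        for link in "$dir"/$hashglob; do
            [ -L "$link" ] || continue
            # -ef is true when both names resolve to the same file
            if [ "$link" -ef "$cert" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "no hash link for: $cert"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]                 # status 0 only when nothing was reported
}

# Run as a script: sh check_capath.sh certs/demo
if [ "$#" -gt 0 ]; then check_capath "$1"; fi
```

Running it after `make rehash` and before `make test` turns a silently failed rehash into an explicit build error instead of an "unable to get local issuer certificate" result later.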

Re: test make_verify fails on brand new red hat enterprise 7 box

Richard Levitte - VMS Whacker-2
You need to do this in the top directory first:

    make rehash

Cheers,
Richard
