From: John Marshall on 30 Apr 2010 23:16

I just spent quite a while trying to figure out what broke SSL certificate verification in my irc client after taking some brave pills and updating ports on my notebook.

It turns out that OpenSSL 1.0.0 hashes certificates differently to earlier versions. That meant that applications looking in my /usr/local/openssl/certs directory couldn't find hashes for CA certificates because the hash links had been created with OpenSSL 0.9.8.

From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:

"Enhance the hash format used for certificate directory links. The new form uses the canonical encoding (meaning equivalent names will work even if they aren't identical) and uses SHA1 instead of MD5. This form is incompatible with the older format and as a result c_rehash should be used to rebuild symbolic links. [Steve Henson]"

So, that's good to know but here's the really fun bit. Just running c_rehash won't fix it if you have openssl in the base system - because it picks up /usr/bin/openssl (old version, old hashes). The /usr/local/bin/c_rehash script relies on an environment variable to point it at anything other than the base openssl. So, if I set OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash, I get the "new" hashes and stuff works again.

-- 
John Marshall
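As an added example (not code from the thread or from the OpenSSL port), a POSIX shell script that does what the post above describes by hand: it rebuilds the hash links in a certificate directory with an explicitly chosen openssl binary, and it counts links whose names do not match the subject hash that binary computes, which is the 0.9.8-versus-1.0.0 mismatch John ran into. It assumes the OPENSSL environment variable names the binary (as c_rehash does), that certificates are PEM files named *.pem or *.crt, and the function names rehash_dir and stale_links are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds c_rehash-style links in a
# certificate directory with an explicitly chosen openssl binary, and counts
# links whose names no longer match what that binary computes (the 0.9.8 vs
# 1.0.0 mismatch described in the thread). Function names are my own.
# Assumes: OPENSSL names the binary to use (like c_rehash); certs are *.pem/*.crt.

# Remove every existing hash link (names like 1a2b3c4d.0) and recreate them
# from the subject hash that $OPENSSL computes, the way c_rehash does.
rehash_dir() {
    dir=$1
    ossl=${OPENSSL:-openssl}   # e.g. OPENSSL=/usr/local/bin/openssl, not /usr/bin/openssl
    for link in "$dir"/????????.[0-9]*; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        subj_hash=$("$ossl" x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        n=0                                   # suffix increments on hash collisions
        while [ -e "$dir/$subj_hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$dir/$subj_hash.$n"
    done
}

# Print (to stdout) the number of links whose name prefix differs from the
# subject hash $OPENSSL computes for their target; details go to stderr.
# A non-zero count with the 1.0.0 binary means the links still carry 0.9.8 (MD5) names.
stale_links() {
    dir=$1
    ossl=${OPENSSL:-openssl}
    stale=0
    for link in "$dir"/????????.[0-9]*; do
        [ -L "$link" ] || continue
        target=$dir/$(readlink "$link")
        if want=$("$ossl" x509 -noout -subject_hash -in "$target" 2>/dev/null); then
            case $(basename "$link") in
                "$want".*) ;;
                *) stale=$((stale + 1)); echo "stale: $link (expected $want.*)" >&2 ;;
            esac
        else
            stale=$((stale + 1)); echo "unreadable target: $link" >&2
        fi
    done
    echo "$stale"
}

# Usage: OPENSSL=/usr/local/bin/openssl sh rehash.sh /usr/local/openssl/certs
if [ -n "${1:-}" ]; then
    echo "stale links before: $(stale_links "$1")"
    rehash_dir "$1"
    echo "stale links after:  $(stale_links "$1")"
fi
```

Running stale_links with OPENSSL pointed at the base /usr/bin/openssl and then at /usr/local/bin/openssl shows directly which binary the existing links were built for.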
From: Matthias Andree on 3 May 2010 14:03

On 01.05.2010 05:16, John Marshall wrote:
> I just spent quite a while trying to figure out what broke SSL certificate verification in my irc client after taking some brave pills and updating ports on my notebook.
>
> It turns out that OpenSSL 1.0.0 hashes certificates differently to earlier versions. That meant that applications looking in my /usr/local/openssl/certs directory couldn't find hashes for CA certificates because the hash links had been created with OpenSSL 0.9.8.
>
> From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:
>
> "Enhance the hash format used for certificate directory links. The new form uses the canonical encoding (meaning equivalent names will work even if they aren't identical) and uses SHA1 instead of MD5. This form is incompatible with the older format and as a result c_rehash should be used to rebuild symbolic links. [Steve Henson]"
>
> So, that's good to know but here's the really fun bit. Just running c_rehash won't fix it if you have openssl in the base system - because it picks up /usr/bin/openssl (old version, old hashes). The /usr/local/bin/c_rehash script relies on an environment variable to point it at anything other than the base openssl. So, if I set OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash, I get the "new" hashes and stuff works again.

(cc'ing Dirk who maintains the OpenSSL port - consider taking the patch linked below)

I reported this - along with proposed fixes - to OpenSSL a couple of days ago, however there does not seem to be a 1.0.0a yet.

(username and password "guest")

Report: <http://rt.openssl.org/Ticket/Display.html?id=2234>

Deep link to patch: <http://rt.openssl.org/Ticket/Attachment/26716/13060/openssl-1.0.0-fix-c_rehash.patch>

HTH
Matthias
From: John Marshall on 5 May 2010 21:03

On Mon, 03 May 2010, 20:03 +0200, Matthias Andree wrote:
> Report: <http://rt.openssl.org/Ticket/Display.html?id=2234>
>
> Deep link to patch: <http://rt.openssl.org/Ticket/Attachment/26716/13060/openssl-1.0.0-fix-c_rehash.patch>

Thank you. security/openssl 1.0.0_1 includes this c_rehash patch and works for me.

-- 
John Marshall