[openssl-users] test make_verify fails on brand new red hat enterprise 7 box

Philippe Anctil philippe.anctil at gmail.com
Fri May 18 15:22:14 UTC 2018 

Hi,

I have been compiling openssl libraries on RHEL5 for a while without issue.
My build for 1.0.2k fails on a new RHEL7 server. I have narrowed down the
cause to the make_verify test.



make verify_test # from test dir

The following command should have some OK's and some failures
There are definitly a few expired certificates
../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo
../certs/demo/*.pem
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd,
CN = Test CA (1024 bit)
error 20 at 0 depth lookup:unable to get local issuer certificate
../certs/demo/dsa-ca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty
Ltd, CN = CA
error 20 at 0 depth lookup:unable to get local issuer certificate
140692788688576:error:0B06E06B:x509 certificate
routines:X509_get_pubkey_parameters:unable to find parameters in
chain:x509_vfy.c:2108:
../certs/demo/dsa-pca.pem: C = AU, ST = Some-State, O = Internet Widgits
Pty Ltd, CN = PCA
error 18 at 0 depth lookup:self signed certificate
C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
error 10 at 0 depth lookup:certificate has expired
OK
../certs/demo/pca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd,
CN = Test PCA (1024 bit)
error 18 at 0 depth lookup:self signed certificate
C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 10 at 0 depth lookup:certificate has expired
OK
make: *** [test_verify] Error 2



It seems to boil down to the following



OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath
../certs/demo ../certs/demo/ca-cert.pem

WARNING: can't open config file:
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd,
CN = Test CA (1024 bit)
error 20 at 0 depth lookup:unable to get local issuer certificate

echo $?

2



Doing the same on my RHEL5 box.



OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath
../certs/demo ../certs/demo/ca-cert.pem
WARNING: can't open config file:
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd,
CN = Test PCA (1024 bit)
error 10 at 1 depth lookup:certificate has expired
C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
error 10 at 0 depth lookup:certificate has expired
OK

echo $?

0



Any clue why openssl verify does not work on RHEL7?
ca-cert.pem is issued by pca-cert.pem (matching Authority Key Identifier).
Both are under ../certs/demo.

Thanks.


-- 
Philippe Anctil
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180518/77f2622b/attachment-0001.html>

More information about the openssl-users mailing list