[openssl-users] test make_verify fails on brand new red hat enterprise 7 box

Richard Levitte levitte at openssl.org
Sun May 20 07:27:30 UTC 2018


You need to do this in the top directory first:

    make rehash

Cheers,
Richard

In message <CAOPjdVOmXSHuM5yfNnN_Vm85AysGDSj41jKGd5ZKAZ7jL75LDA at mail.gmail.com> on Fri, 18 May 2018 11:22:14 -0400, Philippe Anctil <philippe.anctil at gmail.com> said:

philippe.anctil> Hi,
philippe.anctil> 
philippe.anctil> I have been compiling openssl libraries on RHEL5 for
philippe.anctil> a while without issue. My build for 1.0.2k fails on a
philippe.anctil> new RHEL7 server. I have narrowed down the cause to
philippe.anctil> the make_verify test.
philippe.anctil> 
philippe.anctil> make verify_test # from test dir
philippe.anctil> 
philippe.anctil> The following command should have some OK's and some failures
philippe.anctil> There are definitly a few expired certificates
philippe.anctil> ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem
philippe.anctil> ../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024
philippe.anctil> bit)
philippe.anctil> error 20 at 0 depth lookup:unable to get local issuer certificate
philippe.anctil> ../certs/demo/dsa-ca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CA
philippe.anctil> error 20 at 0 depth lookup:unable to get local issuer certificate
philippe.anctil> 140692788688576:error:0B06E06B:x509 certificate routines:X509_get_pubkey_parameters:unable
philippe.anctil> to find parameters in chain:x509_vfy.c:2108:
philippe.anctil> ../certs/demo/dsa-pca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
philippe.anctil> error 18 at 0 depth lookup:self signed certificate
philippe.anctil> C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
philippe.anctil> error 10 at 0 depth lookup:certificate has expired
philippe.anctil> OK
philippe.anctil> ../certs/demo/pca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024
philippe.anctil> bit)
philippe.anctil> error 18 at 0 depth lookup:self signed certificate
philippe.anctil> C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
philippe.anctil> error 10 at 0 depth lookup:certificate has expired
philippe.anctil> OK
philippe.anctil> make: *** [test_verify] Error 2
philippe.anctil> 
philippe.anctil> It seems to boil down to the following
philippe.anctil> 
philippe.anctil> OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath ../certs/demo
philippe.anctil> ../certs/demo/ca-cert.pem
philippe.anctil> 
philippe.anctil> WARNING: can't open config file:
philippe.anctil> ../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024
philippe.anctil> bit)
philippe.anctil> error 20 at 0 depth lookup:unable to get local issuer certificate
philippe.anctil> 
philippe.anctil> echo $?
philippe.anctil> 
philippe.anctil> 2
philippe.anctil> 
philippe.anctil> Doing the same on my RHEL5 box.
philippe.anctil> 
philippe.anctil> OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath ../certs/demo
philippe.anctil> ../certs/demo/ca-cert.pem
philippe.anctil> WARNING: can't open config file:
philippe.anctil> ../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024
philippe.anctil> bit)
philippe.anctil> error 10 at 1 depth lookup:certificate has expired
philippe.anctil> C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
philippe.anctil> error 10 at 0 depth lookup:certificate has expired
philippe.anctil> OK
philippe.anctil> 
philippe.anctil> echo $?
philippe.anctil> 
philippe.anctil> 0
philippe.anctil> 
philippe.anctil> Any clue why openssl verify does not work on RHEL7?
philippe.anctil> ca-cert.pem is issued by pca-cert.pem (matching Authority Key Identifier). Both are under
philippe.anctil> ../certs/demo.
philippe.anctil> 
philippe.anctil> Thanks.
philippe.anctil> 
philippe.anctil> --
philippe.anctil> Philippe Anctil
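
The error 20 above comes from how `-CApath` finds issuers: it opens files named `<subject-name-hash>.<n>` in the directory, and in the 1.0.2 tree `make rehash` runs `c_rehash` over `certs/demo` to create those links. The script below is an added example, not part of the thread or of OpenSSL; the function name `capath_status` is hypothetical, and it checks only the directory layout, not that each hash matches its certificate.

```sh
#!/bin/sh
# Added example: report whether a directory has the layout -CApath needs.
# Lookup is by file name: eight hex digits (subject-name hash), a dot and a
# collision counter, normally a symlink to the PEM file.

# Prints one word: no-certs, not-hashed, dangling or hashed.
capath_status() {
    dir=$1
    pem_count=0
    link_count=0
    dangling=0

    for f in "$dir"/*.pem; do
        if [ -f "$f" ]; then pem_count=$((pem_count + 1)); fi
    done

    for f in "$dir"/*.[0-9]*; do
        name=${f##*/}
        case $name in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) ;;
            *) continue ;;   # not a hash-style entry (or the glob matched nothing)
        esac
        if [ -e "$f" ]; then
            link_count=$((link_count + 1))   # entry resolves to a file
        elif [ -L "$f" ]; then
            dangling=$((dangling + 1))       # symlink whose target is gone
        fi
    done

    if [ "$pem_count" -eq 0 ]; then
        echo no-certs
    elif [ "$dangling" -gt 0 ]; then
        echo dangling        # stale links: rehash the directory again
    elif [ "$link_count" -eq 0 ]; then
        echo not-hashed      # the state in which -CApath cannot find an issuer
    else
        echo hashed
    fi
}

# Stand-alone use: sh capath_status.sh ../certs/demo
if [ $# -gt 0 ]; then
    capath_status "$1"
fi
```
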

