[openssl-users] [openssl-dev] [Bug] apps: -CApath does not fail for non-directories (on Linux)

Jakob Bohm jb-openssl at wisemo.com
Wed Mar 1 18:05:27 UTC 2017

On 01/03/2017 18:44, Viktor Dukhovni wrote:
>> On Mar 1, 2017, at 11:46 AM, Steffen Nurpmeso <steffen at sdaoden.eu> wrote:
>> No, not that i know.  But this -- thanks -- lead me to the
>> following, which is the KISS that you want?
>> Ciao!
>> diff --git a/apps/apps.c b/apps/apps.c
>> index 216bc797d..3afbbaef2 100644
>> --- a/apps/apps.c
>> +++ b/apps/apps.c
>> @@ -1221,7 +1221,8 @@ X509_STORE *setup_verify(const char *CAfile, const char *CApath, int noCAfile, i
>>          if (lookup == NULL)
>>              goto end;
>>          if (CApath) {
>> -            if (!X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
>> +            if (!app_isdir(CApath) ||
>> +                    !X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM)) {
>>                  BIO_printf(bio_err, "Error loading directory %s\n", CApath);
>>                  goto end;
>>              }
Shouldn't this be in X509_LOOKUP_add_dir() itself?
> We may need to be careful.  With OpenSSL <= 1.0.2, one way to suppress the
> built-in default CApath was to set "-CApath" to a non-existent directory.
> Users may have scripts relying on this behaviour.  Now with 1.1.0 on some
> platforms OpenSSL already rejects non-existent directories, and we also
> provide a "-no-CAfile" option, but this change will extend the change to
> what is likely our most popular platform.
Since compatibility is important, there should be a list of values that
are equivalent to "-no-CApath" for 3rd party apps and scripts that haven't
implemented such an option.  As a minimum I would suggest: NULL (null 
pointer), "" (empty string), " " (single space) "X" (single letter uppercase
X with no path) "-" (single dash since stdin/stdout cannot be a path) and
anything that maps to the "/dev/null" device of the platform.
> So it will at least deserve a comment in the "NEWS"/"CHANGES" files.
Another case to consider are chroot daemons that call X509_LOOKUP_add_dir()
before doing a chroot() to the tree containing that directory.  Or maybe
that is why you want to only do the check in the openssl command line 
because it is known not to do that.  Anyway, users of such daemons can work
around it by having an empty or arbitrary directory with that name in the
old root, provided they are told to do so.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list