OpenSSL 1.0.0 Gotcha - Certificate Hashes are Different

John Marshall john.marshall at
Sat May 1 03:16:55 UTC 2010

I just spent quite a while trying to figure out what broke SSL
certificate verification in my irc client after taking some brave pills
and updating ports on my notebook.

It turns out that OpenSSL 1.0.0 hashes certificates differently to
earlier versions.  That meant that applications looking in my
/usr/local/openssl/certs directory couldn't find hashes for CA
certificates because the hash links had been created with OpenSSL 0.9.8.

From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:

  "Enhance the hash format used for certificate directory links. The new
   form uses the canonical encoding (meaning equivalent names will work
   even if they aren't identical) and uses SHA1 instead of MD5. This form
   is incompatible with the older format and as a result c_rehash should
   be used to rebuild symbolic links.
   [Steve Henson]"

So, that's good to know but here's the really fun bit.  Just running
c_rehash won't fix it if you have openssl in the base system - because
it picks up /usr/bin/openssl (old version, old hashes).  The
/usr/local/bin/c_rehash script relies on an environment variable to
point it at anything other than the base openssl.  So, if I set
OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash,
I get the "new" hashes and stuff works again.

John Marshall
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url :

More information about the freebsd-ports mailing list