OpenSSL 1.0.0 Gotcha - Certificate Hashes are Different
mandree at FreeBSD.org
Mon May 3 18:04:21 UTC 2010
On 01.05.2010 05:16, John Marshall wrote:
> I just spent quite a while trying to figure out what broke SSL
> certificate verification in my irc client after taking some brave pills
> and updating ports on my notebook.
>
> It turns out that OpenSSL 1.0.0 hashes certificates differently to
> earlier versions. That meant that applications looking in my
> /usr/local/openssl/certs directory couldn't find hashes for CA
> certificates because the hash links had been created with OpenSSL 0.9.8.
>
> From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:
>
> "Enhance the hash format used for certificate directory links. The new
> form uses the canonical encoding (meaning equivalent names will work
> even if they aren't identical) and uses SHA1 instead of MD5. This form
> is incompatible with the older format and as a result c_rehash should
> be used to rebuild symbolic links.
> [Steve Henson]"
>
> So, that's good to know but here's the really fun bit. Just running
> c_rehash won't fix it if you have openssl in the base system - because
> it picks up /usr/bin/openssl (old version, old hashes). The
> /usr/local/bin/c_rehash script relies on an environment variable to
> point it at anything other than the base openssl. So, if I set
> OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash,
> I get the "new" hashes and stuff works again.
(cc'ing Dirk who maintains the OpenSSL port - consider taking the patch
I reported this - along with proposed fixes - to OpenSSL a couple of
days ago; however, there does not seem to be a 1.0.0a yet.
(username and password "guest")
Deep link to patch:
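For readers who want to see concretely why a certs directory built under 0.9.8 is useless to 1.0.0, the following Python is an added example (not code from this thread, from the FreeBSD port, or from OpenSSL itself). It builds a small X.509 subject name by hand and computes both link-name hashes: the 0.9.8 form (first four bytes of MD5 over the raw DER Name, read little-endian) and the 1.0.0 form (first four bytes of SHA-1 over the canonical encoding). The canonicalisation is modelled on OpenSSL's x509_name_canon/asn1_string_canon and is simplified to single-attribute RDNs, ASCII values and three attribute OIDs; the `.0` suffix in the printed output is the one c_rehash appends to the first certificate with a given hash. Everything else (names, sample subjects) is constructed for the example.

```python
"""Added example: why OpenSSL 0.9.8 and 1.0.0 name certificate-directory links differently.

  0.9.8 (X509_NAME_hash_old): first 4 bytes of MD5 over the raw DER-encoded Name
  1.0.0 (X509_NAME_hash):     first 4 bytes of SHA-1 over the *canonical* Name

Both are read as a little-endian 32-bit value and printed as 8 hex digits.
The canonical encoding (modelled on OpenSSL's x509_name_canon) re-encodes every
string attribute as a UTF8String that is ASCII-lowercased, trimmed and
whitespace-collapsed, and it omits the outer SEQUENCE, concatenating only the
RDN SETs. That makes "equivalent" names hash alike under 1.0.0, and it is why
links created by 0.9.8 are never found by 1.0.0.

Assumptions/simplifications: single-attribute RDNs, ASCII values, three OIDs.
"""
import hashlib
import re

# DER-encoded attribute type OIDs: 2.5.4.6 (C), 2.5.4.10 (O), 2.5.4.3 (CN)
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
SEQUENCE, SET, OBJECT_ID, UTF8_STRING, PRINTABLE_STRING = 0x30, 0x31, 0x06, 0x0C, 0x13


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value wrapper."""
    return bytes([tag]) + der_len(len(body)) + body


def ava(attr: str, value: bytes, string_tag: int) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OBJECT IDENTIFIER, value <string_tag> }."""
    return tlv(SEQUENCE, tlv(OBJECT_ID, OID[attr]) + tlv(string_tag, value))


def encode_name(rdns) -> bytes:
    """Raw DER Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, PrintableString values."""
    sets = b"".join(tlv(SET, ava(a, v.encode("ascii"), PRINTABLE_STRING)) for a, v in rdns)
    return tlv(SEQUENCE, sets)


def canon_value(value: str) -> str:
    """asn1_string_canon: trim, collapse runs of ASCII whitespace to one space, lowercase ASCII."""
    parts = re.split(r"[ \t\n\r\f\v]+", value.strip(" \t\n\r\f\v"))
    collapsed = " ".join(p for p in parts if p)
    return "".join(c.lower() if c.isascii() else c for c in collapsed)


def encode_name_canon(rdns) -> bytes:
    """Canonical encoding: normalised UTF8String values, and no outer SEQUENCE wrapper."""
    return b"".join(
        tlv(SET, ava(a, canon_value(v).encode("utf-8"), UTF8_STRING)) for a, v in rdns
    )


def le32_hex(digest: bytes) -> str:
    """OpenSSL packs md[0] | md[1]<<8 | md[2]<<16 | md[3]<<24 and prints it with %08lx."""
    return "%08x" % int.from_bytes(digest[:4], "little")


def old_hash(rdns) -> str:
    """0.9.8 link name (X509_NAME_hash_old): MD5 of the raw DER Name."""
    return le32_hex(hashlib.md5(encode_name(rdns)).digest())


def new_hash(rdns) -> str:
    """1.0.0 link name (X509_NAME_hash): SHA-1 of the canonical encoding."""
    return le32_hex(hashlib.sha1(encode_name_canon(rdns)).digest())


# Two constructed CA subject names that differ only in letter case and spacing.
CA_A = [("C", "US"), ("O", "Example CA"), ("CN", "Example Root CA")]
CA_B = [("C", "US"), ("O", "Example  CA"), ("CN", "EXAMPLE ROOT CA")]


def compare() -> dict:
    """Link names each OpenSSL version would look for, for both constructed subjects."""
    return {"old": (old_hash(CA_A), old_hash(CA_B)),
            "new": (new_hash(CA_A), new_hash(CA_B))}


if __name__ == "__main__":
    r = compare()
    print("0.9.8-style links (MD5):   %s.0  %s.0" % r["old"])
    print("1.0.0-style links (SHA-1): %s.0  %s.0" % r["new"])
```

The 1.0.0 values for the two subjects come out identical while the 0.9.8 values differ, which is the "canonical encoding" improvement from the CHANGES entry; and neither 1.0.0 value ever matches a 0.9.8 link name, which is the breakage the thread describes. On a real system, OpenSSL 1.0.0's `openssl x509 -noout -subject_hash` and `-subject_hash_old` print the two forms for an actual certificate, so comparing them against the symlink names in the certs directory tells you at once which version built the links, before any client silently fails verification.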