OpenSSL 1.0.0 Gotcha - Certificate Hashes are Different

Matthias Andree mandree at FreeBSD.org
Mon May 3 18:04:21 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01.05.2010 05:16, John Marshall wrote:
> I just spent quite a while trying to figure out what broke SSL
> certificate verification in my irc client after taking some brave pills
> and updating ports on my notebook.
> 
> It turns out that OpenSSL 1.0.0 hashes certificates differently to
> earlier versions.  That meant that applications looking in my
> /usr/local/openssl/certs directory couldn't find hashes for CA
> certificates because the hash links had been created with OpenSSL 0.9.8.
> 
> From the CHANGES file in the root of the OpenSSL 1.0.0 distribution:
> 
>   "Enhance the hash format used for certificate directory links. The new
>    form uses the canonical encoding (meaning equivalent names will work
>    even if they aren't identical) and uses SHA1 instead of MD5. This form
>    is incompatible with the older format and as a result c_rehash should
>    be used to rebuild symbolic links.
>    [Steve Henson]"
> 
> So, that's good to know but here's the really fun bit.  Just running
> c_rehash won't fix it if you have openssl in the base system - because
> it picks up /usr/bin/openssl (old version, old hashes).  The
> /usr/local/bin/c_rehash script relies on an environment variable to
> point it at anything other than the base openssl.  So, if I set
> OPENSSL=/usr/local/bin/openssl in the environment and then run c_rehash,
> I get the "new" hashes and stuff works again.
> 

(cc'ing Dirk who maintains the OpenSSL port - consider taking the patch
linked below)

I reported this - along with proposed fixes - to OpenSSL a couple of
days ago, however there does not seem to be a 1.0.0a yet.

(username and password "guest")

Report: <http://rt.openssl.org/Ticket/Display.html?id=2234>

Deep link to patch:
<http://rt.openssl.org/Ticket/Attachment/26716/13060/openssl-1.0.0-fix-c_rehash.patch>


HTH
Matthias
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iEYEARECAAYFAkvfEAkACgkQvmGDOQUufZWnwQCgllN15Dzm2E5gQcTJOx4xlBvw
2+oAniPTLC32IBTBAAaC9+noMZHybGPQ
=U4UG
-----END PGP SIGNATURE-----
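The thread above explains the failure mode in words: links in the certificate directory are named after a hash of the CA's subject name, 0.9.8 and 1.0.0 compute that hash differently, and a directory rehashed with the wrong `openssl` binary leaves a 1.0.0 client unable to find its issuers. The following Python model, added here as an illustration and not code from the thread, from the FreeBSD port or from OpenSSL, reimplements both naming schemes over a constructed subject name and walks through the lookup a client performs. The canonical-form rules it applies (ASCII lower-casing, whitespace trimmed and collapsed, values re-tagged as UTF8String, outer SEQUENCE header omitted) and the little-endian fold of the first four digest bytes are assumptions taken from how OpenSSL's `X509_NAME_hash` behaves as the author of this example understands it; the authoritative values for a real certificate come from `openssl x509 -noout -subject_hash` and `-subject_hash_old`, which is also how you can check whether an existing link name is stale. The sample subjects and file name are constructed, not real CAs.

```python
"""Model of OpenSSL 0.9.8 (MD5 over DER) vs 1.0.0 (SHA1 over canonical form)
certificate-directory link names, and of the by-hash lookup that uses them.
Added example; the canonicalisation details are assumptions, see the lead-in."""
import hashlib
import struct

# DER tags used below
TAG_UTF8STRING = 0x0C
TAG_PRINTABLESTRING = 0x13
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OID = 0x06

OID_CN = bytes.fromhex("550403")  # 2.5.4.3  commonName
OID_O = bytes.fromhex("55040a")   # 2.5.4.10 organizationName

_UPPER_TO_LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                                "abcdefghijklmnopqrstuvwxyz")


def der(tag, content):
    """Encode tag + definite length + content in DER."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def canon_text(text):
    """Assumed canonical string form: trim, collapse whitespace, lower-case ASCII."""
    return " ".join(text.split()).translate(_UPPER_TO_LOWER)


def encode_name(rdns, canonical=False):
    """rdns: list of (oid, string_tag, text), one single-valued RDN each.
    Normal DER:  SEQUENCE { SET { SEQUENCE { OID, value } } ... }
    Canonical (assumed): values canonicalised and re-tagged UTF8String,
    and the outer SEQUENCE header left off."""
    body = b""
    for oid, tag, text in rdns:
        if canonical:
            text, tag = canon_text(text), TAG_UTF8STRING
        atv = der(TAG_SEQUENCE, der(TAG_OID, oid) + der(tag, text.encode("utf-8")))
        body += der(TAG_SET, atv)
    return body if canonical else der(TAG_SEQUENCE, body)


def hash_name(digest):
    """First four digest bytes folded little-endian into an unsigned 32-bit value,
    printed as the eight hex digits that form the link name (assumed byte order)."""
    return "%08x" % struct.unpack("<L", digest[:4])[0]


def old_hash(rdns):
    """0.9.8 style: MD5 over the plain DER encoding of the name."""
    return hash_name(hashlib.md5(encode_name(rdns)).digest())


def new_hash(rdns):
    """1.0.0 style: SHA1 over the canonical encoding of the name."""
    return hash_name(hashlib.sha1(encode_name(rdns, canonical=True)).digest())


def rehash(certs, hasher):
    """Model of c_rehash: map '<hash>.<n>' link names to files, numbering
    collisions .0, .1, ... as the directory lookup expects."""
    links, counts = {}, {}
    for filename, subject in certs:
        h = hasher(subject)
        n = counts.get(h, 0)
        counts[h] = n + 1
        links["%s.%d" % (h, n)] = filename
    return links


def find_issuer(links, issuer_name, hasher):
    """Model of the client side: hash the issuer name it needs and try
    <hash>.0, <hash>.1, ... until a name is absent."""
    h, n, found = hasher(issuer_name), 0, []
    while "%s.%d" % (h, n) in links:
        found.append(links["%s.%d" % (h, n)])
        n += 1
    return found


# Constructed sample: one CA, and the same name as another cert might spell it
EXAMPLE_CA = [(OID_O, TAG_PRINTABLESTRING, "Example Org"),
              (OID_CN, TAG_PRINTABLESTRING, "Example Root CA")]
EXAMPLE_CA_VARIANT = [(OID_O, TAG_PRINTABLESTRING, "EXAMPLE  ORG"),
                      (OID_CN, TAG_PRINTABLESTRING, "example root ca")]
CERTS = [("example-root.pem", EXAMPLE_CA)]


def demo():
    """Links built by the base 0.9.8 openssl vs. by the 1.0.0 port, as seen by a 1.0.0 client."""
    stale = rehash(CERTS, old_hash)   # c_rehash picked up /usr/bin/openssl
    fresh = rehash(CERTS, new_hash)   # OPENSSL=/usr/local/bin/openssl c_rehash
    return {
        "old_links_seen_by_new_client": find_issuer(stale, EXAMPLE_CA, new_hash),
        "new_links_seen_by_new_client": find_issuer(fresh, EXAMPLE_CA, new_hash),
        "variant_under_new": find_issuer(fresh, EXAMPLE_CA_VARIANT, new_hash),
    }


if __name__ == "__main__":
    print("old:", old_hash(EXAMPLE_CA), "new:", new_hash(EXAMPLE_CA))
    print(demo())
```

The `variant_under_new` entry shows the second half of the CHANGES note: under the canonical encoding, a name that differs only in case and spacing resolves to the same link, which the MD5-over-raw-DER scheme never did. On a real system the equivalent check is to compare each `<hash>.N` link name in the directory against `openssl x509 -noout -subject_hash -in <target>` run with the 1.0.0 binary; any mismatch means the directory was rehashed with the wrong `openssl`.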

