Hi,

> As only new openssl versions have X509_STORE and the api still looks
> incomplete / broken, the ssl.ca-file certificates need to be preloaded
> into all SSL_CTX (previously we had a SSL_CTX for each SNI host, but
> that didn't work well - that was the basic problem behind the security
> bug); if X509_STORE worked I could set it dynamically like the
> pem file.
> 
> My guess is that the two private CAs you configured have a name
> (Issuer/Subject) conflict; in that case openssl probably can't figure
> out which one to use.
That sounds reasonable, since I have now figured out that this only happens
with some PEM files/ca-files. I have now examined the certificates in
my ca-files, and some have the same Issuer, but they all have different
Subjects.

But I've found a certificate in 2 ca-files, where:
Issuer of certificate in ca-file1 == Subject of certificate in ca-file2
Subject of certificate in ca-file1 == Issuer of certificate in ca-file2

If I remove one of the certificates from one file, I can connect with SSL again.
(But that's certainly no solution, since they are different certificates,
and validation would then probably fail.)


By the way, I get the following error from wget/OpenSSL when the
SSL connection fails:

$ wget --no-check-certificate https://localhost
--2013-11-14 14:29:50--  https://localhost/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:443... connected.
OpenSSL: error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message size
Unable to establish SSL connection.


> This should probably be mentioned in debian/NEWS.
Yes, definitely.
But only mentioning this problem does not really help; there should be
(a) some solution or (b) a warning that this update may have just broken
the SSL connections, and that you should test it immediately and
maybe downgrade again.

And I think this is a *major* problem, since (as it seems) it breaks
SSL on all servers which use SNI and have two or more certificates from
the same issuer (or with a certificate of the same issuer in the
certificate-chain) -- which probably is *extremely* common.


regards,
Roland
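
An added example, not part of the thread: a small script that audits several ssl.ca-file bundles for the two name conflicts discussed above (the same Subject appearing in two files, and cross-signed pairs where the Issuer of one certificate is the Subject of the other and vice versa). It assumes the openssl CLI is installed and that each ca-file is a bundle of concatenated PEM certificates.

```shell
#!/bin/sh
# Added example (not from the thread): audit ssl.ca-file bundles for
# Subject/Issuer name conflicts. Assumes the openssl CLI and bundles
# of concatenated PEM certificates.

# Print one "file<TAB>subject<TAB>issuer" line per certificate found.
cert_names() {
  tmp=$(mktemp -d)
  for f in "$@"; do
    # split the bundle into one file per certificate
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/" n ".pem")}' "$f"
    for c in "$tmp"/*.pem; do
      [ -f "$c" ] || continue
      s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
      i=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
      printf '%s\t%s\t%s\n' "$f" "$s" "$i"
      rm -f "$c"
    done
  done
  rmdir "$tmp"
}

# Report, across different bundles, (a) two certificates with the same
# Subject and (b) cross-signed pairs, where the Issuer of one is the
# Subject of the other and vice versa. Self-signed roots are excluded
# from (b), since Subject == Issuer would match trivially.
find_conflicts() {
  cert_names "$@" | awk -F'\t' '
    { file[NR] = $1; subj[NR] = $2; iss[NR] = $3 }
    END {
      for (a = 1; a <= NR; a++)
        for (b = a + 1; b <= NR; b++) {
          if (file[a] == file[b]) continue
          if (subj[a] == subj[b])
            printf "duplicate subject: %s in %s and %s\n", subj[a], file[a], file[b]
          if (subj[a] != iss[a] && subj[b] != iss[b] &&
              iss[a] == subj[b] && subj[a] == iss[b])
            printf "cross-signed pair: %s <-> %s in %s and %s\n",
                   subj[a], subj[b], file[a], file[b]
        }
    }'
}

# usage: sh check-cafiles.sh ca-file1.pem ca-file2.pem ...
if [ $# -gt 0 ]; then
  find_conflicts "$@"
fi
```

Any line printed names a pair of certificates that could confuse the preloaded trust store; an empty result means the bundles are free of the two conflicts checked here.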

