[Bug 1207484] New: openssl-3: regression regarding certificate path availability
https://bugzilla.suse.com/show_bug.cgi?id=1207484

            Bug ID: 1207484
           Summary: openssl-3: regression regarding certificate path availability
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: pmonrealgonzalez@suse.com
          Reporter: amajer@suse.com
        QA Contact: security-team@suse.de
                CC: jsikes@suse.com, meissner@suse.com
          Found By: ---
           Blocker: ---

While testing why nodejs18 unit tests were failing in openssl-1_1 vs. openssl-3, I found that the errors are a result of the unavailable directory /var/lib/ca-certificates/openssl. If this directory does not exist, many unit tests are failing with errors similar to 'Error: error:16000069:STORE routines::unregistered scheme'.

~/rpmbuild/BUILD/node-v18.13.0> ./node18 test/sequential/test-tls-connect.js
node:assert:750
    throw err;
    ^

AssertionError [ERR_ASSERTION]: The input did not match the regular expression /no cipher match/i. Input:

'Error: error:16000069:STORE routines::unregistered scheme'

    at Object.<anonymous> (/home/abuild/rpmbuild/BUILD/node-v18.13.0/test/sequential/test-tls-connect.js:53:10)
    at Module._compile (node:internal/modules/cjs/loader:1218:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1272:10)
    at Module.load (node:internal/modules/cjs/loader:1081:32)
    at Module._load (node:internal/modules/cjs/loader:922:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:23:47 {
  generatedMessage: true,
  code: 'ERR_ASSERTION',
  actual: Error: error:16000069:STORE routines::unregistered scheme
      at configSecureContext (node:internal/tls/secure-context:230:11)
      at Object.createSecureContext (node:_tls_common:117:3)
      at Object.connect (node:_tls_wrap:1636:48)
      at /home/abuild/rpmbuild/BUILD/node-v18.13.0/test/sequential/test-tls-connect.js:54:9
      at getActual (node:assert:757:5)
      at Function.throws (node:assert:903:24)
      at Object.<anonymous> (/home/abuild/rpmbuild/BUILD/node-v18.13.0/test/sequential/test-tls-connect.js:53:10)
      at Module._compile (node:internal/modules/cjs/loader:1218:14)
      at Module._extensions..js (node:internal/modules/cjs/loader:1272:10)
      at Module.load (node:internal/modules/cjs/loader:1081:32) {
    opensslErrorStack: [
      'error:0A0000B9:SSL routines::no cipher match',
      'error:80000002:system library::No such file or directory'
    ],
    library: 'STORE routines',
    reason: 'unregistered scheme',
    code: 'ERR_OSSL_OSSL_STORE_UNREGISTERED_SCHEME'
  },
  expected: /no cipher match/i,
  operator: 'throws'
}

Node.js v18.13.0

If I simply create this directory, the unit tests pass as openssl-3 doesn't generate errors.

One possible solution is to ship an empty directory in the main library package. An alternative is to track down why OpenSSL is throwing these weird errors when this path is simply missing.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c1

--- Comment #1 from Marcus Meissner <meissner@suse.com> ---
buildrequires: ca-certificates

should help?
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c2

--- Comment #2 from Adam Majer <amajer@suse.com> ---
Trying to reproduce this with /usr/bin/openssl:

openssl s_client -verify_return_error -tls1_3 -servername suse.com -connect 18.66.97.25:443

The diff is,

CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
4077CB7C247F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
4077CB7C247F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/var/lib/ca-certificates/openssl)
4077CB7C247F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
4077CB7C247F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/var/lib/ca-certificates/openssl)
4077CB7C247F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
4077CB7C247F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/var/lib/ca-certificates/openssl)
4077CB7C247F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
4077CB7C247F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/var/lib/ca-certificates/openssl)
4077CB7C247F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file
4077CB7C247F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:267:calling stat(/var/lib/ca-certificates/openssl)
4077CB7C247F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
---

vs.

CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
40C7CEF4E17F0000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1889:
---

So, these are the extra error messages caused by the missing directory structure that are throwing these openssl errors.
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c3

--- Comment #3 from Adam Majer <amajer@suse.com> ---
(In reply to Marcus Meissner from comment #1)
> buildrequires: ca-certificates
>
> should help?

Yes, but it should not be necessary. I will add it in the meantime.
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c4

--- Comment #4 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Yes, both of these should be shipped by ca-certificates:

/var/lib/ca-certificates/ca-bundle.pem
/var/lib/ca-certificates/openssl

Probably, the easiest solution would be to require the package from nodejs. Adding it as a dependency of openssl might not be possible as I think it's not in ring0. Let me ask Dominique.
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c5

--- Comment #5 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
OK, I checked with Dominique and we cannot add a Requires: ca-certificates to openssl-3 since the package is not in ring0. But we can add a BuildRequires for nodejs to fix the regression tests and possibly a Requires if this is also needed at runtime. Would that be fine?
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c6

--- Comment #6 from Marcus Meissner <meissner@suse.com> ---
If openssl-3 really accesses this directory, we can also add

%dir /var/lib/ca-certificates/
%dir /var/lib/ca-certificates/openssl

to openssl-3.
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c7

--- Comment #7 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
(In reply to Marcus Meissner from comment #6)
> If openssl-3 really accesses this directory, we can also add
>
> %dir /var/lib/ca-certificates/
> %dir /var/lib/ca-certificates/openssl
>
> to openssl-3.

Yes, I can also add that to openssl-3. X509_CERT_DIR and X509_CERT_FILE are defined in [0] and used in these functions:

* X509_get_default_cert_dir()
* X509_get_default_cert_file()

Note that we patched them in [1] in the context of bsc#1022271. What to do with X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem" then?

[0] https://github.com/openssl/openssl/blob/openssl-3.0.7/include/internal/crypt...
[1] https://build.opensuse.org/package/view_file/security:tls/openssl-3/openssl-...
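The comment above names the two compiled-in defaults, X509_CERT_DIR and X509_CERT_FILE, that OpenSSL consults when an application asks for the default verify paths. The following is an added example, not code from this bug thread or from the openssl-3 or nodejs packages: it audits, from an application's point of view, whether those locations actually exist before any TLS verification is attempted. It relies only on Python's standard `ssl.get_default_verify_paths()`, which reports the compiled-in CA file and CA directory together with the environment variables that override them; the data class, the function names and the report format are this example's own. The core check is a pure function over explicit values so it can be exercised on constructed paths, with a thin wrapper that feeds it the live values of the interpreter's OpenSSL build.

```python
"""Audit the CA file / CA directory an OpenSSL-linked process will consult.

Added example (not part of the bug report). OpenSSL does not validate the
default verify locations when they are configured; a missing directory only
surfaces later, as extra entries on the error stack during verification.
This script makes the configured locations visible up front.
"""
import os
import ssl
from dataclasses import dataclass


@dataclass
class VerifyPathFinding:
    kind: str      # "cafile" or "capath"
    path: str      # location OpenSSL will try to use
    source: str    # "env:<VAR>" when overridden, otherwise "compiled-in default"
    exists: bool   # whether the location is present on this filesystem


def _effective(env_name, compiled_default, environ):
    """Resolve one location the way OpenSSL does: env override, else default."""
    override = environ.get(env_name)
    if override:
        return override, f"env:{env_name}"
    return compiled_default, "compiled-in default"


def audit_verify_paths(cafile_env, cafile_default, capath_env, capath_default, environ):
    """Return a finding for the CA file and one for the CA directory.

    Arguments are explicit (not read from the live process) so the logic can
    be run on constructed values; collect_live_findings() supplies real ones.
    """
    findings = []
    for kind, env_name, default, present in (
        ("cafile", cafile_env, cafile_default, os.path.isfile),
        ("capath", capath_env, capath_default, os.path.isdir),
    ):
        path, source = _effective(env_name, default, environ)
        if not path:
            continue
        findings.append(VerifyPathFinding(kind, path, source, present(path)))
    return findings


def missing_paths(findings):
    """Locations OpenSSL is configured to consult but that are absent on disk."""
    return [f.path for f in findings if not f.exists]


def format_report(findings):
    """Human-readable summary, one line per configured location."""
    lines = []
    for f in findings:
        state = "ok" if f.exists else "MISSING"
        lines.append(f"{f.kind:6} {state:7} {f.path}  ({f.source})")
    return "\n".join(lines)


def collect_live_findings():
    """Audit the defaults of the OpenSSL this interpreter is linked against."""
    p = ssl.get_default_verify_paths()
    # openssl_cafile / openssl_capath are the raw compiled-in values
    # (X509_get_default_cert_file / X509_get_default_cert_dir); the *_env
    # fields are the override variable names (normally SSL_CERT_FILE and
    # SSL_CERT_DIR).
    return audit_verify_paths(
        p.openssl_cafile_env, p.openssl_cafile,
        p.openssl_capath_env, p.openssl_capath,
        os.environ,
    )


if __name__ == "__main__":
    live = collect_live_findings()
    print(format_report(live))
    if missing_paths(live):
        raise SystemExit(1)
```

Run as a script it prints one line per location and exits non-zero when either is absent, which is the condition the thread traces the "unregistered scheme" and "No such file or directory" entries to. In a build or CI environment it is a cheap precondition check to run before a TLS-dependent test suite.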
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c8

--- Comment #8 from Marcus Meissner <meissner@suse.com> ---
Hmm, this file is owned by ca-certificates; it cannot be shared between packages.
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c9

--- Comment #9 from Adam Majer <amajer@suse.com> ---
(In reply to Marcus Meissner from comment #6)
> If openssl-3 really accesses this directory, we can also add
>
> %dir /var/lib/ca-certificates/
> %dir /var/lib/ca-certificates/openssl
>
> to openssl-3.

Yes, just adding these directories, even empty, solves all the problems with these additional errors. I think this would be the least intrusive change.
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c10

--- Comment #10 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
Yes, only having the /var/lib/ca-certificates/openssl directory in place is required for the nodejs regression tests to pass. I'm adding it now.
https://bugzilla.suse.com/show_bug.cgi?id=1207484
https://bugzilla.suse.com/show_bug.cgi?id=1207484#c11

Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
             CC|                            |otto.hollmann@suse.com,
               |                            |pmonrealgonzalez@suse.com
     Resolution|---                         |FIXED

--- Comment #11 from Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com> ---
I forgot to add the bug tracking number to the changelog. I just added it and submitted to the devel project. It will be available in the next Factory submission. I'm closing the bug as it's fixed. Thanks everyone involved.