
OpenSSL default certificate directory when IceSSL.UsePlatformCA property is used.

fish4life (Jeremy Cook, HP Inc, Project: Remote Boost - remoting software), Member

I’m attempting to validate certificates on Ubuntu 20.04 using the IceSSL.UsePlatformCAs property using C++. It’s worth noting that I’m using a different distribution of openSSL 1.1.1f, rather than the system distribution.

Even when I copy the PEM certificate file into the directory that OpenSSL should be using by default (/usr/lib/ssl/certs on Ubuntu, as far as I can tell) and configure and run update-ca-certificates, it fails to validate the certificate. As far as I can tell, no errors are logged, even with a variety of Ice logging settings turned on.

However, when I set the SSL_CERT_DIR or SSL_CERT_FILE environment variables (i.e. running SSL_CERT_DIR=/usr/lib/ssl/certs my_program) with my PEM certificate file present in that directory or at that file, Ice successfully validates the cert.

My desired behavior is for Ice to use OpenSSL’s default certificate directory (or some other reasonable default) for certificate validation when I set UsePlatformCAs, without me needing to set any environment variables. How can I accomplish this? Is there extra openSSL init code I need to run? Would I need to use the system’s openSSL version instead?

If that isn’t possible, is there a way to find out where Ice is looking?

Comments

  • xdm (Jose Gutierrez de la Concha, ZeroC, Inc., La Coruña, Spain), Administrators, ZeroC Staff

    Hi Jeremy,

    Was your OpenSSL distribution built to use /usr/lib/ssl/certs, or maybe your build is using another directory? What is the output of openssl version -a?

    The fact that it works when you set the environment variables seems to indicate that the default settings are not what you expect.

  • jnewport (Jordan Newport, HP Inc.), Member

    (This is actually my question--Jeremy just posted it for me while I waited for my account to be approved).

    openssl version -a fails with a symbol lookup error on one of the pieces of information it requests, likely because of how we built it. However, here's the output of openssl version with all the flags that do work (all of them except -o):

    ./openssl version -v -b -f -p -d -e
    OpenSSL 1.1.1g  21 Apr 2020 (Library: OpenSSL 1.1.1f  31 Mar 2020)
    built on: Mon Mar 22 11:37:17 2021 UTC
    platform: debian-amd64
    compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-Juj39H/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
    OPENSSLDIR: "/usr/lib/ssl"
    ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
    

    This is the same OPENSSLDIR that the distro's OpenSSL reports.

  • xdm (Jose Gutierrez de la Concha, ZeroC, Inc., La Coruña, Spain), Administrators, ZeroC Staff

    Did you install your CA certificate in /usr/share/ca-certificates and add it to /etc/ca-certificates.conf before using update-ca-certificates?

  • xdm (Jose Gutierrez de la Concha, ZeroC, Inc., La Coruña, Spain), Administrators, ZeroC Staff

    I just tested with the hello demo and this seems to work. Here is what I did:

    Copy the demo CA certificate to /usr/share/ca-certificates/zeroc/cacert.pem

    Add an entry in /etc/ca-certificates.conf with zeroc/cacert.pem

    Run update-ca-certificates

    In config.client, remove IceSSL.CAs=cacert.pem and add IceSSL.UsePlatformCAs=1

    I tested it with OpenSSL 1.1.1f and Ubuntu 20.10.

  • jnewport (Jordan Newport, HP Inc.), Member

    It does work with the system Ice and OpenSSL libraries; it seems to be ours that is the problem. I'm looking into other approaches now, thank you for your help.

  • xdm (Jose Gutierrez de la Concha, ZeroC, Inc., La Coruña, Spain), Administrators, ZeroC Staff

    Did you try installing your version in a different location? It can be a problem to have two versions that are not binary compatible installed with the same prefix; this is mentioned in the OpenSSL docs: https://wiki.openssl.org/index.php/Compilation_and_Installation#PREFIX_and_OPENSSLDIR

  • jnewport (Jordan Newport, HP Inc.), Member

    Yes, our prefix and openssldir are set, and we have a different prefix from the system installation.

  • xdm (Jose Gutierrez de la Concha, ZeroC, Inc., La Coruña, Spain), Administrators, ZeroC Staff

    According to the openssl output you posted before, you are using the same as the system default for your builds:

    OPENSSLDIR: "/usr/lib/ssl"
    ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
    
  • jnewport (Jordan Newport, HP Inc.), Member

    That is true, but the function call X509_get_default_cert_dir_env (which OpenSSL is using) doesn't produce the correct value when compiled and run with our openssl version. It instead looks in the directory where it was compiled.
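Added example (not from the thread, not ZeroC or HP code): a small POSIX shell helper that answers "where is OpenSSL looking?" for an OpenSSL 1.1 build. It takes the OPENSSLDIR that openssl version -d prints (the "/usr/lib/ssl" quoted above), applies the SSL_CERT_DIR / SSL_CERT_FILE overrides the same way X509_get_default_cert_dir_env and X509_get_default_cert_file_env resolve them, and counts hash-named entries in the resulting directory, because the by-directory lookup only finds a CA through a <hash>.N name (what update-ca-certificates or c_rehash create), never through a bare cacert.pem copied in. The OPENSSLDIR used in the demo at the bottom is a constructed temporary directory, not a real host.

```shell
#!/bin/sh
# Resolve where an OpenSSL 1.1 build looks for trusted CAs, mirroring the
# defaults behind X509_get_default_cert_dir_env()/X509_get_default_cert_dir():
#   SSL_CERT_DIR  overrides <OPENSSLDIR>/certs
#   SSL_CERT_FILE overrides <OPENSSLDIR>/cert.pem
# $1 is the OPENSSLDIR reported by `openssl version -d`, e.g. /usr/lib/ssl.
effective_cert_dir() {
    printf '%s\n' "${SSL_CERT_DIR:-$1/certs}"
}

effective_cert_file() {
    printf '%s\n' "${SSL_CERT_FILE:-$1/cert.pem}"
}

# Extract the directory from a line such as:  OPENSSLDIR: "/usr/lib/ssl"
openssldir_from_version_output() {
    sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p'
}

# Count hash-named entries (<8 hex digits>.<n>) in a cert directory. The
# by-directory lookup (X509_LOOKUP_hash_dir) only finds a CA through such a
# name, which c_rehash / update-ca-certificates create; a bare cacert.pem
# copied into the directory is never consulted.
count_hashed_certs() {
    n=0
    for f in "$1"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Print the effective locations for one OPENSSLDIR.
report() {
    dir=$(effective_cert_dir "$1")
    file=$(effective_cert_file "$1")
    echo "cert dir : $dir ($(count_hashed_certs "$dir") hashed entries)"
    if [ -r "$file" ]; then echo "cert file: $file"; else echo "cert file: $file (missing)"; fi
}

# Demo on a constructed temporary OPENSSLDIR (not a real host): one hashed
# link (constructed hash name) and one bare PEM, so only the link counts.
demo=$(mktemp -d)
mkdir -p "$demo/certs"
: > "$demo/certs/cacert.pem"
: > "$demo/certs/4a6481c9.0"
report "$demo"
rm -rf "$demo"
```

Run it against the real OPENSSLDIR of the build your program links (not the distro's), since that is the value compiled into the library; with SSL_CERT_DIR exported, the reported directory changes accordingly.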
