Why does openssl -trusted_first option behave differently from X509_V_FLAG_TRUSTED_FIRST environment variable?
I've a perl script that runs openssl to locally check certificates' validity. I don't want to just set an env var and walk away. This feels more like something is funny with my openssl installation or configuration.
What is the system, versions…
I'm locally validating certificates from Letsencrypt. This is a 20.04/Focal system. Openssl is OpenSSL 1.1.1f 31 Mar 2020, and so I would expect it to happily validate certs, even with LE "cross-signing" them using the new ISRG root cert.
However, once the old X3 cert expired, these errors began…
openssl verify -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1.
error 2 at 2 depth lookup: unable to get issuer certificate.
error /path/redacted/cert.pem: verification failed
This felt strange. Some digging led me to wonder about the -trusted_first option to openssl verify. This is exactly what openssl would complain about if the trusted-first option is not enabled. Trying to explicitly enable that option, however, has no effect:
openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /path/redacted/cert.pem: verification failed
Ok, fine. That option should be on by default since openssl 1.1.1 (that's this system, see above). So my explicitly including it should make no difference.
But eventually I tried specifying it as an env var. Wait, wat? Why does specifying this environment variable fix openssl's behavior to trust the first root cert it finds in the chain:
set X509_V_FLAG_TRUSTED_FIRST openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem
…runs with exit value of zero.
zooming out
I don't understand why openssl doesn't Just Work(tm). This is a fully updated 20.04. The newer ISRG root cert is installed in /etc/ssl/certs/ISRG_Root_X1.pem and update-ca-certificates is happy:
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
I'm pretty sure that is not how you set an environment variable before running a command.
https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html
For example, I think you'd want something like
X509_V_FLAG_TRUSTED_FIRST=1 openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem
instead.
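Added example, not part of the question or the answer: a stand-in shell function takes the place of the real openssl binary so it runs anywhere, and it shows why the `set ...` line returned 0: `set` is the shell builtin that replaces the positional parameters, so openssl never ran and the zero exit status said nothing about the certificate. X509_V_FLAG_TRUSTED_FIRST is a flag constant in OpenSSL's C API (passed to X509_VERIFY_PARAM_set_flags), not an environment variable the openssl command reads, so even the corrected prefix form only changes the process environment, not how verification is done.

```sh
#!/bin/sh
# Added example (not from the question or the answer above).
# fake_openssl is a stand-in for the real openssl binary so this runs anywhere;
# it only records whether it was invoked and what it saw in its environment.
ran_verify=0
seen_env=unset
fake_openssl() {
    ran_verify=1
    seen_env=${X509_V_FLAG_TRUSTED_FIRST:-unset}
}

# Form 1: the line from the question. `set` is a shell builtin: it replaces the
# positional parameters $1, $2, ... with the words after it and returns 0.
# "fake_openssl" simply becomes $2; no command is ever executed.
with_set_builtin() {
    ran_verify=0
    set X509_V_FLAG_TRUSTED_FIRST fake_openssl verify -trusted_first -verbose -purpose sslserver -CAfile chain.pem cert.pem
    echo "exit=$? ran=$ran_verify argc=$# first=$1"
}

# Form 2: the answer's suggestion. NAME=value before a command name puts that
# variable into the command's environment and then actually runs the command.
with_env_prefix() {
    ran_verify=0
    X509_V_FLAG_TRUSTED_FIRST=1 fake_openssl verify -trusted_first -verbose -purpose sslserver -CAfile chain.pem cert.pem
    echo "exit=$? ran=$ran_verify env=$seen_env"
}

with_set_builtin    # exit=0 ran=0 argc=10 first=X509_V_FLAG_TRUSTED_FIRST
with_env_prefix     # exit=0 ran=1 env=1
```

An exit status of 0 is only meaningful when the command under test actually ran, so check that the verification output (or a logged invocation) is present before treating a script's result as "valid".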