Why does openssl -trusted_first option behave differently from X509_V_FLAG_TRUSTED_FIRST environment variable?

openssl letsencrypt

I've a perl script that runs openssl to locally check certificates' validity. I don't want to just set an env var and walk away. This feels more like something is funny with my openssl installation or configuration

What is the system, versions…

I'm locally validating certificates from Letsencrypt. This is a 20.04/Focal system. Openssl is OpenSSL 1.1.1f 31 Mar 2020 and so I would expect it to happy validate certs, even with LE "cross-signing" them using the new ISRG root cert.

However, once the old X3 cert expired, these errors began…

openssl verify -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1. 
error 2 at 2 depth lookup: unable to get issuer certificate. 
error /path/redacted/cert.pem: verification failed

This felt strange. Some digging led me to wonder about the -trusted_first option to openssl verify. This is exactly what openssl would complain if trusted-first option is not enabled. Trying to explicitly enable that option however, has no affect:

openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error /path/redacted/cert.pem: verification failed

Ok, fine. That option should be on by default since openssl 1.1.1 (that's this system, see above). So my explicitly including it should make no difference.

But eventually I tried specifying it as an env var. Wait, wat? Why does specifying this environment variable fix openssl's behavior to trust the first root cert it finds in the chain:

set X509_V_FLAG_TRUSTED_FIRST openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem

…runs with exit value of zero.

zooming out

I don't understand why openssl doesn't Just Work(tm). This is a fully updated 20.04. The newer ISRG root cert is installed in /etc/ssl/certs/ISRG_Root_X1.pem and update-ca-certificates is happy:

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

I'm pretty sure that is not how you set an environment variable before running a command.

https://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html

For example, I think you'd want something like

X509_V_FLAG_TRUSTED_FIRST=1 openssl verify -trusted_first -verbose -purpose sslserver -CAfile /path/redacted/chain.pem /path/redacted/cert.pem

instead.

Related

How can I input Unicode characters in Kate and Konsole on Kubuntu 18.04?
How to create calculator with bash?
How to Fully Backup and Restore gpg Keys, Signatures and Settings
Using JQ and curl to get list of all ID's that have a certain type
make problem: No rule to make target /usr/lib/x86_64-linux-gnu/libpcl_common.so
Intel WiFi AX200 - MSI x570 ACE
How to disable clipboard redirection for my users from their local systems in xrdp
Updating Azure Data Studio
How do I install Sublime Text 2/3?I tried but I am getting error
on interface of ubuntu login [closed]
Wifi icon disappear, no internet iwlwifi errors
I need help connecting to my school network using a CA Certificate