[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

Jayalakshmi bhat bhat.jayalakshmi at gmail.com
Mon Nov 16 06:52:48 UTC 2015


Hi Victor,

Thanks a lot for the detailed explanation.

Our device acts as a TLS/SSL client. The device receives a chain of
certificates as part of the SSL handshake when it tries to connect to a
TLS/SSL server such as SharePoint 365.

While validating the certificate chain from the server, "check_trust" fails
with X509_V_ERR_CERT_UNTRUSTED.

This had been working fine with OpenSSL 1.0.1c.

When I checked the code execution, check_trust was not being called in
OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.

That is why I wanted to know whether it is mandatory for applications to
set X509_VERIFY_PARAM in X509_STORE_CTX.

Regards
Jayalakshmi
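An added example, not from the thread, that makes the trust setting consulted by check_trust visible with the openssl command-line tool rather than the C API. `openssl verify -purpose sslserver` sets the verification purpose in X509_VERIFY_PARAM and, from it, the trust identifier X509_TRUST_SSL_SERVER; that is the same pair libssl installs for a TLS client through X509_STORE_CTX_set_default(ctx, "ssl_server") before it calls X509_verify_cert. The root CA and server certificate are constructed in a temporary directory (names invented), and the behaviour shown is that of current OpenSSL releases (1.1.1 and 3.x), which is an assumption about the installed version rather than a statement about 1.0.1c or 1.0.2d.

```shell
#!/bin/sh
# Added example (not from the thread): show what the trust setting that
# check_trust() consults does, using the openssl CLI instead of the C API.
# The CA and server certificate are constructed here in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_pki: one self-signed root CA and one server certificate it issued.
# Each command takes its own config file, so the system openssl.cnf cannot
# add or alter extensions.
build_pki() {
    cat > "$WORK/root.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = root_ext
[ dn ]
CN = Example Root CA (constructed)
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/root.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 30 >/dev/null 2>&1

    cat > "$WORK/leaf.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = server.example.test
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example.test
EOF
    openssl req -new -config "$WORK/leaf.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
        -extfile "$WORK/leaf.cnf" -extensions leaf_ext \
        -out "$WORK/leaf.pem" >/dev/null 2>&1

    # The same root written as a "TRUSTED CERTIFICATE": its auxiliary trust
    # data says this anchor must not be trusted for serverAuth. That aux
    # data is what X509_check_trust() reads inside check_trust().
    openssl x509 -in "$WORK/root.pem" -addreject serverAuth \
        -out "$WORK/root-reject.pem" >/dev/null 2>&1
}

# verify_chain ANCHOR [PURPOSE]: verify leaf.pem with ANCHOR as the trust
# anchor. "-purpose sslserver" sets the X509_VERIFY_PARAM purpose and, from
# it, trust = X509_TRUST_SSL_SERVER, the defaults libssl applies for a TLS
# client. Without PURPOSE, trust stays at X509_TRUST_DEFAULT.
verify_chain() {
    anchor=$1
    if [ $# -gt 1 ]; then purpose="-purpose $2"; else purpose=; fi
    # $purpose is left unquoted so that it splits into two words.
    if openssl verify $purpose -CAfile "$WORK/$anchor" "$WORK/leaf.pem" \
        >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

build_pki
echo "sslserver purpose, plain root:              $(verify_chain root.pem sslserver)"           # accepted
echo "sslserver purpose, root rejects serverAuth: $(verify_chain root-reject.pem sslserver)"    # rejected
echo "default trust,     root rejects serverAuth: $(verify_chain root-reject.pem)"              # accepted

# OpenSSL's own diagnostic for the rejected case (X509_V_ERR_CERT_REJECTED);
# the non-zero exit status is deliberately ignored here.
openssl verify -purpose sslserver -CAfile "$WORK/root-reject.pem" "$WORK/leaf.pem" 2>&1 || true
```

The second and third lines are the ones that bear on the question above: the explicit serverAuth rejection on the anchor is honoured only when param->trust has been set to a specific trust id (here through the purpose); with the default trust the self-signed anchor passes the compatibility check and the rejection is never consulted. A TLS client therefore wants purpose and trust set on the X509_STORE_CTX it verifies with, which libssl does on its own verification path via X509_STORE_CTX_set_default.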




On Mon, Nov 16, 2015 at 11:40 AM, Viktor Dukhovni <
openssl-users at dukhovni.org> wrote:

>
> > On Nov 16, 2015, at 12:14 AM, Jayalakshmi bhat <
> bhat.jayalakshmi at gmail.com> wrote:
> >
> > This is code snippet from OpenSSL 1.0.1c
> >
> > int X509_verify_cert(X509_STORE_CTX *ctx) {
> >
> >        ....................
> >        ....................
> >        ....................
> >      /* The chain extensions are OK: check trust */
> >
> >       if (param->trust > 0) ok = check_trust(ctx);
> > }
> >
> > I am talking about "if (param->trust > 0)" that seems to removed in
> OpenSSL 1.0.2d.
>
> Well this code was removed in 1.0.2d, rather the code in question was
> removed via
>
> commit d65b8b2162f33ac0d53dace588a0847ed827626c
> Author: Ben Laurie <ben at openssl.org>
> Date:   Fri Dec 14 12:53:53 2012 +0000
>
>     Backport OCSP fixes.
>
> More than 2 years before the first OpenSSL 1.0.2 release:
>
> commit 4ac0329582829f5378d8078c8d314ad37db87736
> Author: Matt Caswell <matt at openssl.org>
> Date:   Thu Jan 22 16:12:26 2015 +0000
>
>     Prepare for 1.0.2 release
>
>     Reviewed-by: Stephen Henson <steve at openssl.org>
>
> http://openssl.org/news/newslog.html
>
> Date    Item
> 09-Jul-2015     Security Advisory: one security fix
> 09-Jul-2015     OpenSSL 1.0.2d is now available, including bug and
> security fixes
> 09-Jul-2015     OpenSSL 1.0.1p is now available, including bug and
> security fixes
> 06-Jul-2015     OpenSSL 1.0.2d and 1.0.1p security releases due 9th July
> 2015
> 12-Jun-2015     New releases to resolve ABI compatibility problems:
> 12-Jun-2015     OpenSSL 1.0.2c is now available, including bug fixes
> 12-Jun-2015     OpenSSL 1.0.1o is now available, including bug fixes
> 11-Jun-2015     Security Advisory: five security fixes
> 11-Jun-2015     OpenSSL 1.0.2b is now available, including bug and
> security fixes
> 11-Jun-2015     OpenSSL 1.0.1n is now available, including bug and
> security fixes
> 11-Jun-2015     OpenSSL 1.0.0s is now available, including bug and
> security fixes
> 11-Jun-2015     OpenSSL 0.9.8zg is now available, including bug and
> security fixes
> 19-Mar-2015     Security Advisory: twelve security fixes
> 19-Mar-2015     OpenSSL 1.0.2a is now available, including bug and
> security fixes
> 19-Mar-2015     OpenSSL 1.0.1m is now available, including bug and
> security fixes
> 19-Mar-2015     OpenSSL 1.0.0r is now available, including bug and
> security fixes
> 19-Mar-2015     OpenSSL 0.9.8zf is now available, including bug and
> security fixes
> 22-Jan-2015     OpenSSL 1.0.2 is now available, a major release
>
> You should probably explain what you're doing, and in what way OpenSSL
> 1.0.2
> (all upstream versions) is not working the way you expect.
>
> --
>         Viktor.