[openssl-users] (Probably) Silly Application Programming Question

Karl Denninger karl at denninger.net
Mon Jan 11 03:53:03 UTC 2016


On 1/10/2016 21:43, Viktor Dukhovni wrote:
> On Sun, Jan 10, 2016 at 08:20:41PM -0600, Karl Denninger wrote:
>
>> I found the problem... for an unexplained reason either the certificate
>> or key were corrupt; I have added checking to make sure they're
>> coherent, as apparently OpenSSL is perfectly happy to load a bogus cert
>> (or key) without throwing an error, but won't present them.
> You forgot to validate the loaded cert/key combination via:
>
>     SSL_CTX_check_private_key(ctx);
>
> which should be called after loading the key and certificate.
>
Yep.  Fixed that, and then found out that the old recipes for walking
through the subjectAltName data are no longer workable (apparently the
published "book" work on that went rooting around in internal data
structures that one should not be playing with)... there's a
resolution for that too though (just had to dig around a bit), so it's
all good now.

Thanks...

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/