[openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

Sands, Daniel dnsands at sandia.gov
Fri Dec 22 19:31:35 UTC 2017


On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote:
> Unfortunately this didn't work either. The end result is the same;
> OpenSSL still emits a "certificate signature failure" with an error
> depth of 0.
> 
In light of what Salz said about verification, could we assume that the
openssl verify program that succeeded is based on the older library?

It could be that your CA cert is missing an extension that OSSL now
checks for, such as (spitballing here) that the certificate is valid
for certificate signing.

You could check by substituting other certificates in your program to
see if the code itself works, and also closely examine your own
certificates to make sure all the requirements are met.
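
One way to carry out the examination suggested above, as an added example that is not part of the original message: a shell function that checks whether a CA certificate asserts CA:TRUE and, when keyUsage is present, keyCertSign. The function names, the throwaway config and the sample certificates are constructed for illustration; the check covers only these two extensions and does not by itself explain a "certificate signature failure".

```shell
#!/bin/sh
# Added example (not from the thread). Checks a PEM certificate for the
# extensions a certificate that signs other certificates is expected to carry.

# check_ca_cert FILE -> 0 usable as issuer, 1 extension problem, 2 unreadable
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # basicConstraints must assert CA:TRUE (a v1 cert with no extensions fails here).
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || {
        echo "$1: basicConstraints CA:TRUE missing"; return 1; }
    # keyUsage is optional; when present it must include keyCertSign.
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || {
            echo "$1: keyUsage present without keyCertSign"; return 1; }
    fi
    echo "$1: CA:TRUE and keyUsage permit certificate signing"
}

# make_test_cert DIR NAME SECTION: constructed self-signed sample certificate
# whose extensions come from [SECTION] of the throwaway config below.
make_test_cert() {
    cat > "$1/test.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed example CA
[signing_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[no_certsign]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature
[not_ca]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/test.cnf" \
        -extensions "$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
```

Run `check_ca_cert` on the CA certificate the program actually loads, and on a known-good CA for comparison.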

