[openssl-users] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

Viktor Dukhovni openssl-users at dukhovni.org
Thu Dec 28 15:57:12 UTC 2017



> On Dec 28, 2017, at 4:54 AM, Manuel Wagesreither <ManWag at FastMail.FM> wrote:
> 
> Thanks for your feedback. Unfortunately I cannot include the certificate raw data as it may contain sensitive information. Also, I'm unable to replace them with self-made certificates as I don't know the parameters the original ones were created with in the first place. The original creators are inaccessible at the moment. If the problem persists, I will reproduce the problem with test certificates (whose raw data I can publish) in a few weeks.

You should be able to publish edited output of:

    openssl crl2pkcs7 -nocrl -certfile chain.pem |
	openssl pkcs7 -print_certs -text -noout

With any sensitive values hand-replaced with "censored-NNN"
where the "NNN" part uniquely corresponds to each original
value (same values get same "NNN", distinct values get
distinct "NNN").

The "chain.pem" file should have the leaf certificate first,
then its issuer, then the issuer of that certificate, ...
up to the trust anchor.  Please also make sure that the
chain in question passes (with OpenSSL 1.1.0 per your report)
is reported verified with:

    $ openssl verify -no-CApath -no-CAfile \
	-trusted root.pem -untrusted chain.pem \
	chain.pem

Where "root.pem" contains just the last certificate
from the chain.pem file.  Post the output of that
command for 1.1.0.  Please also report similar output
for 1.0.2, with the command modified to:

    $ capath=$(mktemp -d empty.XXXXXX)
    $ cafile=root.pem
    $ openssl verify -CApath $capath -CAfile root.pem \
	-trusted root.pem -untrusted chain.pem \
	chain.pem

Again, if anything in the output is sensitive, censor the
values, with "censoredNNN" matching the replacements in
the certificate chain.

-- 
	Viktor.



More information about the openssl-users mailing list