[openssl-users] troubleshooting a puzzling issue
Thierry Parmentelat
thierry.parmentelat at inria.fr
Fri Jan 13 15:46:59 UTC 2017
Hey Richard
here’s what I see
# openssl help
openssl:Error: 'help' is an invalid command.
Standard commands
asn1parse ca ciphers cms
crl crl2pkcs7 dgst dh
dhparam dsa dsaparam ec
ecparam enc engine errstr
gendh gendsa genpkey genrsa
nseq ocsp passwd pkcs12
pkcs7 pkcs8 pkey pkeyparam
pkeyutl prime rand req
rsa rsautl s_client s_server
s_time sess_id smime speed
spkac ts verify version
x509
Message Digest commands (see the `dgst' command for more details)
md2 md4 md5 rmd160
sha sha1
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb base64 bf
bf-cbc bf-cfb bf-ecb bf-ofb
camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb
camellia-256-cbc camellia-256-ecb cast cast-cbc
cast5-cbc cast5-cfb cast5-ecb cast5-ofb
des des-cbc des-cfb des-ecb
des-ede des-ede-cbc des-ede-cfb des-ede-ofb
des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx idea
idea-cbc idea-cfb idea-ecb idea-ofb
rc2 rc2-40-cbc rc2-64-cbc rc2-cbc
rc2-cfb rc2-ecb rc2-ofb rc4
rc4-40 rc5 rc5-cbc rc5-cfb
rc5-ecb rc5-ofb seed seed-cbc
seed-cfb seed-ecb seed-ofb zlib
So I do see md5 in the list of digests.
What else should I be looking at?
Is there a way to get some sort of error code or something that would at least hint at a direction?
thanks — Thierry
> On 13 Jan 2017, at 16:37, Richard Levitte <levitte at openssl.org> wrote:
>
> In message <41A36A7F-FF5D-4190-9178-E9FF11AFF712 at inria.fr> on Fri, 13 Jan 2017 11:28:40 +0100, Thierry Parmentelat <thierry.parmentelat at inria.fr> said:
>
> thierry.parmentelat> I am facing a problem that I have narrowed down to this:
> thierry.parmentelat>
> thierry.parmentelat> I have two certificates, one being signed by the other
> thierry.parmentelat> the attached code is a python code that uses M2Crypto to check for that fact
> thierry.parmentelat>
> thierry.parmentelat> and it turns out, on some boxes x509_verify() returns 1 as expected, while on some others I am getting -1
> thierry.parmentelat>
> thierry.parmentelat>
> thierry.parmentelat> ---
> thierry.parmentelat> I apologize that I am not able to write a pure C code that would reproduce the issue (I’m afraid that me trying to achieve that would just lead to more artificial problems than be actually helpful in any way :)
> thierry.parmentelat>
> thierry.parmentelat> the m2crypto guys tell me they are essentially just passing stuff along to openssl’s function
> thierry.parmentelat> X509_verify
> thierry.parmentelat> as described here
> thierry.parmentelat> https://www.openssl.org/docs/man1.1.0/crypto/X509_verify.html
>
> Considering both certs in the attached script use the signature
> algorithm md5WithRSAEncryption, you could get that kind of error with
> an OpenSSL installation where MD5 has been disabled. 'openssl help'
> will show you what's enabled, or 'openssl list -disabled' (with
> OpenSSL 1.1.0) to see what's disabled.
>
> There are other things that can give you a -1 as well...
>
> Cheers,
> Richard
>
> --
> Richard Levitte levitte at openssl.org
> OpenSSL Project http://www.openssl.org/~levitte/
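
Added example, not part of the original thread and not code from M2Crypto or OpenSSL: a standard-library Python sketch of the check suggested above. It reads the outer signatureAlgorithm OID from a DER certificate, maps it to a digest name, and looks for that name in the digest section of `openssl help` output. The function names, the OID table and both sample inputs are assumptions made for this illustration; SAMPLE_DER is a constructed skeleton, not one of the certificates from the thread.

```python
import re

# Signature-algorithm OIDs -> digest name as printed by `openssl help`
SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.2": "md2",    # md2WithRSAEncryption
    "1.2.840.113549.1.1.4": "md5",    # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",   # sha1WithRSAEncryption
}
# Constructed skeleton: SEQUENCE { dummy tbs, AlgorithmIdentifier(md5WithRSA), BIT STRING }
SAMPLE_DER = bytes.fromhex("3017" "30020500" "300d06092a864886f70d0101040500" "03020000")
# Digest section of `openssl help`, in the layout shown in the message above
SAMPLE_HELP = ("Message Digest commands (see the `dgst' command for more details)\n"
               "md2 md4 md5 rmd160\nsha sha1\nCipher commands (see the `enc' command)\n")

def read_tlv(buf, pos):
    # Return (tag, value_start, value_end) of the DER element at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    # The first byte packs the first two arcs; the rest are base-128 groups.
    arcs, value = [min(body[0] // 40, 2)], 0
    arcs.append(body[0] - 40 * arcs[0])
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    _, cert_start, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, cert_start)     # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)      # outer AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    return decode_oid(der[oid_start:oid_end])

def listed_digests(help_text):
    # Names printed between the digest header and the cipher header.
    m = re.search(r"Message Digest commands[^\n]*\n(.*?)(?=Cipher commands|\Z)", help_text, re.S)
    return set(m.group(1).split()) if m else set()

def digest_needed_and_listed(der, help_text):
    digest = SIG_OID_DIGEST.get(signature_oid(der))
    return digest, digest in listed_digests(help_text)
```

For a PEM certificate, base64-decode the body between the BEGIN/END lines before passing it to signature_oid().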