[openssl-users] Problem with x509_verify_certificate

Felipe Gasper felipe at felipegasper.com
Sun Nov 18 03:23:58 UTC 2018


Maybe the set of stored root certificates changed with the update?

Try openssl s_client to debug it?

> On Nov 17, 2018, at 8:57 PM, Ken <OpenSSL at k-h.us> wrote:
> 
> I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP), which uses x509_verify_certificate to check the validity of a certificate on a RDP server.
> 
> Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips  26 Sep 2016") everything works great.
> 
> But, when I upgrade to openSUSE Leap 15.0 (which uses openssl version "1.1.0i-fips  14 Aug 2018") I get an error when connecting to servers that use publicly-signed certificates:
> 
> Certificate details:
>         Subject: OU = Domain Control Validated, CN = owa.xxxxx.com
>         Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
>         Thumbprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> The above X.509 certificate could not be verified, possibly because you do not have
> the CA certificate in your certificate store, or the certificate has expired.
> Please look at the OpenSSL documentation on how to add a private CA to the store.
> Do you trust the above certificate? (Y/T/N) 
> 
> 
> On both versions, strace shows it is checking for /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the correct CA) - but with openssl version "1.1.0i-fips  14 Aug 2018", it never opens that file. (With openssl version "1.0.2j-fips  26 Sep 2016", it does open/read that file, which it seems like it would need to, in order to find out if it matches the certificate.)
> 
> 
> Any idea what changed? (Or, better question, what needs to be changed to make this application work again?)
> 
> 
> Thanks,
> Ken
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
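
The `<hash>.0` file lookup discussed in this thread can be reproduced offline. The script below is an added example, not code from the thread, FreeRDP or OpenSSL; the CA, the leaf certificate, their subject names and the temporary directory are all constructed for the demo. It shows `openssl verify -CApath` failing until the CA is present under the issuer-hash file name.

```shell
#!/bin/sh
# Added example. All subjects, file names and paths here are constructed.

# Print the file name OpenSSL looks for in a hashed CA directory when it
# needs the issuer of the given certificate: <issuer-name-hash>.0
issuer_lookup_name() {
    printf '%s.0\n' "$(openssl x509 -noout -issuer_hash -in "$1")"
}

# Build a throwaway CA and leaf, then verify the leaf against a CApath
# directory before and after the hashed CA file is installed.
# Prints "before=<OK|FAIL> after=<OK|FAIL>".
capath_demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/capath"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Constructed Demo/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=owa.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 2
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null || return 2

    # Empty directory: there is no <hash>.0 file, so no issuer is found.
    if openssl verify -CApath "$d/capath" "$d/leaf.pem" >/dev/null 2>&1
    then before=OK; else before=FAIL; fi

    # Install the CA under the exact name the directory lookup expects.
    cp "$d/ca.pem" "$d/capath/$(issuer_lookup_name "$d/leaf.pem")"
    if openssl verify -CApath "$d/capath" "$d/leaf.pem" >/dev/null 2>&1
    then after=OK; else after=FAIL; fi

    rm -rf "$d"
    echo "before=$before after=$after"
}

capath_demo
```

Running `issuer_lookup_name` on a saved copy of a server certificate gives the file name to look for in the system's hashed CA directory.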