[openssl-users] Problem with x509_verify_certificate
Ken
OpenSSL at k-h.us
Sun Nov 18 05:45:05 UTC 2018
I think that the output from s_client (see attached) says that it
passed, for both versions.
Also, the output from s_client shows it looking for the correct CA file
on both versions (and shows that the file exists), but it only opens the
CA file under openssl version "1.0.2j-fips 26 Sep 2016".
------ Original Message ------
From: Felipe Gasper <felipe at felipegasper.com>
Sent: Sat, 17 Nov 2018 22:23:58 -0500
To: Openssl-users <openssl-users at openssl.org>
Subject: Re: [openssl-users] Problem with x509_verify_certificate
> Maybe the set of stores root certificates changed with the update?
>
> Try openssl s_client to debug it?
>
> On Nov 17, 2018, at 8:57 PM, Ken <OpenSSL at k-h.us> wrote:
>
>> I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP),
>> which uses x509_verify_certificate to check the validity of a
>> certificate on a RDP server.
>>
>> Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips 26
>> Sep 2016") everything works great.
>>
>> But, when I upgrade to openSUSE Leap 15.0 (which uses openssl version
>> "1.1.0i-fips 14 Aug 2018") I get an error when connecting to servers
>> that use publicly-signed certificates:
>>
>> Certificate details:
>> Subject: OU = Domain Control Validated, CN = owa.xxxxx.com
>> Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield
>> Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/,
>> CN = Starfield Secure Certificate Authority - G2
>> Thumbprint:
>> xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
>> The above X.509 certificate could not be verified, possibly because
>> you do not have
>> the CA certificate in your certificate store, or the certificate has
>> expired.
>> Please look at the OpenSSL documentation on how to add a private CA
>> to the store.
>> Do you trust the above certificate? (Y/T/N)
>>
>>
>> On both versions, strace shows it is checking for
>> /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the
>> correct CA) - but with openssl version "1.1.0i-fips 14 Aug 2018", it
>> never opens that file. (With openssl version "1.0.2j-fips 26 Sep
>> 2016", it does open/read that file, which it seems like it would need
>> to, in order to find out if it matches the certificate.)
>>
>>
>> Any idea what changed? (Or, better question, what needs to be changed
>> to make this application work again?)
>>
>>
>> Thanks,
>> Ken
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
openssl s_client -connect owa.xxxxx.com:3389 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = owa.xxxxx.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=owa.xxxxx.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGNDCCBRygAwIBAgIIXFXbiPD1+PYwDQYJKoZIhvcNAQELBQAwgcYxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUw
IwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypo
.
.
.
vpY77wmUtuPlIBBA0vmoLkqm3kLq31Ax9O83BgLCnHUHBfq3UuJSOIjZb9GDzc1L
1r1jePMxklnJFxFMS+D5gJmSNMoOnaop1EtH+8WAsnR16D15mNdtTHEzH106oJaW
KTNa8smgpv+uweIrV68wsctfTK4jMdZXGdIKFy+8sA7T5aRmme0EbFl8Skzc408K
QT7Tk+QwmXU=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=owa.xxxxx.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3419 bytes and written 475 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 941A0000A0B1EEA13483B0FEB706B589A9F209BE3358C3A995C4ED1ED59265EE
Session-ID-ctx:
Master-Key: A08B359932ACFD5B74136EBB8493F324A70C4CE59031174867ECA8FF03D1A34A641E8217823F5CDDCDC5075E6DA37BA7
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1542518377
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
-------------- next part --------------
openssl s_client -connect owa.xxxxx.com:3389 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = owa.xxxxx.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=owa.xxxxx.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGNDCCBRygAwIBAgIIXFXbiPD1+PYwDQYJKoZIhvcNAQELBQAwgcYxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUw
IwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypo
.
.
.
vpY77wmUtuPlIBBA0vmoLkqm3kLq31Ax9O83BgLCnHUHBfq3UuJSOIjZb9GDzc1L
1r1jePMxklnJFxFMS+D5gJmSNMoOnaop1EtH+8WAsnR16D15mNdtTHEzH106oJaW
KTNa8smgpv+uweIrV68wsctfTK4jMdZXGdIKFy+8sA7T5aRmme0EbFl8Skzc408K
QT7Tk+QwmXU=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=owa.xxxxx.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3423 bytes and written 358 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: F43500001034795A9A20EA524CE9866A31A3869DB075988A7B545593FE557EEB
Session-ID-ctx:
Master-Key: 1E07E2347032579D218950FB4DE3A15B7A13831405D44157B948D1237C22F6B8B3AE9204352E980765D5476EAF8220E3
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1542518370
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
DONE
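Added example, not taken from the thread or from FreeRDP: a POSIX shell script that builds a throwaway CA and a leaf it signs (all names and files are constructed placeholders), lays the CA out in the hashed-directory form behind the `/var/lib/ca-certificates/openssl/4bfab552.0` path discussed above, and verifies the leaf with `openssl verify -CApath`. It assumes the `openssl` command-line tool, 1.1.0 or later (for `-no-CAfile`), is on PATH. The check it demonstrates is the one a practitioner wants after `s_client` reports `Verify return code: 0 (ok)`: whether a given directory, consulted on its own, is enough to build the chain.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeRDP): hashed CA directory
# lookup as OpenSSL 1.0.0 and later perform it, verified with the openssl CLI.
set -eu

WORK=$(mktemp -d)            # scratch directory; everything in it is constructed
trap 'rm -rf "$WORK"' EXIT

# 1. A constructed test CA and a leaf signed by it (placeholder names).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/O=Example Test CA/CN=Example Test Root" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=rdp.example.invalid" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# 2. Hashed-directory layout. When building a chain, OpenSSL computes the
#    hash of the issuer name it is looking for and opens <hash>.0, <hash>.1,
#    ... in each -CApath directory. -subject_hash prints the hash used by
#    1.0.0 and later; -subject_hash_old prints the pre-1.0.0 (MD5-based) one,
#    which newer releases never look for.
build_capath() {
    mkdir -p "$WORK/capath"
    hash=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
    ln -s "$WORK/ca.pem" "$WORK/capath/$hash.0"
    echo "$hash"
}

# 3. Verify the leaf using only the given directory (no default CA file),
#    returning 0 when the chain builds and 1 otherwise.
verify_leaf() {
    openssl verify -no-CAfile -CApath "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_test_pki
HASH=$(build_capath)
echo "CA installed as $HASH.0 in $WORK/capath"
if verify_leaf "$WORK/capath"; then
    echo "leaf verifies against the hashed directory"
fi
# Same CA, but the directory OpenSSL is told to use has no <hash>.0 link:
# the lookup finds nothing and verification fails.
mkdir -p "$WORK/empty"
if ! verify_leaf "$WORK/empty"; then
    echo "leaf does not verify when the directory lacks $HASH.0"
fi
```

For a real directory, `openssl rehash` (1.1.0 and later) or the older `c_rehash` script creates the `<hash>.N` links in bulk. Comparing `openssl x509 -noout -subject_hash` and `-subject_hash_old` for the CA in question shows whether a directory was populated for the pre-1.0.0 naming scheme, which a 1.0.x or 1.1.x library ignores; in the thread the file name already matches the new scheme, so that particular mismatch is not the cause there.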