[openssl-users] Problem with x509_verify_certificate

Ken OpenSSL at k-h.us
Mon Nov 19 06:03:23 UTC 2018


"c_rehash" did not make any difference.



------ Original Message ------
From: Viktor Dukhovni <openssl-users at dukhovni.org>
Sent: Sun, 18 Nov 2018 00:54:46 -0500
To: Openssl-users <openssl-users at openssl.org>

Subject: Re: [openssl-users] Problem with x509_verify_certificate
> I would suggest running "c_rehash" on the directory, making sure it is
> the c_rehash for OpenSSL 1.1.x, and not some other version.
>
>> On Nov 17, 2018, at 8:57 PM, Ken <OpenSSL at k-h.us> wrote:
>>
>> On both versions, strace shows it is checking for /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the correct CA) - but with openssl version "1.1.0i-fips  14 Aug 2018", it never opens that file. (With openssl version "1.0.2j-fips  26 Sep 2016", it does open/read that file, which it seems like it would need to, in order to find out if it matches the certificate.)
>>
>> Any idea what changed? (Or, better question, what needs to be changed to make this application work again?)
> The way that DN hashes are computed changed from 0.9.8 to 1.0.0, but IIRC then
> remained stable, so I would not expect a change between 1.0.2 and 1.1.0.
>
> It is difficult to offer more help without copies of the certificates in question.
>
> The main change between 1.1.0 and 1.0.2 is that "trusted_first" is now
> the default behaviour and cannot be changed.  This means that intermediate
> certificates supplied with the peer chain are used only when no issuer is
> present in the trust store.  This can lead to a different chain being
> computed in some cases.
>

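The hashed-filename lookup and c_rehash step discussed in the thread, as an added shell example that is not part of the original messages: it builds a throwaway CA and a leaf it signs, links the CA under the `<subject_hash>.0` name the library searches for (the same form as the 4bfab552.0 file in the strace), and verifies against that directory alone. It assumes an openssl 1.1.x-or-later CLI on PATH (for `-no-CAfile`/`-no-CApath`); all file names and subject names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl 1.1.x or later on PATH.
set -eu

# Build a one-day test CA and a leaf it signs inside DIR (constructed names).
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
}

# Minimal c_rehash: link every PEM in CAPATH as <subject_hash>.N, where N is
# bumped when two CAs share a subject hash. The library only ever opens files
# with this name pattern; a CA that is present but not linked is invisible.
rehash_dir() {
    capath=$1
    for pem in "$capath"/*.pem; do
        hash=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        while [ -e "$capath/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$capath/$hash.$n"
    done
}

# The file name a 1.0.0+ library looks for. If a directory was hashed by a
# 0.9.8 c_rehash, compare against `openssl x509 -noout -subject_hash_old`.
expected_link_name() {
    echo "$(openssl x509 -noout -subject_hash -in "$1").0"
}

# Exit status 0 only when LEAF chains to a CA found by hash lookup in CAPATH;
# the default CAfile/CApath are disabled so nothing else can satisfy the chain.
verify_with_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" >/dev/null 2>&1
}
```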