[openssl-users] Problem with x509_verify_certificate

Ken OpenSSL at k-h.us
Mon Nov 19 06:15:58 UTC 2018


There are no stale intermediate certificates on my computer.

(This was a fresh install, on a new drive. I should have never said 
"upgrade".)

Also, strace shows that it is looking for the correct CA certificate 
(/var/lib/ca-certificates/openssl/4bfab552.0), and being told that it 
exists - but with the newer version of openssl, it never tries to open 
the CA certificate (the older version does).



------ Original Message ------
From: Viktor Dukhovni <openssl-users at dukhovni.org>
Sent: Sun, 18 Nov 2018 01:00:50 -0500
To: Openssl-users <openssl-users at openssl.org>

Subject: Re: [openssl-users] Problem with x509_verify_certificate
> Most likely there's a stale (expired) copy of the intermediate certificate in
> question in the trust store, but the peer (server) sent an unexpired version
> in the handshake.  The solution is to remove the stale intermediate from
> the trust store.
>
>> On Nov 17, 2018, at 8:57 PM, Ken <OpenSSL at k-h.us> wrote:
>>
>> I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP), which uses x509_verify_certificate to check the validity of a certificate on a RDP server.
>>
>> Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips  26 Sep 2016") everything works great.
>>
>> But, when I upgrade to openSUSE Leap 15.0 (which uses openssl version "1.1.0i-fips  14 Aug 2018") I get an error when connecting to servers that use publicly-signed certificates:
>>
>> Certificate details:
>>          Subject: OU = Domain Control Validated, CN = owa.xxxxx.com
>>          Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU =http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
>>          Thumbprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
>> The above X.509 certificate could not be verified, possibly because you do not have
>> the CA certificate in your certificate store, or the certificate has expired.
>> Please look at the OpenSSL documentation on how to add a private CA to the store.
>> Do you trust the above certificate? (Y/T/N)
>>
>>
>> On both versions, strace shows it is checking for /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the correct CA) - but with openssl version "1.1.0i-fips  14 Aug 2018", it never opens that file. (With openssl version "1.0.2j-fips  26 Sep 2016", it does open/read that file, which it seems like it would need to, in order to find out if it matches the certificate.)
>>
>>
>> Any idea what changed? (Or, better question, what needs to be changed to make this application work again?)
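Viktor's diagnosis above is that a stale (expired) copy of the intermediate sits in the CApath trust store next to the current copy the server sends, and that the fix is to remove the stale entry. The following is an added example, not code from this thread, FreeRDP or OpenSSL: a standard-library-only Python audit that walks a CApath directory such as /var/lib/ca-certificates/openssl, decodes each certificate's validity and subject with a minimal DER reader, and reports entries that have expired as well as subjects present more than once. The sample store, its file names and the unsigned certificate skeletons it builds are constructed for the demo (the hash value in the names is the one from the thread, reused only as a label); the subject grouping key is a SHA-256 of the raw DER subject, not OpenSSL's subject-hash file name.

```python
# Stdlib-only audit of an OpenSSL CApath trust store: flags expired entries and duplicate subjects.
import base64, hashlib, os, tempfile
from datetime import datetime, timezone

PEM_BEGIN, PEM_END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def read_tlv(buf, pos):  # one DER tag/length/value -> (tag, value, next_pos)
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def parse_time(tag, value):  # UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)
    text = value.decode("ascii")
    if tag == 0x17:                       # RFC 5280 pivot: YY >= 50 -> 19YY, else 20YY
        yy = int(text[:2])
        text = f"{yy + (1900 if yy >= 50 else 2000)}{text[2:]}"
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(der):  # -> (subject DER, notBefore, notAfter)
    _, cert, _ = read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = read_tlv(cert, 0)         # TBSCertificate
    tag, _, pos = read_tlv(tbs, 0)        # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = read_tlv(tbs, pos)    # serialNumber
    _, _, pos = read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)        # issuer Name
    _, validity, pos = read_tlv(tbs, pos) # Validity ::= SEQUENCE { notBefore, notAfter }
    _, subject, _ = read_tlv(tbs, pos)    # subject Name, kept as raw DER for grouping
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return subject, parse_time(t1, nb), parse_time(t2, na)

def load_file(path):  # yield DER certs from a PEM bundle (any count) or a single DER file
    with open(path, "rb") as f:
        data = f.read()
    if PEM_BEGIN not in data:             # raw DER file: the loop below is then skipped
        yield data
    b = data.find(PEM_BEGIN)
    while b >= 0:
        e = data.find(PEM_END, b)
        yield base64.b64decode(b"".join(data[b + len(PEM_BEGIN):e].split()))
        data = data[e + len(PEM_END):]
        b = data.find(PEM_BEGIN)

def audit_certs(items, now=None):  # items: (label, der) pairs
    now = now or datetime.now(timezone.utc)
    expired, by_subject = [], {}
    for label, der in items:
        subject, _, not_after = parse_cert(der)
        if not_after < now:
            expired.append(label)
        key = hashlib.sha256(subject).hexdigest()[:16]   # grouping key; NOT OpenSSL's subject_hash
        by_subject.setdefault(key, []).append(label)
    return {"expired": expired,
            "duplicates": {k: v for k, v in by_subject.items() if len(v) > 1}}

def audit_dir(path, now=None):  # audit every regular file in a CApath directory
    items = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            items += [(f"{name}#{i}", der) for i, der in enumerate(load_file(full))]
    return audit_certs(items, now)

# ---- constructed sample: unsigned certificate skeletons, not real certificates ----
def tlv(tag, content):  # DER-encode one element, long-form length when needed
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def fake_cert(cn, not_before, not_after):  # only the fields parse_cert reads are filled in
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))  # CN=cn
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")                 # v3, serial 1
           + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))    # sha256WithRSA
           + name + tlv(0x30, tlv(0x17, not_before) + tlv(0x17, not_after))  # issuer, validity
           + name + tlv(0x30, b""))                                           # subject, SPKI stub
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

SAMPLE_STORE = [  # hashed-dir style file names; the hash value is the one from the thread
    ("4bfab552.0", fake_cert(b"Example Intermediate CA", b"150101000000Z", b"171231235959Z")),
    ("4bfab552.1", fake_cert(b"Example Intermediate CA", b"170101000000Z", b"271231235959Z")),
    ("0123abcd.0", fake_cert(b"Example Root CA", b"100101000000Z", b"301231235959Z")),
]
THREAD_DATE = datetime(2018, 11, 19, tzinfo=timezone.utc)   # "now" for the demo

def audit_sample_dir():  # write the sample as PEM files into a temp CApath and audit it from disk
    d = tempfile.mkdtemp()
    for name, der in SAMPLE_STORE:
        with open(os.path.join(d, name), "wb") as f:
            f.write(PEM_BEGIN + b"\n" + base64.encodebytes(der) + PEM_END + b"\n")
    return audit_dir(d, now=THREAD_DATE)
```

Against the constructed store, as of the thread's date, `audit_certs(SAMPLE_STORE, now=THREAD_DATE)` lists `4bfab552.0` as expired and groups `4bfab552.0` with `4bfab552.1` under one subject, which is exactly the "stale copy next to a current copy" situation to look for; on a real system call `audit_dir("/var/lib/ca-certificates/openssl")` (or the distribution's CApath) and, for each flagged entry, confirm with `openssl x509 -in FILE -noout -subject -enddate` before removing it from the store.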
