certificate verification error OpenSSL 1.1.1

Dmitry Belyavsky beldmit at gmail.com
Mon Mar 2 09:06:32 UTC 2020


First, I recommend you not hurry :)

Second, the validation procedures have changed between 1.0.2 and 1.1.1,
1.1.1 checks more strictly.
E.g., a self-signed certificate without "CA:TRUE" will be treated as a valid
CA cert in 1.0.2 but not as valid in 1.1.1.



On Mon, Mar 2, 2020 at 12:01 PM shiva kumar <shivakumar2696 at gmail.com>
wrote:

> Hi,
> Please help me, is this an expected behavior?
>
> On Mon, Mar 2, 2020 at 1:48 PM shiva kumar <shivakumar2696 at gmail.com>
> wrote:
>
>> When I tried to verify the self-signed certificate in OpenSSL 1.0.2,
>> it gave error 18 and gave OK as output. When I tried the same with
>> OpenSSL 1.1.1, there is a slight change in the behavior: it also gives the
>> same error, but instead of OK it gives a different error, "*ca.crt:
>> verification failed*", as follows.
>>
>>
>>
>> *in OpenSSL 1.0.2*
>>
>> openssl verify ./ca.crt
>>
>> *error 18* at 0 depth lookup:self signed certificate
>>
>> *OK*
>>
>>
>> *in OpenSSL 1.1.1*
>>
>> openssl verify ./ca.crt
>>
>> *error 18* at 0 depth lookup:self signed certificate
>>
>> *error /tmp/1.1/conf/ssl.crt/ca.crt: verification failed*
>>
>> # echo $?
>>
>> 2
>>
>>
>> Why am I getting this error? Is this an expected behavior in OpenSSL 1.1.1?
>>
>> Please answer my question.
>>
>>
>>
>>
>> --
>> *With Best Regards*
>> *Shivakumar S*
>>
>
>
> --
> *With Best Regards*
> *Shivakumar S*
>


-- 
SY, Dmitry Belyavsky
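
An added example, not part of the original thread: a script that builds a throwaway self-signed CA, checks it for `CA:TRUE`, and compares the exit status of the bare `openssl verify` call from the question with a call that names the certificate as its own trust anchor via `-CAfile`. The file names, the CN and the helper function names are constructed, and the script assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example: every file name and the CN below are constructed.
# Assumes OpenSSL 1.1.1 or later on PATH.

# Write a throwaway self-signed CA (CA:TRUE) to $1/ca.key and $1/ca.crt.
make_selfsigned_ca() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed-example-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Print "yes" if the certificate carries basicConstraints CA:TRUE.
is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# Print the exit status of the command from the thread: no trust anchor given.
verify_bare() {
    rc=0
    openssl verify "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Print the exit status when the certificate is named as its own trust anchor.
verify_anchored() {
    rc=0
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

dir=$(mktemp -d)
make_selfsigned_ca "$dir"
echo "CA:TRUE present:                   $(is_ca "$dir/ca.crt")"
echo "openssl verify ca.crt:             exit $(verify_bare "$dir/ca.crt")"
echo "openssl verify -CAfile ca.crt ...: exit $(verify_anchored "$dir/ca.crt")"
rm -rf "$dir"
```

Scripts that relied on the 1.0.2 exit status of `openssl verify` should be re-checked, since the bare call now exits non-zero for a self-signed certificate that is not in the trust store.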