<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body smarttemplateinserted="true">
I use an application, FreeRDP (<a class="moz-txt-link-freetext" href="https://github.com/FreeRDP/FreeRDP">https://github.com/FreeRDP/FreeRDP</a>),
which uses x509_verify_certificate to check the validity of a
certificate on an RDP server.<br>
<br>
Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips
26 Sep 2016") everything works great.<br>
<br>
But, when I upgrade to openSUSE Leap 15.0 (which uses openssl
version "1.1.0i-fips 14 Aug 2018") I get an error when connecting
to servers that use publicly-signed certificates:<br>
<br>
<font face="Courier New, Courier, monospace">Certificate details:<br>
Subject: OU = Domain Control Validated, CN = owa.xxxxx.com<br>
Issuer: C = US, ST = Arizona, L = Scottsdale, O =
"Starfield Technologies, Inc.", OU =
<a class="moz-txt-link-freetext" href="http://certs.starfieldtech.com/repository/">http://certs.starfieldtech.com/repository/</a>, CN = Starfield Secure
Certificate Authority - G2<br>
Thumbprint:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx<br>
The above X.509 certificate could not be verified, possibly
because you do not have<br>
the CA certificate in your certificate store, or the certificate
has expired.<br>
Please look at the OpenSSL documentation on how to add a private
CA to the store.<br>
Do you trust the above certificate? (Y/T/N) <br>
</font><br>
<br>
On both versions, strace shows it is checking for
/var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is
the correct CA) - but with openssl version "1.1.0i-fips 14 Aug
2018", it never opens that file. (With openssl version "1.0.2j-fips
26 Sep 2016", it does open/read that file, which it seems like it
would need to, in order to find out if it matches the certificate.)<br>
<br>
<br>
Any idea what changed? (Or, better question, what needs to be
changed to make this application work again?)<br>
<br>
<br>
Thanks,<br>
Ken<br>
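<br>
Added example (not part of the message above, and not FreeRDP or OpenSSL project code): the 4bfab552.0 name in the strace output follows OpenSSL's hashed CA directory convention, in which the file name is the hash of the issuer name plus a ".0" suffix. The script below reproduces that lookup with openssl verify -CApath; the CA, the leaf certificate and all function names are constructed for the illustration.<br>

```shell
#!/bin/sh
# Added example. The CA and server certificate are constructed test data.

# make_demo_pki DIR: create a throwaway CA and a leaf certificate it signs.
make_demo_pki() {
    d=$1
    # Minimal config so the CA gets basicConstraints CA:TRUE on any build.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
        '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -config "$d/ca.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=rdp.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# expected_ca_file CERT: name OpenSSL looks for in a hashed CA directory
# when it needs the issuer of CERT (issuer-name hash plus ".0").
expected_ca_file() {
    echo "$(openssl x509 -in "$1" -noout -issuer_hash).0"
}

# verify_with_capath CERT CADIR: succeeds only if openssl reports "CERT: OK".
# The constructed CA is in no system store, so only CADIR can supply it.
verify_with_capath() {
    openssl verify -CApath "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# hashed_lookup_demo: prints the verify result before and after the
# issuer-hash file is placed in the directory.
hashed_lookup_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/cadir"
    make_demo_pki "$work" || { rm -rf "$work"; return 1; }
    if verify_with_capath "$work/leaf.pem" "$work/cadir"; then before=ok; else before=fail; fi
    cp "$work/ca.pem" "$work/cadir/$(expected_ca_file "$work/leaf.pem")"
    if verify_with_capath "$work/leaf.pem" "$work/cadir"; then after=ok; else after=fail; fi
    rm -rf "$work"
    echo "$before $after"
}

hashed_lookup_demo
```

Running the same openssl verify -CApath check against /var/lib/ca-certificates/openssl with the server's certificate shows whether the directory lookup resolves the issuer outside FreeRDP.<br>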
</body>
</html>