<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">Maybe the set of stored root certificates changed with the update?</div><div dir="ltr"><br></div><div dir="ltr">Try openssl s_client to debug it?</div><div dir="ltr"><br>On Nov 17, 2018, at 8:57 PM, Ken &lt;<a href="mailto:OpenSSL@k-h.us">OpenSSL@k-h.us</a>&gt; wrote:<br><br></div><blockquote type="cite"><div dir="ltr">
I use an application, FreeRDP (<a class="moz-txt-link-freetext" href="https://github.com/FreeRDP/FreeRDP">https://github.com/FreeRDP/FreeRDP</a>),
which uses x509_verify_certificate to check the validity of a
certificate on an RDP server.<br>
<br>
Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips
26 Sep 2016") everything works great.<br>
<br>
But, when I upgrade to openSUSE Leap 15.0 (which uses openssl
version "1.1.0i-fips 14 Aug 2018") I get an error when connecting
to servers that use publicly-signed certificates:<br>
<br>
<font face="Courier New, Courier, monospace">Certificate details:<br>
Subject: OU = Domain Control Validated, CN = <a href="http://owa.xxxxx.com">owa.xxxxx.com</a><br>
Issuer: C = US, ST = Arizona, L = Scottsdale, O =
"Starfield Technologies, Inc.", OU =
<a class="moz-txt-link-freetext" href="http://certs.starfieldtech.com/repository/">http://certs.starfieldtech.com/repository/</a>, CN = Starfield Secure
Certificate Authority - G2<br>
Thumbprint:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx<br>
The above X.509 certificate could not be verified, possibly
because you do not have<br>
the CA certificate in your certificate store, or the certificate
has expired.<br>
Please look at the OpenSSL documentation on how to add a private
CA to the store.<br>
Do you trust the above certificate? (Y/T/N) <br>
</font><br>
<br>
On both versions, strace shows it is checking for
/var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is
the correct CA) - but with openssl version "1.1.0i-fips 14 Aug
2018", it never opens that file. (With openssl version "1.0.2j-fips
26 Sep 2016", it does open/read that file, which it seems like it
would need to, in order to find out if it matches the certificate.)<br>
<br>
<br>
Any idea what changed? (Or, better question, what needs to be
changed to make this application work again?)<br>
<br>
<br>
Thanks,<br>
Ken<br>
</div></blockquote></body></html>