<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body smarttemplateinserted="true">
<div id="smartTemplate4-template">I think that the output from
s_client (see attached) says that it passed, for both versions.<br>
<br>
Also, the output from s_client shows it looking for the correct CA
file on both versions (and shows that the file exists), but it
only opens the CA file under openssl version "1.0.2j-fips 26 Sep
2016".</div>
<br>
<br>
<br>
<div id="smartTemplate4-quoteHeader">------ Original Message ------<br>
From: Felipe Gasper <a class="moz-txt-link-rfc2396E" href="mailto:felipe@felipegasper.com"><felipe@felipegasper.com></a><br>
Sent: Sat, 17 Nov 2018 22:23:58 -0500<br>
To: Openssl-users <a class="moz-txt-link-rfc2396E" href="mailto:openssl-users@openssl.org"><openssl-users@openssl.org></a><br>
<br>
Subject: Re: [openssl-users] Problem with x509_verify_certificate<br>
</div>
<blockquote type="cite"
cite="mid:29E3BAA3-EC0A-4D31-A8CB-E05639C8B81E@felipegasper.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Maybe the set of stored root certificates changed
with the update?</div>
<div dir="ltr"><br>
</div>
<div dir="ltr">Try openssl s_client to debug it?</div>
<div dir="ltr"><br>
On Nov 17, 2018, at 8:57 PM, Ken <<a
href="mailto:OpenSSL@k-h.us" moz-do-not-send="true">OpenSSL@k-h.us</a>>
wrote:<br>
<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
I use an application, FreeRDP (<a
class="moz-txt-link-freetext"
href="https://github.com/FreeRDP/FreeRDP"
moz-do-not-send="true">https://github.com/FreeRDP/FreeRDP</a>),
which uses x509_verify_certificate to check the validity of a
certificate on a RDP server.<br>
<br>
Under openSUSE Leap 42.3 (which uses openssl version
"1.0.2j-fips 26 Sep 2016") everything works great.<br>
<br>
But, when I upgrade to openSUSE Leap 15.0 (which uses openssl
version "1.1.0i-fips 14 Aug 2018") I get an error when
connecting to servers that use publicly-signed certificates:<br>
<br>
<font face="Courier New, Courier, monospace">Certificate
details:<br>
Subject: OU = Domain Control Validated, CN = <a
href="http://owa.xxxxx.com" moz-do-not-send="true">owa.xxxxx.com</a><br>
Issuer: C = US, ST = Arizona, L = Scottsdale, O =
"Starfield Technologies, Inc.", OU = <a
class="moz-txt-link-freetext"
href="http://certs.starfieldtech.com/repository/"
moz-do-not-send="true">http://certs.starfieldtech.com/repository/</a>,
CN = Starfield Secure Certificate Authority - G2<br>
Thumbprint:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx<br>
The above X.509 certificate could not be verified, possibly
because you do not have<br>
the CA certificate in your certificate store, or the
certificate has expired.<br>
Please look at the OpenSSL documentation on how to add a
private CA to the store.<br>
Do you trust the above certificate? (Y/T/N) <br>
</font><br>
<br>
On both versions, strace shows it is checking for
/var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and
is the correct CA) - but with openssl version "1.1.0i-fips 14
Aug 2018", it never opens that file. (With openssl version
"1.0.2j-fips 26 Sep 2016", it does open/read that file, which
it seems like it would need to, in order to find out if it
matches the certificate.)<br>
<br>
<br>
Any idea what changed? (Or, better question, what needs to be
changed to make this application work again?)<br>
<br>
<br>
Thanks,<br>
Ken<br>
</div>
</blockquote>
<blockquote type="cite">
<div dir="ltr"><span>-- </span><br>
<span>openssl-users mailing list</span><br>
<span>To unsubscribe: <a
href="https://mta.openssl.org/mailman/listinfo/openssl-users"
moz-do-not-send="true">https://mta.openssl.org/mailman/listinfo/openssl-users</a></span><br>
</div>
</blockquote>
<br>
</blockquote>
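<div>Added example, not code from this thread, from FreeRDP or from OpenSSL: a POSIX shell helper that reproduces the trust-store lookup under discussion. OpenSSL resolves a certificate's issuer by hashing the issuer name and probing &lt;hash&gt;.0, &lt;hash&gt;.1, ... in the CA directory (the 4bfab552.0 file seen in the strace output), so the script computes that hash for a leaf certificate, checks that the matching file in a given CApath really carries the expected subject, runs openssl verify against that directory alone, and fetches a server's leaf certificate with s_client as suggested above. It assumes an openssl command line of version 1.1.0 or later on PATH; the certificate and directory paths are caller-supplied placeholders, not values from the thread.</div>

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeRDP/OpenSSL.
# Diagnoses the CApath lookup discussed above: OpenSSL resolves an issuer by
# hashing the subject name and looking for <hash>.0, <hash>.1, ... in the
# CA directory (the 4bfab552.0 file seen in the strace output).
# Assumes the openssl CLI (1.1.0 or later) is on PATH; all paths are
# arguments chosen by the caller, not values taken from the thread.

# Hash OpenSSL will use to look up the issuer of the leaf certificate $1.
issuer_hash_of() {
    openssl x509 -in "$1" -noout -issuer_hash
}

# Locate the hashed CA file for leaf $1 in directory $2.
# Prints the path and returns 0 when a candidate <hash>.N exists whose
# subject equals the leaf's issuer; returns 1 when no such file exists.
find_issuer_in_capath() {
    leaf="$1"; capath="$2"
    hash="$(issuer_hash_of "$leaf")"
    want="$(openssl x509 -in "$leaf" -noout -issuer | sed 's/^issuer= *//')"
    i=0
    while [ "$i" -le 9 ]; do
        candidate="$capath/$hash.$i"
        [ -r "$candidate" ] || break     # OpenSSL also stops at the first gap
        have="$(openssl x509 -in "$candidate" -noout -subject | sed 's/^subject= *//')"
        if [ "$have" = "$want" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Verify leaf $1 against directory $2 only (default CA file disabled),
# the check an X509_verify_cert call with a store loaded from that path makes.
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}

# Fetch a TLS server's leaf certificate with s_client, the debugging step
# suggested in the thread. Needs network access; $3 is the output file.
fetch_leaf_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$3"
}

# Usage: sh capath_check.sh LEAF.pem /path/to/capath
if [ "$#" -eq 2 ]; then
    if f="$(find_issuer_in_capath "$1" "$2")"; then
        echo "issuer found via hashed lookup: $f"
    else
        echo "no hashed CA file for issuer hash $(issuer_hash_of "$1") in $2"
    fi
    if verify_with_capath "$1" "$2"; then echo "verify: OK"; else echo "verify: FAILED"; fi
fi
```

<div>The script compares the subject inside the hashed file with the leaf's issuer instead of only testing that the file exists, because a file that is present but holds a different certificate (a stale copy left behind after an upgrade, for instance) shows up in strace yet can never complete the chain. It also stops probing at the first missing index, as OpenSSL's directory lookup does, so a gap such as a missing .0 next to an existing .1 hides the later file.</div>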
<br>
</body>
</html>