[openssl-dev] [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text

Matt Bogosian via RT rt at openssl.org
Wed Aug 5 01:06:41 UTC 2015


Hi Steve,

I've attached three certificate collections: two that fail (where subject == issuer) and one that works around the problem (where subject != issuer). In my personal testing (on OS X), OpenSSL 0.9.8zd (installed by the OS) works on all three collections, whereas OpenSSL 1.0.2d (installed via MacPorts) fails on the fail*.tar.gz ones. You can see the problem with the following:

% tar xpvf ~/Desktop/fail1.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
> -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=Boot2Docker
verify return:1
depth=0 /O=Boot2Docker
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # fails
depth=0 O = Boot2Docker
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Boot2Docker
verify error:num=21:unable to verify the first certificate
verify return:1
...
% tar xpvf ~/Desktop/fail2.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
> -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=b2d
verify return:1
depth=0 /O=b2d
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # fails
depth=0 O = b2d
verify error:num=18:self signed certificate
verify return:1
depth=0 O = b2d
verify error:num=21:unable to verify the first certificate
verify return:1
...
% tar xpvf ~/Desktop/succ.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
> -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=Boot2DockerCA
verify return:1
depth=0 /O=Boot2Docker
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 O = Boot2DockerCA
verify return:1
depth=0 O = Boot2Docker
verify return:1
...


    —Matt


On Aug 4, 2015, at 17:05, Stephen Henson via RT <rt at openssl.org> wrote:

> On Tue Aug 04 18:25:25 2015, matt at bogosian.net wrote:
>> 
>> Please let me know if you have any questions, and I'd be happy to
>> elaborate.
>> 
> 
> Can you attach examples of the two certificates (EE and CA) that exhibit this
> problem?
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org



-------------- next part --------------
A non-text attachment was scrubbed...
Name: fail1.tar.gz
Type: application/x-gzip
Size: 6231 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150805/a674c401/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fail2.tar.gz
Type: application/x-gzip
Size: 6037 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150805/a674c401/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: succ.tar.gz
Type: application/x-gzip
Size: 6177 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150805/a674c401/attachment-0005.bin>