[openssl-dev] [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text
Stephen Henson via RT
rt at openssl.org
Wed Aug 5 11:32:18 UTC 2015
On Wed Aug 05 01:06:40 2015, matt at bogosian.net wrote:
> Hi Steve,
>
> I've attached three certificate collections: two that fail (where
> subject == issuer) and one that works around the problem (where
> subject != issuer).
OK, thanks for the examples. The bug is that OpenSSL 1.0.2 is less strict about
what counts as a valid self-signed certificate. Before 1.0.2 the certificate
had to have issuer and subject matching, AKID == SKID if present, and
keyUsage (if present) had to include keyCertSign. For 1.0.2 and later the
keyCertSign check is no longer present.
The attached patch should fix it. Let me know if it works for you.
A workaround (other than making subject != issuer) is to include SKID/AKID in
all certificates.
Regards, Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diffs.ss
Type: application/octet-stream
Size: 896 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150805/1a98168f/attachment.obj>
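As an added illustration (not Steve's patch and not OpenSSL's own code), here are the two self-signed tests described in the reply, modelled over just the fields they inspect, run against constructed certificates: a CA and a leaf sharing the same subject/issuer text with no key identifiers (the failing case), and the same leaf with the SKID/AKID workaround. The field names, DN text and key identifier bytes are assumptions; the model compares AKID with SKID only when both are present.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of the certificate fields the self-signed test looks at.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    skid: Optional[bytes] = None               # Subject Key Identifier, if present
    akid: Optional[bytes] = None               # Authority Key Identifier (keyid), if present
    key_usage: Optional[FrozenSet[str]] = None # None means the extension is absent

def names_and_key_ids_match(c: Cert) -> bool:
    """Shared part of both tests: issuer == subject, and AKID == SKID when both exist."""
    if c.subject != c.issuer:
        return False
    if c.akid is not None and c.skid is not None and c.akid != c.skid:
        return False
    return True

def is_self_signed_pre_102(c: Cert) -> bool:
    """Stricter pre-1.0.2 test: keyUsage, if present, must include keyCertSign."""
    if not names_and_key_ids_match(c):
        return False
    return c.key_usage is None or "keyCertSign" in c.key_usage

def is_self_signed_102(c: Cert) -> bool:
    """1.0.2 test: the keyCertSign requirement is gone."""
    return names_and_key_ids_match(c)

def misclassified_as_anchor(c: Cert) -> bool:
    """True when 1.0.2 treats a certificate as self-signed but the older test would not."""
    return is_self_signed_102(c) and not is_self_signed_pre_102(c)

def classify(chain: List[Cert]) -> List[Tuple[str, bool, bool]]:
    """For each certificate: (subject, self-signed under <1.0.2, self-signed under 1.0.2)."""
    return [(c.subject, is_self_signed_pre_102(c), is_self_signed_102(c)) for c in chain]

# Constructed sample data: CA and leaf share the same DN text, as in the ticket.
SAME_DN = "CN=Example Org"
CA_KEYID, LEAF_KEYID = b"\x01" * 4, b"\x02" * 4
ca = Cert(SAME_DN, SAME_DN, key_usage=frozenset({"keyCertSign", "cRLSign"}))
leaf_no_ids = Cert(SAME_DN, SAME_DN, key_usage=frozenset({"digitalSignature"}))
# Workaround from the reply: SKID/AKID in every certificate makes AKID != SKID on the leaf.
leaf_with_ids = Cert(SAME_DN, SAME_DN, skid=LEAF_KEYID, akid=CA_KEYID,
                     key_usage=frozenset({"digitalSignature"}))

if __name__ == "__main__":
    for subject, old, new in classify([ca, leaf_no_ids, leaf_with_ids]):
        print(f"{subject}: pre-1.0.2 self-signed={old}, 1.0.2 self-signed={new}")
```

The leaf without key identifiers is the case the ticket reports: 1.0.2 takes it for a self-signed anchor and stops building the chain, while adding SKID/AKID restores the expected result under both rules.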