[openssl-dev] Cannot verify self-signed certificates?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Tue Dec 15 20:04:45 UTC 2015


It appears that openssl verify refuses to deal with self-signed
certificates? Is it the expected/intended behavior? I can easily imagine
circumstances when a user would be happy with a “partial” validation, i.e.
with validating as much as practically possible – like consistency,
correctness of the options/extensions encoding, expiration dates, etc. So if
this is intended, I’d like to ask to relax this, or to at least make it
possible (via an appropriate option/flag) to validate self-signed certs as
far as possible.

Here’s what I get:

$ openssl verify -verbose -purpose sslclient -purpose smimesign test2.pem
test2.pem: CN = test2, C = US
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl x509 -noout -text -inform PEM -in test2.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=test2, C=US
        Validity
            Not Before: Dec 15 19:56:58 2015 GMT
            Not After : Dec 14 19:56:58 2016 GMT
        Subject: CN=test2, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b1:9a:8f:d8:79:41:f0:8b:26:ab:f8:3c:b3:a0:
                    af:e6:a9:31:1c:de:78:5a:18:08:d4:31:9d:9f:4a:
                    6e:53:9c:4c:e2:cf:13:09:13:71:12:62:37:b4:08:
                    88:33:ab:09:55:35:25:85:e0:eb:84:4a:8a:24:60:
                    66:9c:17:df:d1:f9:e2:67:e7:c1:6b:9f:33:83:82:
                    56:ac:98:33:0b:c5:42:bc:91:61:85:4e:42:25:4a:
                    92:fb:d9:cb:55:6d:94:7d:6b:12:46:18:24:d1:0e:
                    eb:42:17:31:4c:cd:a7:6c:9c:35:c4:32:6a:06:00:
                    f2:c2:48:aa:d0:f0:31:5d:53:29:97:49:4b:73:a4:
                    a6:8d:36:58:28:1b:65:ad:f7:99:10:17:b0:2c:5b:
                    2e:44:1c:17:2e:50:9c:80:17:ff:74:1c:d0:3c:6c:
                    58:61:f6:3b:df:5e:1d:5b:df:93:7d:9f:a4:bc:d8:
                    89:0d:db:a4:4e:7d:ac:da:6d:c5:ff:25:19:63:c6:
                    6e:23:81:f2:83:ce:bc:2d:fe:7a:77:98:49:2b:0f:
                    d7:de:b1:88:90:b7:08:09:7c:6c:a3:8e:96:60:12:
                    8e:3d:79:c6:70:44:46:a1:7b:4a:26:03:c7:20:f3:
                    d3:4c:b8:76:38:d1:13:7a:3c:d7:3b:b4:88:d0:83:
                    d7:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage:
                E-mail Protection, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                email:tihs at house.com
    Signature Algorithm: sha256WithRSAEncryption
         06:c0:93:cf:03:3e:1e:3b:c3:41:70:9f:3e:e7:12:a9:ca:af:
         77:17:c9:b1:46:4d:31:13:7d:45:91:64:6b:c1:ae:32:90:5b:
         c6:12:06:75:32:e8:c3:c4:8e:29:12:08:ab:34:5d:ce:70:80:
         29:fe:12:3d:9e:32:e6:73:32:39:09:07:2c:62:88:45:c8:cc:
         9d:97:e7:26:4c:63:ca:3f:3a:79:4c:48:04:05:50:3f:b9:4a:
         45:c6:64:8f:e5:1d:44:4d:9e:6a:41:03:d7:58:d1:a3:21:44:
         01:a5:db:62:fa:9a:fd:9c:02:22:63:8b:20:a4:a1:d8:35:b6:
         85:f9:6f:a5:7d:2c:75:f2:17:f3:d2:8e:41:57:3d:55:ef:6f:
         01:06:a7:26:d1:e3:8e:cd:b1:6e:7f:3a:57:52:76:15:f7:38:
         6d:cb:0c:ae:4e:dd:a1:fa:e6:a1:8c:09:56:b3:40:e3:0c:db:
         ad:60:ca:1d:f8:d6:d8:d5:f6:57:62:41:2b:cc:67:10:34:93:
         cb:0b:53:b9:57:fb:a0:46:46:18:a6:3e:d7:23:2b:82:ca:92:
         db:66:82:ee:c3:94:b5:4c:2a:3b:f1:9d:d1:4b:09:89:a3:2f:
         2e:18:c9:83:64:b7:6b:62:c5:42:4d:76:f5:62:6b:33:50:8c:
         e5:73:82:bf

$ cat test2.pem
-----BEGIN CERTIFICATE-----
MIIDEjCCAfqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAdMQ4wDAYDVQQDDAV0ZXN0
MjELMAkGA1UEBhMCVVMwHhcNMTUxMjE1MTk1NjU4WhcNMTYxMjE0MTk1NjU4WjAd
MQ4wDAYDVQQDDAV0ZXN0MjELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCxmo/YeUHwiyar+DyzoK/mqTEc3nhaGAjUMZ2fSm5TnEzi
zxMJE3ESYje0CIgzqwlVNSWF4OuESookYGacF9/R+eJn58FrnzODglasmDMLxUK8
kWGFTkIlSpL72ctVbZR9axJGGCTRDutCFzFMzadsnDXEMmoGAPLCSKrQ8DFdUymX
SUtzpKaNNlgoG2Wt95kQF7AsWy5EHBcuUJyAF/90HNA8bFhh9jvfXh1b35N9n6S8
2IkN26ROfazabcX/JRljxm4jgfKDzrwt/np3mEkrD9fesYiQtwgJfGyjjpZgEo49
ecZwREahe0omA8cg89NMuHY40RN6PNc7tIjQg9exAgMBAAGjXTBbMA8GA1UdEwEB
/wQFMAMBAQAwDgYDVR0PAQH/BAQDAgbAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggr
BgEFBQcDAjAZBgNVHREEEjAQgQ50aWhzQGhvdXNlLmNvbTANBgkqhkiG9w0BAQsF
AAOCAQEABsCTzwM+HjvDQXCfPucSqcqvdxfJsUZNMRN9RZFka8GuMpBbxhIGdTLo
w8SOKRIIqzRdznCAKf4SPZ4y5nMyOQkHLGKIRcjMnZfnJkxjyj86eUxIBAVQP7lK
RcZkj+UdRE2eakED11jRoyFEAaXbYvqa/ZwCImOLIKSh2DW2hflvpX0sdfIX89KO
QVc9Ve9vAQanJtHjjs2xbn86V1J2Ffc4bcsMrk7dofrmoYwJVrNA4wzbrWDKHfjW
2NX2V2JBK8xnEDSTywtTuVf7oEZGGKY+1yMrgsqS22aC7sOUtUwqO/Gd0UsJiaMv
LhjJg2S3a2LFQk129WJrM1CM5XOCvw==
-----END CERTIFICATE-----
$

-- 
Regards,
Uri Blumenthal
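The "validate as far as practically possible" check the post asks for can be done with no trust store at all by treating the certificate as its own issuer. As an added example (not from the post and not OpenSSL's own code), the following Python walks the DER of the quoted test2.pem, checks that issuer equals subject, verifies the RSA PKCS#1 v1.5 / SHA-256 self-signature against the certificate's own public key, and checks the validity window; it assumes a v3 certificate with extensions and the sha256WithRSAEncryption algorithm shown in the dump.

```python
import base64, hashlib
from datetime import datetime, timezone

# Constructed input: the base64 body of the test2.pem certificate quoted in the post above.
TEST2_B64 = ("MIIDEjCCAfqgAwIBAgIBATANBgkqhkiG9w0BAQsFADAdMQ4wDAYDVQQDDAV0ZXN0MjELMAkGA1UEBhMCVVMwHhcNMTUxMjE1MTk1NjU4WhcNMTYxMjE0MTk1NjU4WjAd"
             "MQ4wDAYDVQQDDAV0ZXN0MjELMAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCxmo/YeUHwiyar+DyzoK/mqTEc3nhaGAjUMZ2fSm5TnEzi"
             "zxMJE3ESYje0CIgzqwlVNSWF4OuESookYGacF9/R+eJn58FrnzODglasmDMLxUK8kWGFTkIlSpL72ctVbZR9axJGGCTRDutCFzFMzadsnDXEMmoGAPLCSKrQ8DFdUymX"
             "SUtzpKaNNlgoG2Wt95kQF7AsWy5EHBcuUJyAF/90HNA8bFhh9jvfXh1b35N9n6S82IkN26ROfazabcX/JRljxm4jgfKDzrwt/np3mEkrD9fesYiQtwgJfGyjjpZgEo49"
             "ecZwREahe0omA8cg89NMuHY40RN6PNc7tIjQg9exAgMBAAGjXTBbMA8GA1UdEwEB/wQFMAMBAQAwDgYDVR0PAQH/BAQDAgbAMB0GA1UdJQQWMBQGCCsGAQUFBwMEBggr"
             "BgEFBQcDAjAZBgNVHREEEjAQgQ50aWhzQGhvdXNlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEABsCTzwM+HjvDQXCfPucSqcqvdxfJsUZNMRN9RZFka8GuMpBbxhIGdTLo"
             "w8SOKRIIqzRdznCAKf4SPZ4y5nMyOQkHLGKIRcjMnZfnJkxjyj86eUxIBAVQP7lKRcZkj+UdRE2eakED11jRoyFEAaXbYvqa/ZwCImOLIKSh2DW2hflvpX0sdfIX89KO"
             "QVc9Ve9vAQanJtHjjs2xbn86V1J2Ffc4bcsMrk7dofrmoYwJVrNA4wzbrWDKHfjW2NX2V2JBK8xnEDSTywtTuVf7oEZGGKY+1yMrgsqS22aC7sOUtUwqO/Gd0UsJiaMv"
             "LhjJg2S3a2LFQk129WJrM1CM5XOCvw==")
# DigestInfo prefix for SHA-256 (RFC 8017, 9.2); assumes sha256WithRSAEncryption, as in test2.pem.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, header_start, value_start, value_end)."""
    tag, n, hdr, pos = buf[pos], buf[pos + 1], pos, pos + 2
    if n & 0x80:                                   # long form: low 7 bits give the length's width
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, hdr, pos, pos + n

def children(buf, start, end):
    """Yield the TLVs packed inside buf[start:end] (the value of a SEQUENCE)."""
    while start < end:
        node = tlv(buf, start)
        yield node
        start = node[3]

def self_check(b64, now=None):
    """Validate a self-signed v3 certificate as far as possible without any trust store."""
    der = base64.b64decode(b64)
    _, _, cs, ce = tlv(der, 0)                     # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    (_, tbs0, tbs_s, tbs_e), _, (_, _, sig_s, sig_e) = children(der, cs, ce)
    _, _, _, issuer, validity, subject, spki, _ = children(der, tbs_s, tbs_e)  # [0] version, serial, alg, ... , [3] extensions
    dates = [datetime.strptime(der[s:e].decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")
             for tag, _, s, e in children(der, validity[2], validity[3])]      # UTCTime or GeneralizedTime
    _, (_, _, bs, _) = children(der, spki[2], spki[3])             # AlgorithmIdentifier, subjectPublicKey BIT STRING
    (_, _, ns, ne), (_, _, es, ee) = children(der, *tlv(der, bs + 1)[2:])  # skip unused-bits byte; RSAPublicKey {n, e}
    n, e = int.from_bytes(der[ns:ne], "big"), int.from_bytes(der[es:ee], "big")
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(der[sig_s + 1:sig_e], "big"), e, n).to_bytes(k, "big")  # RSA public operation on the signature
    t = SHA256_PREFIX + hashlib.sha256(der[tbs0:tbs_e]).digest()   # hash covers the whole TBSCertificate TLV
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t   # EMSA-PKCS1-v1_5 encoding
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    return {"self_signed": der[issuer[1]:issuer[3]] == der[subject[1]:subject[3]],
            "signature_ok": em == expected, "not_before": dates[0], "not_after": dates[1],
            "time_valid": dates[0] <= now <= dates[1]}
```

On the command line the same self-anchoring is `openssl verify -CAfile test2.pem test2.pem`, which makes OpenSSL use the certificate as its own trust anchor.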

