[openssl-dev] OpenSSL version 1.1.0 pre release 2 published
Jouni Malinen
j at w1.fi
Thu Jan 14 18:35:26 UTC 2016
On Thu, Jan 14, 2016 at 12:08:06PM -0500, Viktor Dukhovni wrote:
> Well I rewrote the certificate chain verification code, perhaps some more
> polish is needed. Please, if possible, send the chain being verified
> (the leaf and and "untrusted" certs), plus the trusted roots (clearly
> marked as such), and I'll look into it.
I'm not sure this is going to be helpful since this is a very basic case
and I cannot reproduce this with openssl verify. Anyway, the incorrect
CA and the only certificate that was configured as trusted on the client
was this one:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/ca-incorrect.pem
while the server used this certificate:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/server.pem
and this issuer:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/ca.pem
Not even the issue subject name match here..
Still, I'm getting this with pre-rel 2 on the client:
SSL: SSL_connect:SSLv3/TLS read server hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=FI/O=w1.fi/CN=Root CA'
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=FI/O=w1.fi/CN=server.w1.fi'
And TLS handshake completes successfully.
With OpenSSL 1.0.2d, this fails (as expected):
SSL: SSL_connect:SSLv3 read server hello A
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=FI/O=w1.fi/CN=Root CA'
So this has to be something with how the chain verification code gets
configured.. I'll see if I can find the commit that changed the behavior
to make it a bit more easier to figure out what exactly may have
happened.
--
Jouni Malinen PGP id EFC895FA
More information about the openssl-dev
mailing list