[openssl-dev] [openssl.org #4580] "openssl verify -CAfile cacerts.pem cert.pem" fails if cacerts.pem is ordered in certain ways

Gábor STEFANIK via RT rt at openssl.org
Tue Jun 21 13:37:35 UTC 2016


Hi,

It seems that having the same key isn't actually a prerequisite; I actually have a pair of certificates in hand with the same issuer but different keys that reproduce this order-dependent behavior. (I'm currently in talks with our IT department for clearance to submit these certs as a test case, since they are currently internal-use only.)

Also, we certainly shouldn't _crash_ even with duplicate keys. (Just checked, the nonidentical-key certificate pair above also reproduces the crash on win32.)



-----Original Message-----
> From: Salz, Rich via RT [mailto:rt at openssl.org]
> Sent: Tuesday, June 21, 2016 3:24 PM
> To: Gábor STEFANIK <Gabor.STEFANIK at nng.com>
> Cc: openssl-dev at openssl.org
> Subject: RE: [openssl-dev] [openssl.org #4580] "openssl verify -CAfile
> cacerts.pem cert.pem" fails if cacerts.pem is ordered in certain ways
>
> Having a mix of expired and unexpired certificates in the trust store for the
> same issuer/key seems to be undefined.  I am not sure this is a bug.
>
> --
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4580
> Please log in as guest with password guest if prompted




