[openssl-users] SSL_CTX_load_verify_locations only with CAPath

Dr. Roger Cuypers roger.cuypers at technisat.de
Tue Jul 7 11:06:06 UTC 2015

After downloading the root certificate GlobalSignRootCA.crt and installing it  in the folder with its appropriate hash everything worked fine. Thanks for your suggestion.

-.wikipedia.org is the end user certificate, right?

-----Ursprüngliche Nachricht-----
Von: openssl-users [mailto:openssl-users-bounces at openssl.org] Im Auftrag von David Thompson
Gesendet: Dienstag, 7. Juli 2015 04:57
An: openssl-users at openssl.org
Betreff: Re: [openssl-users] SSL_CTX_load_verify_locations only with CAPath

> From: openssl-users On Behalf Of Dr. Roger Cuypers
> Sent: Monday, July 06, 2015 10:43

> Follow up:
> For some reason, the X509_NAME_hash function calculates a very 
> different hash for the server certificate:
> 5ad8a5d6
> Renaming the certificate to 5ad8a5d6.0 causes it to be found, but I 
> wonder where the difference in the hashes lies.
> openssl x509 -in D:\certs\-.wikipedia.org.crt -out 
> D:\certs\-.wikipedia.org.der -outform DER openssl x509 -in 
> D:\certs\-.wikipedia.org.der -inform DER -out 
> D:\certs\-.wikipedia.org.pem -outform PEM

Aside: those first two steps accomplish nothing; -.wikipedia.org.crt was already PEM (we know it worked in CAfile). 'x509' reads PEM by default.

> openssl x509 -in D:\certs\-
> .wikipedia.org.pem -noout -subject_hash
> 690deae8
> Then in D:\certs:
> D:\certs>mklink /h 690deae8.0 -.wikipedia.org.pem

I bet you put the entire cert *chain* in the -.wikipedia.org.crt file.

The leaf cert (currently) used by wikipedia, with subject= /C=US/ST=California/L=San Francisco/O=Wikimedia Foundation, Inc./CN=*.wikipedia.org issuer= /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA - SHA256 - G2 serial=1121972E32A5E5B2E29D472DFEDB72D6276E
notBefore=Dec 16 21:24:03 2014 GMT
notAfter=Feb 19 12:00:00 2017 GMT
has subject hash 690deae8.
This cert is sent from the server. It is not looked up in the truststore and does not need to be in the truststore; if it is that copy is ignored.

The *root* cert for that wikipedia chain is subject= issuer= /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
notBefore=Sep  1 12:00:00 1998 GMT
notAfter=Jan 28 12:00:00 2028 GMT
and this has subject hash 5ad8a5d6. This is the only cert that needs to be or is looked up in the truststore, and thus for CApath needs correct hash.

I thought, as the doc has (always? long?) said, that CApath must have each cert (or CRL) in a separate file. But on checking I see that by_dir.c actually calls X509_load_{cert,crl}_file from by_file.c, which for PEM loads all certs (or crls) in a file to the working context. Thus a hashlink to only the 3rd cert in a file, where that 3rd cert is the only one you need, actually works even though not documented and I'm not sure intended.


THIS MESSAGE IS CONFIDENTIAL. This e-mail message and any attachments are proprietary and confidential information protected from disclosure and intended only for the use of the recipient(s) named above. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message or any attachments is strictly prohibited. If you have received this communication in error, please notify CardConnect immediately by replying to this message and then delete this message and any attachments from your computer.
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

More information about the openssl-users mailing list