[openssl-users] Bug 1.0.1f - selfsign ignores email_in_dn setting

Jakob Bohm jb-openssl at wisemo.com
Tue Jun 23 23:35:25 UTC 2015


On 19/06/2015 16:24, Ben Humpert wrote:
> When the CSR contains an email address and the email_in_dn setting in
> the config file is set to "no" the email address is actually present
> in the issuer DN but not in the subject DN. This causes errors when
> verifying certificate chains since the subject hash is used to
> identify a cert but the issuer hash is different.
Are you sure? I have not seen this behavior in current
versions when making self-signed certificates. Could
you provide step-by-step reproduction procedures to
cause this misbehavior?
> A dirty workaround is to 1) link the subject hash to the cert file and
> additionally 2) link the issuer hash to the same cert file
Such a workaround would be absolutely no help for
anyone using any other crypto library to verify the
certificate chain.

If OpenSSL certificate verification accepts an invalid
certificate chain by simply linking from the wrong
hash to a certificate with a different subject, then
that is a minor security vulnerability in the
verification code in OpenSSL, as that would also make
it fail for any fake issuer name chosen to have the
same (non-cryptographic) hash as an already trusted
certificate.  The limitation of such a vulnerability
would be that the cryptographic keys still need to
match.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
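Jakob asks for a step-by-step reproduction. As an added example that is not part of the thread, the following shell script sets up the configuration Ben describes (a CSR carrying an emailAddress, `openssl ca -selfsign` with `email_in_dn = no`) and applies the check a verifier relies on: that subject and issuer DN, and the OpenSSL subject/issuer hashes, agree. Section names, DN values and file names are constructed; it assumes an `openssl` binary on PATH, and whether the `-selfsign` certificate reports match or mismatch depends on the OpenSSL version it runs against.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the reported setup and check whether
# the issued certificate's subject and issuer DN (and their OpenSSL hashes) agree.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"; mkdir newcerts; : > index.txt; echo 01 > serial
# Constructed minimal config; section names and DN values are illustrative.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 30
policy = demo_policy
email_in_dn = no
[ demo_policy ]
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = demo.example
emailAddress = admin@demo.example
EOF
# CSR with an emailAddress, then the self-signed issuance the report describes.
openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem -config ca.cnf 2>/dev/null
openssl ca -batch -selfsign -config ca.cnf -keyfile key.pem -in csr.pem -out selfsign.pem -notext 2>/dev/null
# Controls: a root that is self-signed by construction, and a leaf it signs (not self-issued).
openssl req -x509 -new -key key.pem -subj /CN=demo-root.example -out root.pem -config ca.cnf 2>/dev/null
openssl x509 -req -in csr.pem -CA root.pem -CAkey key.pem -set_serial 2 -out leaf.pem 2>/dev/null

# Print "match" when subject and issuer DN and hashes agree, "mismatch" otherwise.
check_self_issued() {
  s=$(openssl x509 -in "$1" -noout -subject); s=${s#subject=}
  i=$(openssl x509 -in "$1" -noout -issuer);  i=${i#issuer=}
  sh=$(openssl x509 -in "$1" -noout -subject_hash)
  ih=$(openssl x509 -in "$1" -noout -issuer_hash)
  if [ "$s" = "$i" ] && [ "$sh" = "$ih" ]; then echo match; else echo mismatch; fi
}

for c in root.pem leaf.pem selfsign.pem; do
  echo "$c: $(check_self_issued "$c")"
  openssl x509 -in "$c" -noout -subject -issuer
done
```

A "mismatch" on selfsign.pem is the condition the report describes; a verifier that resolves the issuer by hash alone then cannot find the certificate under its own subject hash.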