[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Nov 16 07:05:45 UTC 2015
On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote:
> > You should probably explain what you're doing, and in what way OpenSSL 1.0.2
> > (all upstream versions) is not working the way you expect.
On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:
> Our device acts as a TLS/SSL client. The device receives a chain of
> certificates as part of the SSL handshake when it is trying to connect
> to a TLS/SSL server like SharePoint 365.
This is not a plausibly detailed explanation of how you're using
OpenSSL in your device.
> While validating the certificate chain from the server, "check_trust" fails
> with X509_V_ERR_CERT_UNTRUSTED.
OpenSSL 1.0.2 is broadly used, with no similar problem reports.
You're probably doing something atypical, and need to explain in
technical detail how you're configuring certificate verification.
> This had been working fine with OpenSSL 1.0.1c.
You can download http://openssl.org/source/old/1.0.2/openssl-1.0.2c.tar.gz
for yourself and check that the code you claim to make the difference
is simply not there. If 1.0.2c is working and 1.0.2d is not, either
you're using a modified 1.0.2c (seek support from whoever made the
changes) or the problem lies elsewhere.
> When I checked the code execution, check_trust was not being called in
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
This is simply irrelevant; the change in question predates the
1.0.2 base version.
> That is why I wanted to know whether it is mandatory for applications to
> set X509_VERIFY_PARAM in X509_STORE_CTX.
The question has a false premise and so makes no sense. Rather
you need to forget about (param->trust) and focus on why your
application is failing to verify the peer certificate.
--
Viktor.
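As an added illustration (not part of this thread, and not OpenSSL project code), the script below builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and runs the two checks the thread touches: chain building, where the intermediate must be supplied as an untrusted chain cert (as a TLS server does in the handshake), and the explicit trust check that setting a purpose on the verify parameters switches on, which fails when the anchor's trust settings do not cover that use (the exact error code reported depends on the OpenSSL release). It assumes openssl 1.1.1 or later on PATH; all certificates are constructed test data in a temporary directory.

```shell
#!/bin/sh
# Added example: throwaway chain built with the openssl CLI (1.1.1+ assumed).
# Everything below is constructed test data written to a temp directory.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the two CA certificates (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Create an EC key plus CSR named after the argument (CN = name).
mkcsr() {
    openssl req -new -batch -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
}

# Build root -> int -> leaf. Only root.pem goes into the trust store;
# int.pem plays the intermediate a TLS server sends during the handshake.
make_chain() {
    mkcsr root; mkcsr int; mkcsr leaf
    openssl x509 -req -in root.csr -signkey root.key -days 1 \
        -extfile ca.ext -out root.pem 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -out leaf.pem 2>/dev/null
}

# Run `openssl verify` on leaf.pem with the given options; exit status is
# 0 only when the chain verifies (the verify error text goes to stdout).
verify_leaf() {
    openssl verify "$@" leaf.pem
}

make_chain
echo '1) trusted root only, intermediate not supplied -> fails (issuer not found):'
verify_leaf -CAfile root.pem || true
echo '2) intermediate supplied via -untrusted -> verifies:'
verify_leaf -CAfile root.pem -untrusted int.pem
echo '3) root trusted for clientAuth only, sslserver purpose set -> fails in check_trust:'
openssl x509 -in root.pem -addtrust clientAuth -out root-clientauth.pem
verify_leaf -CAfile root-clientauth.pem -untrusted int.pem -purpose sslserver || true
```

Case 1 is the usual cause of a client that "worked before": the server's intermediate was being picked up from somewhere else; case 3 is what a trust-setting mismatch looks like once a purpose is set.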