[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

Viktor Dukhovni openssl-users at dukhovni.org
Mon Nov 16 07:05:45 UTC 2015


On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote:

> > You should probably explain what you're doing, and in what way OpenSSL 1.0.2
> > (all upstream versions) is not working the way you expect.

On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:

> Our device acts as TLS/SSL client.  The device receives chain of
> certificates as part of SSL handshake, when it is trying to get connected
> to TLS/SSL server like sharepoint 365.

This is not a plausibly detailed explanation of how you're using
OpenSSL in your device.

> While validating the certificate chain from server, "check_trust" fails
> with X509_V_ERR_CERT_UNTRUSTED.

OpenSSL 1.0.2 is broadly used, with no similar problem reports.
You're probably doing something atypical, and need to explain in
technical detail how you're configuring certificate verification.

> This had been working fine with OpenSSL 1.0.1c.

You can download http://openssl.org/source/old/1.0.2/openssl-1.0.2c.tar.gz
for yourself and check that the code you claim to make the difference
is simply not there.  If 1.0.2c is working and 1.0.2d is not, either
you're using a modified 1.0.2c (seek support from whoever made the
changes) or the problem lies elsewhere.

> When I checked the code execution, check_trust was not being called in
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.

This is simply irrelevant, the change in question predates the
1.0.2 base version.

> That is why I wanted to know is it mandatory for the applications to
> set X509_VERIFY_PARAM in X509_STORE_CTX

The question has a false premise and so makes no sense.  Rather
you need to forget about (param->trust) and focus on why your
application is failing to verify the peer certificate.

-- 
	Viktor.

