[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

Jayalakshmi bhat bhat.jayalakshmi at gmail.com
Mon Nov 16 07:23:08 UTC 2015

Hi Victor,

First thing kindly note that I am talking about *OpenSSL-1.0.1c* not about
OpenSSL 1.0.2c.

So far we were using *OpenSSL-1.0.1c* and server validation was working
fine. Recently we upgraded the OpenSSL library to *OpenSSL-1.0.2d. *

Also we have not done any modification to the SSL client application that
is using the OpenSSL library.

We started seeing server certificate validation failures only for chain of
certificate i.e.  roota->intermediate ca->id certificate.

We are not seeing any issues when only rootca->cerificate is used.



On Mon, Nov 16, 2015 at 12:35 PM, Viktor Dukhovni <
openssl-users at dukhovni.org> wrote:

> On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote:
> > > You should probably explain what you're doing, and in what way OpenSSL
> 1.0.2
> > > (all upstream versions) is not working the way you expect.
> On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:
> > Our device acts as TLS/SSL client.  The device receives chain of
> > certificates as part of SSL handshake, when it is trying to get connected
> > to TLS/SSL server like sharepoint 365.
> This is not a plausibly detailed explanation of how you're using
> OpenSSL in your device.
> > While validating the certificate chain from server, "*check_trust" *fails
> OpenSSL 1.0.2 is broadly used, with no similar problem reports.
> You're probably doing something atypical, and need to explain in
> technical detail how you're configuring certificate verification.
> > This had been working fine with OpenSSL 1.0.1c.
> You can download http://openssl.org/source/old/1.0.2/openssl-1.0.2c.tar.gz
> for yourself and check that the code you claim to make the difference
> is simply not there.  If 1.0.2c is working and 1.0.2d is not, either
> you're using a modified 1.0.2c (seek support from whoever made the
> changes) or the problem lies elsewhere.
> > When I checked the code execution, check_trust was not being called  in
> > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> This is simply irrelevant, the change in question predates the
> 1.0.2 base version.
> > That is why I wanted to know is it mandatory for the applications to
> > set X509_VERIFY_PARAM in X509_STORE_CTX
> The question has a false premise and so makes no sense.  Rather
> you need to forget about (param->trust) and focus on why your
> application is failing to verify the peer certificate.
> --
>         Viktor.
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151116/7dc9fb2a/attachment-0001.html>

More information about the openssl-users mailing list