[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
Jayalakshmi bhat
bhat.jayalakshmi at gmail.com
Mon Nov 16 16:48:01 UTC 2015
Hi Matt,
Thank you for the response. I have attached the certificates details. My
apology I am not supposed to share the certificates. We are not using
X509_VERIFY_PARAM_xxx
API's. We are using 4 certificates with the device.
1. Root CA- Baltimore CyberTrust Root
2. Intermediate CA-1 - Microsoft Internet Authority
3. Intermediate CA-2 - Microsoft IT SSL SHA2
4. ID certificate - *.sharepoint.com
Intermediate CAs are issued by the above Root CA. Issue is seen when all 4
certificates are installed. Error happens with the intermediate CA-2.
check_trust returns X509_TRUST_UNTRUSTED. However if I do not install
intermediate CA-2 things works fine.
Any help is well appreciated.
Regards
Jayalakshmi
On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 16/11/15 06:52, Jayalakshmi bhat wrote:
> > Hi Victor,
> >
> > Thanks a lot for details explanation.
> >
> > Our device acts as TLS/SSL client. The device receives chain of
> > certificates as part of SSL handshake, when it is trying to get
> > connected to TLS/SSL server like sharepoint 365.
> >
> > While validating the certificate chain from server, "*check_trust"
> > *fails with X509_V_ERR_CERT_UNTRUSTED.
> >
> > This had been working fine with OpenSSL 1.0.1c.
> >
> > When I checked the code execution, check_trust was not being called in
> > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> >
> > That is why I wanted to know is it mandatory for the applications to
> > set X509_VERIFY_PARAM in X509_STORE_CTX
>
>
> Are you able to share the certificates that the server provides you
> with? Also the root certificate you are using.
>
> It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
> least want to verify the hostname through a call to
> "X509_VERIFY_PARAM_set1_host"). Are you currently do anything like this?
>
> Matt
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151116/0ea6e0a4/attachment.html>
-------------- next part --------------
ID CERTIFICATE
Version 3
Serial Number 4F 5D 8E A9 00 01 00 00 D8 6F
Signature Algorithm sha1RSA
Issuer DC=com
DC=microsoft
DC=corp
DC=redmond
CN=MSIT Machine Auth CA 2
Valid From 4/14/2014 10:01:07 PM UTC
Valid To 4/13/2016 10:01:07 PM UTC
Subject C=US
S=WA
L=Redmond
O=Microsoft
CN=*.sharepoint.com
Public Key
Public Key Algorithm RSA
Public Key Length 2048 bits
Exponent 65537 (10001)
Extensions
Authority Key Identifier KeyID=EB DB 11 5E F8 09 9E D8 D6 62 9C FD 62 9D E3 84 4A 28 E1 27
Subject Key Identifier F5 D0 5C 03 01 C3 D9 31 56 24 3F BF 26 4F 04 A7 D8 3C B3 CE
Basic Constraints
Key Usage Data Encipherment (b0), Digital Signature, Key Encipherment (a0)
Extended Key Usage Client Authentication, Server Authentication
Additional Extensions Subject Alternative Name, CRL Distribution Points
Subject Alternative Name *.sharepoint.com
*.sharepoint.apac.microsoftonline.com
*.sharepoint.emea.microsoftonline.com
*.sharepoint.microsoftonline.com
Thumbprint 3D A0 FF 58 AF 96 A0 BE 01 BB 7E 05 65 7C D7 89 27 F9 52 98
INTERMEDIATE CA-1
Version 3
Serial Number 07 27 6F AE
Signature Algorithm sha1RSA
Issuer C=IE
O=Baltimore
OU=CyberTrust
CN=Baltimore CyberTrust Root
Valid From 4/25/2012 5:41:36 PM UTC
Valid To 4/25/2020 5:40:55 PM UTC
Subject CN=Microsoft Internet Authority
Public Key
Public Key Algorithm RSA
Public Key Length 4096 bits
Exponent 65537 (10001)
Extensions
Authority Key Identifier KeyID=E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A B5 04 4D F0
Subject Key Identifier 2A 4D 97 95 5D 34 7E 9D B6 E6 33 BE 9C 27 C1 70 7E 67 DB C1
Basic Constraints critical CA: True
Key Usage Certificate Signing, CRL Signing (86), Digital Signature, Off-line CRL Signing
Extended Key Usage
Additional Extensions Certificate Policies, CRL Distribution Points
Subject Alternative Name
Thumbprint 99 2A D4 4D 7D CE 29 8D E1 7E 6F 2F 56 A7 B9 CA A4 1D B9 3F
INTERMEDIATE CA-2
Version 3
Serial Number 07 27 9A A9
Signature Algorithm sha256RSA
Issuer C=IE
O=Baltimore
OU=CyberTrust
CN=Baltimore CyberTrust Root
Valid From 12/19/2013 8:07:32 PM UTC
Valid To 12/19/2017 8:06:55 PM UTC
Subject C=US
S=Washington
L=Redmond
O=Microsoft Corporation
OU=Microsoft IT
CN=Microsoft IT SSL SHA2
Public Key
Public Key Algorithm RSA
Public Key Length 4096 bits
Exponent 65537 (10001)
Extensions
Authority Key Identifier KeyID=E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A B5 04 4D F0
Subject Key Identifier 51 AF 24 26 9C F4 68 22 57 80 26 2B 3B 46 62 15 7B 1E CC A5
Basic Constraints critical CA: True
Key Usage Certificate Signing, CRL Signing (86), Digital Signature, Off-line CRL Signing
Extended Key Usage Client Authentication, Server Authentication
Additional Extensions Certificate Policies, CRL Distribution Points
Subject Alternative Name
Thumbprint 94 8E 16 52 58 62 40 D4 53 28 7A B6 9C AE B8 F2 F4 F0 21 17
ROOT CA
Version 3
Serial Number 02 00 00 B9
Signature Algorithm sha1RSA
Issuer C=IE
O=Baltimore
OU=CyberTrust
CN=Baltimore CyberTrust Root
Valid From 5/12/2000 6:46:00 PM UTC
Valid To 5/12/2025 11:59:00 PM UTC
Subject C=IE
O=Baltimore
OU=CyberTrust
CN=Baltimore CyberTrust Root
Public Key
Public Key Algorithm RSA
Public Key Length 2048 bits
Exponent 65537 (10001)
Extensions
Authority Key Identifier
Subject Key Identifier E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A B5 04 4D F0
Basic Constraints critical CA: True
Key Usage Certificate Signing, Off-line CRL Signing
Extended Key Usage
Additional Extensions
Subject Alternative Name
Thumbprint D4 DE 20 D0 5E 66 FC 53 FE 1A 50 88 2C 78 DB 28 52 CA E4 74
More information about the openssl-users
mailing list