[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

Jakob Bohm jb-openssl at wisemo.com
Mon Nov 16 23:05:55 UTC 2015


Probably not, that constraint is satisfied since this is SSL/TLS and the 
end cert has that same EKU.

On 16/11/2015 22:37, E T wrote:
> Could it be because your CA-2 has the following: Extended Key Usage 
> - Client Authentication, Server Authentication?
>
> Some fields that in general only apply to end certificates, e.g. name 
> constraints, when used in a CA certificate, are interpreted as 
> constraints on the certificates that can be issued by that CA.
>
>
> On Nov 16, 2015, at 11:48 AM, Jayalakshmi bhat 
> <bhat.jayalakshmi at gmail.com> wrote:
>
> Hi Matt,
>
> Thank you for the response. I have attached the certificate details. 
> My apologies, I am not supposed to share the certificates. We are not 
> using the X509_VERIFY_PARAM_xxx APIs. We are using 4 certificates with 
> the device.
>
> 1. Root CA- Baltimore CyberTrust Root
> 2. Intermediate CA-1 - Microsoft Internet Authority
> 3. Intermediate CA-2 - Microsoft IT SSL SHA2
> 4. ID certificate - *.sharepoint.com
>
> Intermediate CAs are issued by the above Root CA. The issue is seen when 
> all 4 certificates are installed. The error happens with the intermediate 
> CA-2: check_trust returns X509_TRUST_UNTRUSTED. However, if I do not 
> install intermediate CA-2, things work fine.
>
> Any help is well appreciated.
>
> Regards
> Jayalakshmi
>
> On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
>
>     On 16/11/15 06:52, Jayalakshmi bhat wrote:
>     > Hi Victor,
>     >
>     > Thanks a lot for the detailed explanation.
>     >
>     > Our device acts as a TLS/SSL client.  The device receives a chain of
>     > certificates as part of the SSL handshake when it is trying to
>     > connect to a TLS/SSL server like SharePoint 365.
>     >
>     > While validating the certificate chain from the server, "check_trust"
>     > fails with X509_V_ERR_CERT_UNTRUSTED.
>     >
>     > This had been working fine with OpenSSL 1.0.1c.
>     >
>     > When I checked the code execution, check_trust was not being called in
>     > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
>     >
>     > That is why I wanted to know whether it is mandatory for applications to
>     > set X509_VERIFY_PARAM in X509_STORE_CTX.
>
>
>     Are you able to share the certificates that the server provides you
>     with? Also the root certificate you are using.
>
>     It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
>     least want to verify the hostname through a call to
>     "X509_VERIFY_PARAM_set1_host"). Are you currently doing anything like
>     this?
>


Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
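Added example, not code from the thread or from the OpenSSL project: it builds a constructed three-certificate chain (root, intermediate with the serverAuth/clientAuth EKU discussed above, end-entity cert) and verifies it the way Matt's reply recommends for a TLS client, with the root as the only trust anchor, the intermediate passed as untrusted, and the hostname checked (`-verify_hostname` is the CLI form of X509_VERIFY_PARAM_set1_host). It assumes the `openssl` command-line tool is installed; all names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed test PKI; names are placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA (self-signed). 'openssl req -x509' marks it CA:TRUE via the default config.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=Example Test Root" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA carrying the EKU combination mentioned in the thread.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nextendedKeyUsage=serverAuth,clientAuth\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Test Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null

# End-entity (server) certificate issued by the intermediate, with the same EKU.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_chain HOST: exit 0 if leaf.pem chains to root.pem (intermediate supplied
# as untrusted, as a TLS server would send it) and its SAN matches HOST.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem -purpose sslserver \
    -verify_hostname "$1" leaf.pem >/dev/null 2>&1
}

# verify_intermediate_only: with only the (non-self-signed) intermediate in the
# trust store there is no trust anchor, so verification fails unless -partial_chain.
verify_intermediate_only() {
  openssl verify -CAfile inter.pem leaf.pem >/dev/null 2>&1
}

if verify_chain www.example.test; then echo "chain OK for www.example.test"; fi
if ! verify_chain other.example.test; then echo "hostname mismatch rejected"; fi
if ! verify_intermediate_only; then echo "intermediate alone is not a trust anchor"; fi
```

The error strings printed by `openssl verify` without the `>/dev/null 2>&1` redirection correspond to the X509_V_ERR_* codes an application sees from X509_verify_cert.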
