[openssl-users] Problem with certificate check when it does not match CN

Brice André brice at famille-andre.be
Sun Dec 18 20:05:42 UTC 2016


Dear all,

I use a gsoap application for which I write the server (php/apache) and
client (gsoap and openssl). As I am pretty sure my problem comes from
openssl and not gsoap, I am asking my question here.

I developed the service a few years ago and got wildcard certificates from
StartCom. Due to the recent problems with StartCom, I migrated my
certificates to COMODO. I also tried to rationalise the number of
certificates, and I think several of my problems come from here.

For a dedicated web service, I use a server located at
https://www.online-rdv.be/v1/.... With my previous certificate, CN of
certificate was a wildcard certificate : *.online-rdv.be. Everything worked
fine.

But now, my new certificate is common for all my web sites. So, the CN is
www.ams-solutions.be and, in the list of alternate names, I have an entry
*.online-rdv.be.

From this point, all gsoap connections fail from SSL checks. I checked the
certificate bundle provided to my gsoap client application and it contains
root certificate, as well as intermediate certificates.

This same soap server is directly used by the website and all browsers I
checked do not encounter the problem.

So, my best guess is that the way I configure openssl with gsoap is not
correct and does not allow validating a web site if it does not match the
CN certificate field.

I do no special configuration (nearly all default parameters). In fact, the
only ssl configuration I perform is the following :

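   soap_ssl_init();
   soap_ssl_client_context(service.soap,
                           SOAP_SSL_DEFAULT,
                           NULL,                   /* keyfile: no client key */
                           NULL,                   /* password for keyfile */
                           cert_path.GetCString(), /* cafile: trusted CA bundle */
                           NULL,                   /* capath */
                           NULL);                  /* randfile */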


where cert_path points to a file with root and intermediate certificates.

Any suggestion on how to solve my problem ?

Regards,

Brice
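
The name check this question turns on, as an added example that is not part of the original message and is not gsoap or OpenSSL code: a client compares the host name against the certificate's subjectAltName dNSName entries, and falls back to the CN only when the certificate has none. The function names and the first SAN entry are assumptions made for illustration; the other names are taken from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two ASCII DNS names. */
static int dns_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b; /* equal only if both strings ended together */
}

/* A wildcard counts only as the whole left-most label and spans one label. */
static int name_matches(const char *pattern, const char *host)
{
    const char *dot = strchr(host, '.');
    if (strncmp(pattern, "*.", 2) != 0)
        return dns_equal(pattern, host);
    return dot != NULL && dot != host && dns_equal(pattern + 1, dot);
}

/* CN-only comparison, the behaviour the post suspects in the client. */
int cn_only_covers_host(const char *cn, const char *host)
{
    return cn != NULL && name_matches(cn, host);
}

/* RFC 6125 order: dNSName SAN entries decide; CN is used only if none exist. */
int cert_covers_host(const char *const *san, size_t n_san,
                     const char *cn, const char *host)
{
    size_t i;
    if (n_san == 0)
        return cn_only_covers_host(cn, host);
    for (i = 0; i < n_san; i++)
        if (name_matches(san[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed SAN list: the post confirms only the wildcard entry. */
    const char *san[] = { "www.ams-solutions.be", "*.online-rdv.be" };
    const char *cn = "www.ams-solutions.be", *host = "www.online-rdv.be";
    printf("CN only:   %d\n", cn_only_covers_host(cn, host));
    printf("SAN first: %d\n", cert_covers_host(san, 2, cn, host));
    return 0;
}
```

In a real client this comparison should come from the TLS library rather than hand-written code; OpenSSL 1.0.2 and later provide X509_check_host() for it.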