[openssl-users] A self-signed CA certificate in the CA files *sometimes* stops verification working

Jakob Bohm jb-openssl at wisemo.com
Tue Sep 6 20:52:32 UTC 2016

Could this be related to the recent work to treat the list of
certificates as a SET of potentially relevant certificates
rather than as an ordered list of certificates that must form
the trust chain?

Reading through the 1.1.0 changelog makes it unclear how much
of this standards-compliance fix has been implemented so far,
and how much of it is included in 1.0.2h.

On 06/09/2016 20:10, John Unsworth wrote:
> This seems to me to be very easy to validate by just inserting a self-signed certificate at the front of a CAfile that works.
> ...
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
> Sent: 06 September 2016 18:47
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] A self-signed CA certificate in the CA file *sometimes* stops verification working
>> On Sep 6, 2016, at 11:53 AM, John Unsworth <John.Unsworth at synchronoss.com> wrote:
>> I have noticed the following behaviour:
>> 1 Create a certificate file with two CA certificates, one for the server being connected to (server A) and one for another server (server B).
>> 2 Whichever way the CA certificates are ordered the connect works OK.
>> 3 Add a self-signed CA certificate in the file before the one for server A. The connect fails ‘Verify return code: 21 (unable to verify the first certificate)’.
>> 4 Move the self-signed CA certificate after the one for server A. The connect works OK.
>> Why should the self-signed certificate affect the connection when the required CA certificate is in the certificate file? Is this a bug?
> You've provided much too little detail for a meaningful answer.
> Post the server chain being validated as reported by
>     $ openssl s_client -showcerts -connect <server>:443 > chain.pem
>     $ openssl crl2pkcs7 -nocrl -certfile chain.pem |
>       openssl pkcs7 -print_certs
> and all three CA certificates.  Do not post any of the private keys.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
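The four-step experiment in John's report, rebuilt as an added example that is not part of the thread: it generates a throwaway root, an intermediate (standing in for "the CA certificate for server A"), a leaf issued by that intermediate, and an unrelated self-signed CA, then writes the CAfile with the self-signed CA before and after server A's CA and runs `openssl verify` against each. It also lists each CAfile with the `crl2pkcs7 | pkcs7 -print_certs` pipeline Viktor suggests for the server chain and counts the entries whose subject equals their issuer, which is the quickest way to see which certificates in a bundle are self-signed and where they sit. It assumes OpenSSL 1.1.1 or later on PATH with its default `openssl.cnf` installed (`req` needs it); every name and path in it is made up. The script prints what the local build does for each ordering; the report is that the "before" ordering fails with verify error 21 while "after" works, and whether a given build reproduces that is what the script lets you check.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: rebuild the CAfile-ordering experiment
# from the report with throwaway certificates, then list each CAfile the way
# the crl2pkcs7 | pkcs7 pipeline does and count its self-signed entries.
# Assumptions: openssl 1.1.1+ on PATH with its default openssl.cnf installed
# (req needs it); all names and paths below are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sign a CSR: self-sign with -signkey, or issue it under a CA with -CA/-CAkey.
# $1 = base name of the csr/pem pair, $2 = extension file, $3.. = signer options.
sign_csr() {
    base="$1"; ext="$2"; shift 2
    openssl x509 -req -in "$WORK/$base.csr" -days 1 -extfile "$ext" \
        -out "$WORK/$base.pem" "$@" 2>/dev/null
}

# Throwaway PKI: root -> intermediate ("the CA certificate for server A")
# -> leaf (server A), plus an unrelated self-signed CA (the cert moved in steps 3/4).
make_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server-a.example\n' > "$WORK/leaf.ext"
    for name in root other int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-$name" \
            -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    done
    sign_csr root  "$WORK/ca.ext"   -signkey "$WORK/root.key"
    sign_csr other "$WORK/ca.ext"   -signkey "$WORK/other.key"
    sign_csr int   "$WORK/ca.ext"   -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial
    sign_csr leaf  "$WORK/leaf.ext" -CA "$WORK/int.pem"  -CAkey "$WORK/int.key"  -CAcreateserial
}

# Write the CAfile for one ordering and print its path.
#   before: unrelated self-signed CA ahead of server A's CA (step 3 of the report)
#   after:  unrelated self-signed CA behind it (step 4)
#   none:   only the unrelated CA, a negative control that must fail
build_cafile() {
    cafile="$WORK/cafile-$1.pem"
    case "$1" in
        before) cat "$WORK/other.pem" "$WORK/int.pem" "$WORK/root.pem" > "$cafile" ;;
        after)  cat "$WORK/int.pem" "$WORK/root.pem" "$WORK/other.pem" > "$cafile" ;;
        none)   cat "$WORK/other.pem" > "$cafile" ;;
        *)      echo "unknown order: $1" >&2; return 2 ;;
    esac
    echo "$cafile"
}

# Verify the leaf against the CAfile for the given ordering; prints OK or FAIL.
verify_with_order() {
    cafile="$(build_cafile "$1")"
    if openssl verify -CAfile "$cafile" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# List the CAfile with the same pipeline suggested for the server chain, then
# count the entries whose subject equals their issuer (the self-signed ones).
count_self_signed() {
    cafile="$(build_cafile "$1")"
    openssl crl2pkcs7 -nocrl -certfile "$cafile" | openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { if (substr($0, 8) == s) n++ }
             END         { print n + 0 }'
}

make_pki
for order in before after none; do
    printf '%-7s verify=%s self-signed-in-cafile=%s\n' \
        "$order" "$(verify_with_order "$order")" "$(count_self_signed "$order")"
done
```

The "none" line is the control: with only the unrelated CA in the file, verify must fail, so an unexpected OK there would mean the leaf's issuer is being found somewhere other than the CAfile (for instance the default CA directory, which `verify` still loads alongside `-CAfile`). The subject/issuer count is the same information you get from the chain dump Viktor asks for, and it is the first thing to compare between the working and failing bundles.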