[openssl-users] [EXTERNAL] Certificate gets verified OK over SSL-CLI, but not when using SSL-API

Manuel Wagesreither ManWag at FastMail.FM
Thu Dec 28 10:19:02 UTC 2017


On Fri, 22 Dec 2017, at 20:31, Sands, Daniel wrote:
> On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote:
> > Unfortunately this didn't work either. The end result is the same;
> > OpenSSL still emits a "certificate signature failure" with an error
> > depth of 0.
> > 
> In light of what Salz said about verification, could we assume that the
> openssl verify program that succeeded is based on the older library?

Thanks for your feedback! Actually it's the other way round. Validation succeeds with the *new* library (libssl.so.1.1), and fails with the *old* one (libssl.so.1.0.0). This is true with the openssl verify program as well: `openssl verify` succeeds for OpenSSL 1.1.0f, and fails for OpenSSL 1.0.1g.

Hence, if at all, verification requirements must have been lowered in the new OpenSSL version. I'm just about to look for a list of criteria a certificate has to pass in order to validate successfully in the two OpenSSL versions.

