[openssl-users] troubleshooting a puzzling issue

Thierry Parmentelat thierry.parmentelat at inria.fr
Fri Jan 13 10:28:40 UTC 2017


I am facing a problem that I have narrowed down to this:

I have two certificates, one being signed by the other.
The attached code is Python code that uses M2Crypto to check for that fact,

and it turns out that on some boxes x509_verify() returns 1 as expected, while on some others I am getting -1.

I apologize that I am not able to write pure C code that would reproduce the issue (I’m afraid that me trying to achieve that would just lead to more artificial problems than be actually helpful in any way :)

The M2Crypto guys tell me they are essentially just passing stuff along to OpenSSL’s function,
as described here

and this says, I quote:

X509_verify(), X509_REQ_verify() and X509_CRL_verify() return 1 if the signature is valid and 0 if the signature check fails. If the signature could not be checked at all because it was invalid or some other error occurred then -1 is returned.

So my question here is: how do I go about figuring out what ‘some other error’ might be in my case?

I was wondering, for example, if it could just be a missing library or something along this line, as my understanding is that the range of algorithms, ciphers, and other hashes can be configured at build-time.
What tools can I use to look in this direction?

So far it looks like the problem happens on Fedora installations, while the code behaves as expected on macOS and Ubuntu.
I have not yet been able to assess that on a wide variety of installations.

Thanks for any hint 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: m2.py
Type: text/x-python-script
Size: 1833 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170113/323959a0/attachment.bin>
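
The manual text quoted in the message distinguishes 1, 0 and -1; OpenSSL records the reason for a failure on its per-thread error queue. The following is an added example, not part of the original message or of M2Crypto: it calls libcrypto directly through ctypes and returns the X509_verify() result together with the queued error strings. It assumes a shared OpenSSL libcrypto (1.1.0 or later) is installed; the helper names `drain_errors`, `load_cert` and `check_signed_by` are illustrative.

```python
import ctypes.util
# Assumption: a shared OpenSSL libcrypto (1.1.0 or later) can be found on this host.
_lib = ctypes.CDLL(ctypes.util.find_library("crypto") or "libcrypto.so.3")
P = ctypes.c_void_p

def _fn(name, restype, *argtypes):  # declare prototypes so pointers are not truncated
    f = getattr(_lib, name)
    f.restype, f.argtypes = restype, list(argtypes)
    return f

BIO_new_mem_buf = _fn("BIO_new_mem_buf", P, ctypes.c_char_p, ctypes.c_int)
BIO_free = _fn("BIO_free", ctypes.c_int, P)
PEM_read_bio_X509 = _fn("PEM_read_bio_X509", P, P, P, P, P)
X509_get_pubkey = _fn("X509_get_pubkey", P, P)
X509_verify = _fn("X509_verify", ctypes.c_int, P, P)
X509_free = _fn("X509_free", None, P)
EVP_PKEY_free = _fn("EVP_PKEY_free", None, P)
ERR_get_error = _fn("ERR_get_error", ctypes.c_ulong)
ERR_clear_error = _fn("ERR_clear_error", None)
ERR_error_string_n = _fn("ERR_error_string_n", None, ctypes.c_ulong, ctypes.c_char_p, ctypes.c_size_t)

def drain_errors():  # pop every entry off this thread's OpenSSL error queue as text
    reasons = []
    while (code := ERR_get_error()) != 0:
        buf = ctypes.create_string_buffer(256)
        ERR_error_string_n(code, buf, len(buf))
        reasons.append(buf.value.decode())
    return reasons

def load_cert(pem):
    bio = BIO_new_mem_buf(pem, len(pem))
    cert = PEM_read_bio_X509(bio, None, None, None)
    BIO_free(bio)
    if not cert:
        raise ValueError("cannot parse certificate: %s" % drain_errors())
    return cert

def check_signed_by(child_pem, parent_pem):
    """Return (rc, reasons): X509_verify()'s 1/0/-1 and the errors it queued."""
    ERR_clear_error()  # stale entries would otherwise be blamed on this call
    child = parent = pkey = None
    try:
        child = load_cert(child_pem)
        parent = load_cert(parent_pem)
        pkey = X509_get_pubkey(parent)  # NULL if the key type is unsupported
        # Tuple items are evaluated left to right: verify first, then read the queue.
        return (X509_verify(child, pkey) if pkey else -1), drain_errors()
    finally:
        for free, obj in ((EVP_PKEY_free, pkey), (X509_free, parent), (X509_free, child)):
            free(obj)  # both free functions accept NULL
```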