[openssl-users] troubleshooting a puzzling issue

Thierry Parmentelat thierry.parmentelat at inria.fr
Fri Jan 13 10:28:40 UTC 2017


Hey


I am facing a problem that I have narrowed down to this:

I have two certificates, one being signed by the other
the attached code is a python code that uses M2Crypto to check for that fact

and it turns out, on some boxes x509_verify() returns 1 as expected, while on some others I am getting -1


---
I apologize that I am not able to write a pure C code that would reproduce the issue (I’m afraid that me trying to achieve that would just lead to more artificial problems than be actually helpful in any way :)

the m2crypto guys tell me they are essentially just passing stuff along to openssl’s function
X509_verify
as described here
https://www.openssl.org/docs/man1.1.0/crypto/X509_verify.html

---
and this says, I quote:

X509_verify(), X509_REQ_verify() and X509_CRL_verify() return 1 if the signature is valid and 0 if the signature check fails. If the signature could not be checked at all because it was invalid or some other error occurred then -1 is returned.


So my question here is, how do I go about figuring out what ‘some other error’ might be in my case ?

I was wondering, for example, if it could just be a missing library or something along this line, as my understanding is that the range of algorithms, ciphers, and other hashes can be configured at build-time
what tools can I use to look in this direction ?

---
So far it looks like the problems happens on fedora installations, while the code behaves as expected on macos and ubuntus
I have not yet been able to assess that on a wide variety of installations yet


Thanks for any hint 




-------------- next part --------------
A non-text attachment was scrubbed...
Name: m2.py
Type: text/x-python-script
Size: 1833 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170113/323959a0/attachment.bin>
-------------- next part --------------







More information about the openssl-users mailing list