[openssl-users] troubleshooting a puzzling issue

Richard Levitte levitte at openssl.org
Fri Jan 13 15:37:18 UTC 2017

In message <41A36A7F-FF5D-4190-9178-E9FF11AFF712 at inria.fr> on Fri, 13 Jan 2017 11:28:40 +0100, Thierry Parmentelat <thierry.parmentelat at inria.fr> said:

thierry.parmentelat> I am facing a problem that I have narrowed down to this:
thierry.parmentelat> I have two certificates, one being signed by the other
thierry.parmentelat> the attached code is Python code that uses M2Crypto to check for that fact
thierry.parmentelat> and it turns out, on some boxes x509_verify() returns 1 as expected, while on some others I am getting -1
thierry.parmentelat> ---
thierry.parmentelat> I apologize that I am not able to write a pure C code that would reproduce the issue (I’m afraid that me trying to achieve that would just lead to more artificial problems than be actually helpful in any way :)
thierry.parmentelat> the m2crypto guys tell me they are essentially just passing stuff along to openssl’s function
thierry.parmentelat> X509_verify
thierry.parmentelat> as described here
thierry.parmentelat> https://www.openssl.org/docs/man1.1.0/crypto/X509_verify.html

Considering both certs in the attached script use the signature
algorithm md5WithRSAEncryption, you could get that kind of error with
an OpenSSL installation where MD5 has been disabled.  'openssl help'
will show you what's enabled, or 'openssl list -disabled' (with
OpenSSL 1.1.0) to see what's disabled.

There are other things that can give you a -1 as well...


Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
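
The check suggested in the reply above, as an added example (not part of the original message and not OpenSSL project code): it reads a certificate's signature algorithm from `openssl x509 -noout -text` output and looks for its digest in `openssl list -disabled` output. The sample texts are constructed, the function names are hypothetical, and the one-name-per-line layout of the disabled list is an assumption.

```shell
#!/usr/bin/env bash
# Added example: is the digest behind a certificate's signature algorithm
# reported as disabled by this OpenSSL build?

# Constructed sample inputs (not taken from the certificates in the thread).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=example-ca'
SAMPLE_DISABLED='Disabled algorithms:
MD2
MD5
RC5'

# Read `openssl x509 -noout -text` output on stdin and print the first
# "Signature Algorithm:" value.
cert_sigalg() {
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Map a signature algorithm name to its digest, e.g.
# md5WithRSAEncryption -> MD5, ecdsa-with-SHA256 -> SHA256.
sig_digest() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' |
        grep -oE 'MDC2|MD2|MD4|MD5|SHA(1|224|256|384|512)' | head -n 1
}

# Exit 0 if digest $1 is a whole line of the disabled list text $2.
digest_disabled() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -qx "$1"
}

# Combine the steps: $1 = certificate text, $2 = disabled list text.
diagnose() {
    local alg digest
    alg=$(printf '%s\n' "$1" | cert_sigalg)
    digest=$(sig_digest "$alg")
    if digest_disabled "$digest" "$2"; then
        echo "$alg: $digest is disabled in this build, a possible cause of the -1"
    else
        echo "$alg: digest not listed as disabled, look for another cause of the -1"
    fi
}

# With a certificate path as argument, query the local OpenSSL
# (`openssl list -disabled` needs OpenSSL 1.1.0, as noted in the reply).
if [ $# -ge 1 ]; then
    diagnose "$(openssl x509 -noout -text -in "$1")" "$(openssl list -disabled)"
fi
```

Running it on each box that returns -1 and on one that returns 1 shows whether the two builds differ in MD5 support.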
