[openssl-users] Problem with x509_verify_certificate

Ken OpenSSL at k-h.us
Sun Nov 18 01:57:40 UTC 2018

I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP), 
which uses x509_verify_certificate to check the validity of a 
certificate on a RDP server.

Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips 26 Sep 
2016") everything works great.

But, when I upgrade to openSUSE Leap 15.0 (which uses openssl version 
"1.1.0i-fips  14 Aug 2018") I get an error when connecting to servers 
that use publicly-signed certificates:

Certificate details:
         Subject: OU = Domain Control Validated, CN = owa.xxxxx.com
         Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield 
Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN 
= Starfield Secure Certificate Authority - G2
The above X.509 certificate could not be verified, possibly because you 
do not have
the CA certificate in your certificate store, or the certificate has 
Please look at the OpenSSL documentation on how to add a private CA to 
the store.
Do you trust the above certificate? (Y/T/N)

On both versions, strace shows is it checking for 
/var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the 
correct CA) - but with openssl version "1.1.0i-fips  14 Aug 2018", it 
never opens that file. (With openssl version "1.0.2j-fips 26 Sep 2016", 
it does open/read that file, which it seems like it work need to, in 
order to find out if it matches the certificate.)

Any idea what changed? (Or, better question, what needs to be changed to 
make this application work again?)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181117/240f0d69/attachment-0001.html>

More information about the openssl-users mailing list