[openssl-users] Problem with x509_verify_certificate

Viktor Dukhovni openssl-users at dukhovni.org
Sun Nov 18 05:54:46 UTC 2018


I would suggest running "c_rehash" on the directory, making sure it is
the c_rehash for OpenSSL 1.1.x, and not some other version.

> On Nov 17, 2018, at 8:57 PM, Ken <OpenSSL at k-h.us> wrote:
> 
> On both versions, strace shows it is checking for /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the correct CA) - but with openssl version "1.1.0i-fips  14 Aug 2018", it never opens that file. (With openssl version "1.0.2j-fips  26 Sep 2016", it does open/read that file, which it seems like it would need to, in order to find out if it matches the certificate.)
> 
> Any idea what changed? (Or, better question, what needs to be changed to make this application work again?)

The way that DN hashes are computed changed from 0.9.8 to 1.0.0, but IIRC then
remained stable, so I would not expect a change between 1.0.2 and 1.1.0.

It is difficult to offer more help without copies of the certificates in question.

The main change between 1.1.0 and 1.0.2 is that "trusted_first" is now
the default behaviour and cannot be changed.  This means that intermediate
certificates supplied with the peer chain are used only when no issuer is
present in the trust store.  This can lead to a different chain being
computed in some cases.

-- 
	Viktor.
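To check a CApath directory against both hashing schemes discussed above, here is an added example (not from the thread and not OpenSSL's own c_rehash); it assumes the openssl(1) binary is on PATH and the `<hash>.N` layout that c_rehash produces:

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenSSL CApath directory.
# Each certificate must be reachable through a "<subject_hash>.N" entry,
# and the hash must be the 1.0.0+ scheme (-subject_hash), not the
# 0.9.8-era scheme (-subject_hash_old) that an old c_rehash would produce.
# Assumes openssl(1) on PATH and the layout c_rehash creates (symlinks or
# files named <hash>.0, <hash>.1, ...).

subject_hash()     { openssl x509 -noout -subject_hash     -in "$1" 2>/dev/null; }
subject_hash_old() { openssl x509 -noout -subject_hash_old -in "$1" 2>/dev/null; }

# Does any "<hash>.N" entry in $dir resolve to a certificate with that hash?
has_hash_entry() {
    dir=$1 hash=$2
    for f in "$dir/$hash".[0-9]*; do
        [ -e "$f" ] && [ "$(subject_hash "$f")" = "$hash" ] && return 0
    done
    return 1
}

# Classify one certificate: OK, OLDHASH (directory hashed by a pre-1.0
# c_rehash) or MISSING (no entry at all; rerun the 1.1.x c_rehash).
# Returns 2 for files that are not certificates (keys, README, ...).
classify_cert() {
    dir=$1 cert=$2
    h=$(subject_hash "$cert") || return 2
    [ -n "$h" ] || return 2
    if has_hash_entry "$dir" "$h"; then echo OK
    elif [ -e "$dir/$(subject_hash_old "$cert").0" ]; then echo OLDHASH
    else echo MISSING
    fi
}

# Walk the directory; exit 1 if anything is not OK, so it works in scripts.
check_capath() {
    dir=$1 rc=0
    for cert in "$dir"/*; do
        [ -f "$cert" ] || continue
        status=$(classify_cert "$dir" "$cert") || continue
        printf '%-8s %s\n' "$status" "$cert"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}
```

Run `check_capath /var/lib/ca-certificates/openssl` (or whatever CApath the application uses); an OLDHASH line means the directory was hashed with a 0.9.8-era tool, and a MISSING line means the CA is present but not linked under any hash name.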
