[openssl-users] Problem with x509_verify_certificate

Viktor Dukhovni openssl-users at dukhovni.org
Mon Nov 19 06:23:37 UTC 2018

> On Nov 19, 2018, at 1:15 AM, Ken <OpenSSL at k-h.us> wrote:
> There are no stale intermediate certificates on my computer.

The evidence suggests otherwise.

> Also, strace shows that it is looking for the correct CA certificate
> (/var/lib/ca-certificates/openssl/4bfab552.0), and being told that it
> exists - but with the newer version of openssl, it never tries to open
> the CA certificate (the older version does).

The newer code uses a "trusted first" policy, which means that the
intermediate certificate comes from the trust store, not the peer.
When it fails to validate (as reported, the failure is verifying
the issuer, not the leaf certificate) one can reasonably conclude that
there's something wrong with an intermediate issuer certificate in
the trust store.

You can check by creating a new file that contains just
the expected root CA and nothing else, and setting CAfile to
that, and CApath to an empty directory.  Please report the results.
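
The isolation check described in the message above, as an added example that is not part of the original post or of OpenSSL's own code. It assumes the `openssl verify` command-line tool rather than the application discussed in the thread; the function names `verify_isolated` and `make_demo_pki` and the sample PKI are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: trust exactly one root and nothing else, then verify.

# verify_isolated ROOT.pem LEAF.pem [CHAIN.pem]
# Trusts only the first certificate in ROOT.pem: CAfile is a fresh one-certificate
# file and CApath is an empty directory, so no other store entry can be selected.
# CHAIN.pem stands in for the intermediates the peer would send (untrusted).
verify_isolated() (
    root=$1 leaf=$2 chain=${3:-}
    work=$(mktemp -d) || exit 2
    mkdir "$work/empty"
    openssl x509 -in "$root" -out "$work/root-only.pem" || { rm -rf "$work"; exit 2; }
    # The subject hash is the NAME of the NAME.0 file a CApath lookup asks for,
    # which can be compared with the path seen in strace output.
    echo "root subject hash: $(openssl x509 -in "$root" -noout -subject_hash)"
    openssl verify -CAfile "$work/root-only.pem" -CApath "$work/empty" \
        ${chain:+-untrusted "$chain"} "$leaf"
    rc=$?
    rm -rf "$work"
    exit "$rc"
)

# Constructed sample PKI in directory $1: root -> intermediate -> leaf, plus an
# unrelated root. Relies on the stock openssl.cnf marking `req -x509` output as a CA.
make_demo_pki() (
    cd "$1" || exit 2
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for ca in root other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $ca CA" \
            -keyout "$ca.key" -out "$ca.pem" 2>/dev/null || exit 2
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout int.key -out int.csr 2>/dev/null || exit 2
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.ext -out int.pem 2>/dev/null || exit 2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout leaf.key -out leaf.csr 2>/dev/null || exit 2
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out leaf.pem 2>/dev/null || exit 2
)
```

If `verify_isolated` succeeds for a chain that fails against the system store, the difference lies in what else that store contains.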

