issue with X509_issuer_and_serial_hash returning different values under OpenSSL 3

Viktor Dukhovni openssl-users at
Wed Mar 8 17:14:16 UTC 2023

On Wed, Mar 08, 2023 at 11:36:37AM +0000, Matt Caswell wrote:

> IIRC, I think the format of the output from X509_NAME_oneline may have 
> changed subtly from 1.0.2 to 3.0 (although I don't think it did between 
> 1.1.1 and 3.0??).

Correct, the hash computation changed between 1.0.2 and 1.1.0 and not since.
I get the same hashes for all 137 CA certs in the FreeBSD cert bundle
using either 1.1.1t or 3.2-dev.  There should be no changes between
1.1.1 and 3.0.

If there is a certificate that shows different output for:

    $ /openssl-1.1.1-path/bin/openssl x509 -noout -subject_hash -in certfile.pem
    $ /openssl-3.0-path/bin/openssl x509 -noout -subject_hash -in certfile.pem

the OP is invited to post the certificate in question.


More information about the openssl-users mailing list