issue with X509_issuer_and_serial_hash returning different values under OpenSSL 3
openssl-users at dukhovni.org
Wed Mar 8 17:14:16 UTC 2023
On Wed, Mar 08, 2023 at 11:36:37AM +0000, Matt Caswell wrote:
> IIRC, I think the format of the output from X509_NAME_oneline may have
> changed subtly from 1.0.2 to 3.0 (although I don't think it did between
> 1.1.1 and 3.0??).
Correct, the hash computation changed between 1.0.2 and 1.1.0 and not since.
I get the same hashes for all 137 CA certs in the FreeBSD cert bundle
using either 1.1.1t or 3.2-dev. There should be no changes between
1.1.1 and 3.0.
If there is a certificate that shows different output for:
$ /openssl-1.1.1-path/bin/openssl x509 -noout -subject_hash -in certfile.pem
$ /openssl-3.0-path/bin/openssl x509 -noout -subject_hash -in certfile.pem
the OP is invited to post the certificate in question.
More information about the openssl-users