Ignore this error in your verification callback function the same way the
function 'cb' of apps/verify.c does.


Dror

> Hi SSL gurus,
> 
>    I'm running into a problem with the OpenSSL 0.9.5a
> library which we're using in one of our products. When
> it tries to verify a particular chain of certificates,
> it seems to return the X509_V_ERR_INVALID_CA error for
> what appears to me to be no good reason at all...
> 
>    The chain in question consists of three certs, and
> the verification is failing on the second one. I stepped
> through the code to find out why, and I found the
> following code in v3_purp.c:
> 
> static int check_purpose_ssl_client(X509_PURPOSE *xp, X509 *x, int ca)
> {
>  if(xku_reject(x,XKU_SSL_CLIENT)) return 0;
>  if(ca) {
>   int ca_ret;
>        ....
> 
> 
> and shortly after:
> 
> static int check_purpose_ssl_server(X509_PURPOSE *xp, X509 *x, int ca)
> {
>  if(xku_reject(x,XKU_SSL_SERVER|XKU_SGC)) return 0;
>  /* Otherwise same as SSL client for a CA */
>  if(ca) return check_purpose_ssl_client(xp, x, 1);
>       .....
> 
> When checking this certificate, it calls 'check_purpose_ssl_server',
> and since 'ca' is non-zero (the certificate is used to sign another
> certificate) this function hands off to 'check_purpose_ssl_client',
> which then rejects the certificate because the XKU_SSL_CLIENT flag is
> not set in the X509 structure. This flag only appears to be set in the
> case that there's a 'NID_client_auth' ASN1 object in the certificate's
> Extended Key Usage field.
> 
> So, is OpenSSL doing the wrong thing? Or is it my understanding
> that's inaccurate?
> 
> I notice that this code has been changed in OpenSSL 0.9.6 - there is a
> new 'check_ssl_ca' function which is called by both
> 'check_purpose_ssl_client' and 'check_purpose_ssl_server', and now the
> code path from 'check_purpose_ssl_server' doesn't test for the
> XKU_SSL_CLIENT flag.
> 
> So, what should we do?
> 
>   - Should we upgrade to 0.9.6? This would be quite a bit of work
>     since we've made a few changes to get it to work in our
>     application, but would obviously be a good idea in the long
>     term.
> 
>   - As a temporary measure, can we extract the new check_purpose_*
>     stuff from 0.9.6 and put it into our existing version? I tried
>     this fix and it solved the problem, but I'd rather not put it into
>     production code without some sort of reassurance that I haven't
>     missed any subtleties.
> 
>   - Or should I give up & hand the whole thing over to someone who
>     actually knows what he's doing?
> 
> Thanks for your time,
> 
> Mike
> -- 
> Michael Playle, Software Engineer, ANT Ltd.
> phone +44 1223 716418 - fax +44 1223 716401
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 
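To make the failure Mike stepped through concrete, here is an added example written for this thread; it is model code, not OpenSSL's source. It decodes an Extended Key Usage DER value, derives the ex_xkusage bit set the way OpenSSL does (the XKU_* values and X509_V_ERR_INVALID_CA = 24 are OpenSSL's real constants), and then runs the 0.9.5a and 0.9.6 versions of the 'sslserver' CA purpose check on it, so the extra XKU_SSL_CLIENT test is visible. The EKU bytes are constructed, both check functions are simplified (check_ca()'s basicConstraints and keyUsage tests are left out), and verify_cb is a hypothetical function that models only the decision part of the cb() in apps/verify.c: log every failure, continue only for the listed error codes.

```python
"""Model of the OpenSSL 0.9.5a vs 0.9.6 'sslserver' CA purpose check.

Added example for this thread, not OpenSSL's own code. The EKU sample
values are constructed; the check functions are simplified models.
"""

# XKU_* bit values as defined in OpenSSL's x509v3.h
XKU_SSL_SERVER, XKU_SSL_CLIENT, XKU_SMIME, XKU_CODE_SIGN, XKU_SGC = 0x1, 0x2, 0x4, 0x8, 0x10

# Real EKU OIDs that OpenSSL maps to XKU_* bits
XKU_BY_OID = {
    "1.3.6.1.5.5.7.3.1": XKU_SSL_SERVER,       # serverAuth
    "1.3.6.1.5.5.7.3.2": XKU_SSL_CLIENT,       # clientAuth
    "1.3.6.1.5.5.7.3.3": XKU_CODE_SIGN,        # codeSigning
    "1.3.6.1.5.5.7.3.4": XKU_SMIME,            # emailProtection
    "2.16.840.1.113730.4.1": XKU_SGC,          # Netscape server-gated crypto
    "1.3.6.1.4.1.311.10.3.3": XKU_SGC,         # Microsoft server-gated crypto
}

X509_V_ERR_INVALID_CA = 24  # value from OpenSSL's x509_vfy.h


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length DER TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OID contents octets into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit marks continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Decode ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId into OID strings."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId is not an OBJECT IDENTIFIER")
        oids.append(_decode_oid(value))
    return oids


def xku_flags(eku_der):
    """Return the ex_xkusage bit set, or None when the certificate has no EKU."""
    if eku_der is None:
        return None
    flags = 0
    for oid in decode_eku(eku_der):
        flags |= XKU_BY_OID.get(oid, 0)     # unknown purposes set no bit
    return flags


def xku_reject(flags, usage):
    """OpenSSL's xku_reject(): reject only if an EKU exists and lacks every requested usage."""
    return flags is not None and not (flags & usage)


def ssl_server_ca_ok_0_9_5a(flags):
    """0.9.5a path: check_purpose_ssl_server hands a CA to check_purpose_ssl_client."""
    if xku_reject(flags, XKU_SSL_SERVER | XKU_SGC):
        return False
    if xku_reject(flags, XKU_SSL_CLIENT):   # the re-test Mike hit: CA needs clientAuth too
        return False
    return True                             # check_ca() tests omitted in this model


def ssl_server_ca_ok_0_9_6(flags):
    """0.9.6 path: check_ssl_ca() is shared and never looks at XKU_SSL_CLIENT."""
    if xku_reject(flags, XKU_SSL_SERVER | XKU_SGC):
        return False
    return True                             # check_ca() tests omitted in this model


def verify_cb(ok, err, depth, overridable=(X509_V_ERR_INVALID_CA,), log=None):
    """Hypothetical decision logic of a verify callback in the style of apps/verify.c's cb():
    every failure is recorded, and only the listed error codes let verification continue."""
    if ok:
        return True
    if log is not None:
        log.append((depth, err))
    return err in overridable


# Constructed sample: EKU = { serverAuth, nsSGC } as an intermediate CA might carry
SERVER_ONLY_EKU = bytes.fromhex("3015" "06082b06010505070301" "060960864801 86f842 0401".replace(" ", ""))
# Constructed sample: the same EKU with clientAuth added
SERVER_AND_CLIENT_EKU = bytes.fromhex("301f" "06082b06010505070301" "06082b06010505070302"
                                      "060960864801 86f842 0401".replace(" ", ""))

if __name__ == "__main__":
    for name, der in (("serverAuth+SGC", SERVER_ONLY_EKU), ("+clientAuth", SERVER_AND_CLIENT_EKU), ("no EKU", None)):
        f = xku_flags(der)
        print(f"{name:15} 0.9.5a ok={ssl_server_ca_ok_0_9_5a(f)}  0.9.6 ok={ssl_server_ca_ok_0_9_6(f)}")
```

The callback override is deliberately narrow: it continues only for the one error code being worked around, and it keeps a record of what was overridden at which depth, so the workaround can be removed once the library is upgraded.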

