On Thu, Mar 04, 2004, Caines, Max wrote:

> Hi,
>
> I haven't used this software before, but I've checked the FAQ and I can't see
> anything relevant. I'm using OpenSSL 0.9.7c with a Web mail application, Prayer
> (University of Cambridge). I've obtained and installed a server certificate from an
> external CA (GlobalSign in Belgium). I've installed all the certificates in their
> chain (root CA plus two intermediate) in the OpenSSL store and created links using
> the hash code as described in the documentation. They all verify OK. However, when I
> test the server certificate using:
>
> openssl verify -verbose -CApath /usr/local/ssl/certs /home/ccent/in1012/wlv_ac_uk.pem
>
> about 50% of the time it replies:
>
> /home/ccent/in1012/wlv_ac_uk.pem: OK
>
> and the other 50% it says:
>
> /home/ccent/in1012/wlv_ac_uk.pem: /C=BE/O=GlobalSign nv-sa/OU=ServerSign
> CA/CN=GlobalSign ServerSign CA
> error 7 at 1 depth lookup:certificate signature failure
> 29838:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not
> 01:rsa_pk1.c:100:
> 29838:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check
> failed:rsa_eay.c:580:
> 29838:error:0D089006:asn1 encoding routines:ASN1_verify:EVP lib:a_verify.c:162:
>
> I've found references to this in the mailing list, but only for old versions of
> OpenSSL. Any ideas how I can fix this?
>
That's odd. Does OpenSSL pass 'make test' OK on that platform?

Have you tried this on a different platform with the same results?

If yes to both can you post or send me the certificates that do this?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
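An added example, not part of either message above: one way to tell whether an intermittent `openssl verify` result follows the certificates or the OpenSSL build is to repeat the same `-CApath` verification on a constructed chain of the same shape (root plus two intermediates) and count the outcomes. All subject names, file names and the helper functions are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: constructed chain (root + two intermediates + server cert).
# All subject names and file names below are made up for the demonstration.
set -eu

build_chain() {                      # $1 = work directory
  d=$1; mkdir -p "$d/certs"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
    'CN=placeholder' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/o.cnf"
  for n in root int1 int2 leaf; do
    openssl genrsa -out "$d/$n.key" 2048 2>/dev/null
  done
  openssl req -x509 -new -config "$d/o.cnf" -extensions ca -key "$d/root.key" \
    -subj "/CN=Constructed Root CA" -days 2 -out "$d/root.pem"
  issuer=root
  for n in int1 int2 leaf; do
    openssl req -new -config "$d/o.cnf" -key "$d/$n.key" \
      -subj "/CN=Constructed $n" -out "$d/$n.csr"
    # CA certificates need basicConstraints; the server certificate does not.
    if [ "$n" = leaf ]; then ext=""; else ext="-extfile $d/o.cnf -extensions ca"; fi
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$issuer.pem" \
      -CAkey "$d/$issuer.key" -CAcreateserial -days 2 $ext \
      -out "$d/$n.pem" 2>/dev/null
    issuer=$n
  done
}

link_capath() {                      # $1 = work directory
  d=$1
  for n in root int1 int2; do        # <subject hash>.<n> links, as -CApath expects
    h=$(openssl x509 -hash -noout -in "$d/$n.pem")
    i=0; while [ -e "$d/certs/$h.$i" ]; do i=$((i + 1)); done
    ln -s "../$n.pem" "$d/certs/$h.$i"
  done
}

verify_repeat() {                    # $1 = work directory, $2 = runs; prints "<ok> <failed>"
  d=$1; ok=0; bad=0; i=0
  while [ "$i" -lt "$2" ]; do
    if openssl verify -CApath "$d/certs" "$d/leaf.pem" 2>&1 | grep -q ': OK$'
    then ok=$((ok + 1)); else bad=$((bad + 1)); fi
    i=$((i + 1))
  done
  echo "$ok $bad"
}

work=$(mktemp -d)
build_chain "$work"; link_capath "$work"
result=$(verify_repeat "$work" 20)
echo "ok/failed over 20 runs: $result"
```

Signature verification is deterministic, so the counts should be all-or-nothing on any one machine; a mixed result on a known-good constructed chain would point at the build or platform rather than at the certificates under test.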