Till Elsner wrote:
>
> On 26.05.2008 at 13:13, Lutz Jaenicke wrote:
>
>> Till Elsner wrote:
>>> Ok, after verifying what platform I'm actually compiling for, it's
>>> definitely little-endian (Linksys WRT54G running on Broadcom BCM4712).
>>> So what else could be the problem here?
>>>
>>> On 24.05.2008 at 22:23, Lutz Jänicke wrote:
>>>> I am not aware of any specific problems of OpenSSL on MIPS platforms.
>>>> As long as OpenSSL is configured correctly (big or little endian)
>>>> everything should work just out of the box.
>> As I already wrote: I am not aware of any specific problems in MIPS.
>> Having said this, your problem report does not really help much in
>> tracking down the problem. It reads: Hey, it fails, what might be wrong?
>> Without any more details we cannot help you. What exactly happens? Does
>> your application crash?
>> When verifying certificates, against which CAs? Is your filesystem
>> layout containing the CA certificates the same?
>
> Ok, I see this was really not very detailed and not very helpful for
> finding a solution. So what happens is the following:
> I have a self-signed certificate used as CA and some certificates
> signed by this CA. Checking the signature with OpenSSL on the command
> line verifies the certificates correctly. Now in the software I've
> built, the certificates get verified against my CA using
> X509_verify_cert (which should work quite similar to what OpenSSL does
> on the command line, I think). Now when I run the program on standard
> Linux desktop machines (tried on Debian distros), everything works
> fine, the certificates get verified just like they should. But when I
> compile the program for a router and run it there, it also starts, but
> the verification of the certificates fails. No crashes, no error
> messages saying something is wrong with OpenSSL, just the failing
> verification. The router is a Linksys WRT54G running OpenWRT 7.09.
If your application is using X509_verify_cert() it uses an X509_STORE_CTX
that must be initialized with the certificates to verify against and can
be initialized with a verification callback function that is fed with
the error codes and finally decides about whether a certificate is
accepted or not.
Unfortunately there is no manual page for X509_verify_cert(), but it is
the same function that is used internally for SSL certificate
verification and the behaviour and the callback function are described
in the SSL_CTX_set_verify() manpage.
A good source of information might be ssl/ssl_cert.c:ssl_verify_cert_chain().

Best regards,
    Lutz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]