Any idea? This problem has existed since 2003 and no one has found an answer - this is unbelievable.

2009/10/26 Daniel Marschall <i...@daniel-marschall.de>:
> 2009/10/25, Dr. Stephen Henson <st...@openssl.org>:
>> On Sun, Oct 25, 2009, Daniel Marschall wrote:
>>
>> > Hello.
>> >
>> > I have a problem with verification of certificates.
>> >
>> > My command line is:
>> >
>> > openssl verify -verbose -issuer_checks -crl_check_all -CAfile
>> > tmp_cachain.pem daniel-marschall.crt
>> >
>>
>> Do you get an error without -issuer_checks? As the manual indicates, that is a
>> debugging option that logs the verification process, and for perfectly valid
>> chains you will get notifications of mismatches as candidate certificates are
>> discarded.
>
>
> Hello.
>
> Thank you for your answer.
>
> Yes, without that flag, the certificate is valid ("OK"). I know that
> the issuer-name-errors are actually not really errors, but warnings.
> But I want to have a script which checks the certificate for
> absolute correctness, so I also want to check if the issuer names
> are matching (without any manual checking). But because of this bug,
> first noticed in 2003, the strings of CRL issuer and Cert-PEM issuer
> are not equal because OpenSSL adds a whitespace before /C= in the
> issuer name of the Cert-PEM. I wonder how to solve this bug. It was
> found in 2003 or earlier and my 2006/2008 versions also included
> the same bug. Is it really still not fixed, or am I wrong?
>
> If you want, you can check my personal CRT/CRLs to validate the bug
> (links in the initial mail). In both OpenSSL versions I use (0.9.8c and
> 0.9.8h) the whitespace is added.
>
> But maybe my Root CA is wrong instead? Maybe my certificates are
> 'special' ;-) I cannot say because I only trust the "-issuer -noout"
> output at the moment. The Root CA was also created with OpenSSL 0.9.8c
> and in my CSR there was no whitespace before /C= (I made the request
> via the parameters -batch and -subj '/C=DE/L=...' and not via manual
> input)
>
> CRT: http://www.viathinksoft.de/ca/crt/root.crt (issuer name has
> whitespace before first "/")
> CRL: http://www.viathinksoft.de/ca/crl/root.crl (issuer name is OK)
>
> Do you know what's the reason (issuer-detection/verify or RootCA
> fault?) for the bug and a workaround?
>
> Regards
> Daniel Marschall
>
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-us...@openssl.org
>> Automated List Manager majord...@openssl.org
>>
>
>
> --
> Daniel Marschall
> www.daniel-marschall.de
> +49 6223 488840
>

--
Daniel Marschall
www.daniel-marschall.de
+49 6223 488840
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
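
A scripted issuer check of the kind the message asks for, as an added example that is not part of the original thread or of the OpenSSL project: it compares the certificate's issuer with the CRL's issuer by name hash (`openssl x509 -issuer_hash`, `openssl crl -hash`) instead of by the text that `-issuer` prints. The helper `make_demo_ca`, its config file and the subject names are constructed here so the script runs offline.

```shell
#!/bin/sh
# issuer_matches CERT CRL: exit status 0 when the certificate's issuer name
# and the CRL's issuer name hash to the same value, 1 when they differ,
# 2 when either file cannot be parsed.
issuer_matches() {
    cert_hash=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    crl_hash=$(openssl crl -in "$2" -noout -hash) || return 2
    [ "$cert_hash" = "$crl_hash" ]
}

# make_demo_ca DIR SUBJECT: hypothetical helper that builds a constructed,
# throwaway self-signed CA in DIR and an empty CRL signed by it.
make_demo_ca() {
    mkdir -p "$1" || return 1
    : > "$1/index.txt" || return 1
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
default_md = sha256
default_crl_days = 30
EOF
    openssl req -config "$1/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl ca -config "$1/ca.cnf" -gencrl -keyfile "$1/ca.key" \
        -cert "$1/ca.crt" -out "$1/ca.crl" 2>/dev/null
}

# Demo on constructed data: CA "A" against its own CRL and against CA "B"'s CRL.
demo() {
    work=$(mktemp -d) || return 1
    make_demo_ca "$work/a" "/C=DE/L=Example/CN=Constructed Root A" || return 1
    make_demo_ca "$work/b" "/C=DE/L=Example/CN=Constructed Root B" || return 1
    issuer_matches "$work/a/ca.crt" "$work/a/ca.crl" && same=match || same=mismatch
    issuer_matches "$work/a/ca.crt" "$work/b/ca.crl" && other=match || other=mismatch
    rm -rf "$work"
    echo "own CRL: $same, other CA's CRL: $other"
}
demo
```
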