On Tue, Oct 27, 2009, Daniel Marschall wrote:

> Any idea? This problem exists since 2003 and no one found an answer -
> this is unbelievable.
>
> > Yes, without that flag, the certificate is valid ("OK"). I know, that
> > the issuer-name-errors are actually not really errors, but warnings.
> > But I want to have a script which checks the certificate for
> > absolute correctness, so I also want to check if the issuer names
> > are matching (without any manual checking). But because of this bug,
> > firstly noticed 2003, the strings of CRL issuer and Cert-PEM issuer
> > are not equal because OpenSSL adds a whitespace before /C= in the
> > issuer name of the Cert-PEM. I wonder how to solve this bug. It was
> > found in 2003 or earlier and my 2006/2008 versions did also include
> > the same bug. Is it really not fixed until yet or am I wrong?

They are not even warnings. They are notifications of how the verification process is proceeding; it is quite normal for a chain that is perfectly valid in every way to output those notifications.

The textual output of the utilities was intended to be a human readable string only and not used for actual comparison. That "traditional" format is only retained for compatibility and can produce both false positives and negatives. Some other versions such as the "oneline" form are better but still don't match the internal name comparison.

The actual name matching while important is nowhere near as important as the cryptographic signature tests.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
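
A scripted check along the lines of the reply above, as an added example that is not part of the original thread or of OpenSSL itself: it compares the issuer-name hashes that `openssl x509 -issuer_hash` and `openssl crl -hash` derive from the encoded names instead of string-matching the printed names, then checks the CRL signature against the issuer certificate. The function names and the three-argument command line are assumptions; the hash is a short lookup value, so a match is a necessary condition and the signature check is the one that counts.

```shell
#!/bin/sh
# Added example (not from the thread). Compares a certificate's issuer with a
# CRL's issuer without string-matching the human-readable name output.

# Hash of the certificate's issuer name (PEM input).
cert_issuer_hash() {
    openssl x509 -in "$1" -noout -issuer_hash
}

# Hash of the CRL's issuer name (PEM input).
crl_issuer_hash() {
    openssl crl -in "$1" -noout -hash
}

# issuer_matches CERT CRL
# Returns 0 if both issuer-name hashes agree, 1 if they differ,
# 2 if either file could not be parsed.
issuer_matches() {
    cert_hash=$(cert_issuer_hash "$1" 2>/dev/null) || return 2
    crl_hash=$(crl_issuer_hash "$2" 2>/dev/null) || return 2
    [ -n "$cert_hash" ] || return 2
    [ "$cert_hash" = "$crl_hash" ]
}

# crl_signed_by CRL ISSUER_CERT
# Returns 0 only if the CRL signature verifies under the issuer certificate's
# public key. The crl utility reports the result as a status line, so that
# line is checked rather than the exit code.
crl_signed_by() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q '^verify OK'
}

# Command-line use (hypothetical file arguments): CERT CRL ISSUER_CERT
if [ "$#" -eq 3 ]; then
    issuer_matches "$1" "$2" || { echo "issuer name mismatch"; exit 1; }
    crl_signed_by "$2" "$3" || { echo "CRL signature not verified"; exit 1; }
    echo "issuer name and CRL signature OK"
fi
```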