We are having trouble using openssl's certificate checking to validate certain certificates where certificates in the chain are inconsistent in their choice of string encoding.
Using e.g. openssl-0.9.8e-12.el5, the connection in the accompanying certificate chain (intermediate cert and final cert only attached) will never be made by openssl. I think that this is because the intermediate cert has issuer "Government of Korea" (utf8, type 12) but the root cert is subject "Government of Korea" (printable, type 19), so it doesn't see this intermediate cert as signed by this issuing cert due to the names not matching (although they do match semantically, as it were); openssl looks for the wrong hash value in the CAdir and, even if I fake up a symlink in the CAdir to the right root cert, it doesn't use it.

Internet Explorer accepts the same certificate chain, and presumably that is how it is in use in the field (Korea is known for being quite IE-centric, or at least it used to be). I have seen this problem on another private/governmental CA before but the problem was fixed before I got around to looking for solutions.

Have I diagnosed the problem correctly? Is this behaviour by openssl correct or incorrect, likely to change, or is it possible to make it work at the application level?

(CC replies to me as I am not on the list)

--
Colin Phipps c...@netcraft.com
Issuer: C=KR, O=Government of Korea, OU=GPKI, CN=GPKIRootCA
Not Before: Mar 15 06:00:04 2007 GMT
Not After : Mar 15 06:00:04 2017 GMT
Subject: C=KR, O=Government of Korea, OU=GPKI, CN=GPKIRootCA

Issuer: C=KR, O=Government of Korea, OU=GPKI, CN=GPKIRootCA
Not Before: Jun 9 14:09:21 2008 GMT
Not After : Jun 9 14:09:21 2018 GMT
Subject: C=KR, O=Government of Korea, OU=GPKI, CN=CA134040001
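
Added illustration, not part of the original message and not OpenSSL code: the Python sketch below re-encodes the DN shown above once with PrintableString (type 19) and once with UTF8String (type 12) values. It shows that the two encodings differ byte for byte, so a key hashed over the raw encoding differs too, while the decoded attribute values are equal. The helper names, the SHA-1 based `lookup_key` and the simplified `same_name` comparison are assumptions made for the example.

```python
import hashlib

PRINTABLE, UTF8 = 0x13, 0x0C  # ASN.1 string tags 19 and 12, as cited in the message
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
        "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
# Constructed sample: the DN text shown on the page, re-encoded here.
DN = [("C", "KR"), ("O", "Government of Korea"), ("OU", "GPKI"), ("CN", "GPKIRootCA")]

def tlv(tag, body):
    if len(body) > 127:
        raise ValueError("sketch handles short-form DER lengths only")
    return bytes([tag, len(body)]) + body

def encode_name(dn, string_tag):
    """DER Name; C stays PrintableString, other attributes use string_tag."""
    rdns = b""
    for key, text in dn:
        tag = PRINTABLE if key == "C" else string_tag
        atv = tlv(0x30, tlv(0x06, OIDS[key]) + tlv(tag, text.encode("utf-8")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

def read_tlvs(buf):
    """Split buf into its top-level (tag, body) pairs."""
    items, i = [], 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        if length & 0x80:
            raise ValueError("sketch handles short-form DER lengths only")
        items.append((tag, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return items

def decode_name(der):
    """Return [(oid, string_tag, text)] for every attribute in a DER Name."""
    attrs = []
    for _, rdn in read_tlvs(read_tlvs(der)[0][1]):
        for _, atv in read_tlvs(rdn):
            (_, oid), (stag, value) = read_tlvs(atv)
            attrs.append((oid, stag, value.decode("utf-8")))
    return attrs

def lookup_key(der):
    """Illustrative directory key hashed over the raw encoding (not OpenSSL's routine)."""
    return hashlib.sha1(der).hexdigest()[:8]

def same_name(a, b):
    """Simplified semantic match: ignore string type, case and extra spaces."""
    norm = lambda n: [(o, " ".join(t.split()).lower()) for o, _, t in decode_name(n)]
    return norm(a) == norm(b)

root_subject = encode_name(DN, PRINTABLE)   # string types as in the root certificate
inter_issuer = encode_name(DN, UTF8)        # string types as in the intermediate certificate
```

Comparing `root_subject` with `inter_issuer` directly, or by `lookup_key`, reports a mismatch; `same_name` reports a match because it compares decoded values only.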