Hi, I used to work with openssl-0.9.7, and all my certificates were generated by openssl-0.9.8. Openssl-0.9.7 works great with openssl-0.9.8's certificates, I never had issues in parsing, verification, ...... Recently I upgraded my application with openssl-1.0.0, I found that none of old openssl-0.9.8 certificates can be decoded properly. My application code calls API d2i_X509() to convert a DER (or PEM) certificate to a X509 structure, following is the error output:
Oct 24 15:28:22.297 ASN1_item_d2i: entering Oct 24 15:28:22.297 ASN1_item_d2i: pval is NULL Oct 24 15:28:22.297 ASN1_item_ex_d2i: entering Oct 24 15:28:22.297 ASN1_item_ex_d2i: ASN1_ITYPE_SEQUENCE Oct 24 15:28:22.298 asn1_check_tlen: pclass=0, ptag=0 Oct 24 15:28:22.298 asn1_check_tlen: ASN1_R_WRONG_TAG Oct 24 15:28:22.298 ASN1_item_ex_d2i: ERR_R_NESTED_ASN1_ERROR Oct 24 15:28:22.298 CertVerify:: cannot convert the DER cert to X509 The problem certificate is attached. (This specific certificate was actually generated by openssl-1.0.0. All my openssl-0.9.8 certificates were having the same issue). I ran the following commands on this certificate, no command indicated error on the certificate: /usr/local/bin/openssl x509 -noout -text -in ssClient100.cert /usr/local/bin/openssl asn1parse -in ssClient100.cert /usr/local/bin/openssl x509 -noout -modulus -in ssClient100.cert /usr/local/bin/openssl rsa -noout -modulus -in ssClientKey100.pem I have been struggling with this error for several days. Your help is greatly appreciated. Thanks Nan
ssClient100.cert
Description: Binary data
