On Wed, Jun 26, 2013 at 05:29:52PM +0200, Marios Makassikis wrote:
> >> By enabling debug information in the program, I was able to obtain
> >> these error messages:
> >>
> >> pppd[2236]: EAP-TLS SSL error stack:
> >> pppd[2236]: error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib
> >>
> >> and
> >>
> >> err: 7 (certificate signature failure)

The error "certificate signature failure" happens only when the
public key of an issuer certificate in the chain does not generate
a matching signature for its child certificate. Either the trust
store (CAfile, CApath, ...) certificates are not identical in the
two test cases, or one of the two parties sends a different chain,
or the handshake is somehow corrupted.

    crypto/x509/x509_vfy.c:
        internal_verify():
            ...
            else if (X509_verify(xs,pkey) <= 0)
                {
                ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;

Look closely with Wireshark at the chains captured on the machine
where the error is detected. Are the peer certificate chains the
same in every detail between the two library versions?
Are both cases using compression? Any other differences?
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List
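The chain comparison suggested in the message above, as an added example that is not part of the original post and is not OpenSSL code: it splits each DER certificate into its three top-level parts and reports, per chain position, which part differs between two captures. All function names are hypothetical, and the sample "certificates" are constructed DER stand-ins rather than real X.509 certificates; in practice the inputs would be the certificate bytes taken from each capture.

```python
# Added example: position-by-position comparison of two captured chains.
# Names are hypothetical; the samples are constructed DER stand-ins, not real certs.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def split_cert(der):
    """Split Certificate ::= SEQUENCE {tbsCertificate, signatureAlgorithm, signatureValue}."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not exactly one DER SEQUENCE")
    parts, pos = {}, 0
    for name in ("tbsCertificate", "signatureAlgorithm", "signatureValue"):
        start = pos
        _, _, pos = read_tlv(body, pos)
        parts[name] = body[start:pos]       # keep the full encoded element
    return parts

def diff_chains(chain_a, chain_b):
    """List (index, field) for every part that differs between two DER chains."""
    diffs = []
    if len(chain_a) != len(chain_b):
        diffs.append((None, "chain length %d vs %d" % (len(chain_a), len(chain_b))))
    for i, (a, b) in enumerate(zip(chain_a, chain_b)):
        pa, pb = split_cert(a), split_cert(b)
        diffs += [(i, field) for field in pa if pa[field] != pb[field]]
    return diffs

def tlv(tag, value):  # minimal DER encoder, used only to build the constructed samples
    n, size = len(value), (len(value).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + value

def fake_cert(tbs, sig):
    oid = tlv(0x06, bytes.fromhex("2a864886f70d010105"))  # sha1WithRSAEncryption
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, oid) + tlv(0x03, b"\x00" + sig))

LEAF = fake_cert(b"leaf" * 50, b"\x11" * 128)               # long-form lengths
CA = fake_cert(b"issuer", b"\x22" * 128)
CA_ALTERED = fake_cert(b"issuer", b"\x22" * 127 + b"\x23")  # one signature byte differs
```

A difference reported only in `signatureValue` or `signatureAlgorithm` at some position means that certificate was re-signed or altered, while a difference in `tbsCertificate` means a different certificate was sent at that position.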