On 10/31/2014 03:24 PM, Dave Thompson wrote:
>> From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org
>> Sent: Thursday, October 30, 2014 14:50
>
>> I have... root_ca.pem ... self-signed ... issued host_ca.pem ...
>> I would expect the two to form a valid chain. And indeed,
>> verification succeeds:
>
>> ... openssl verify -CAfile root_ca.pem host_ca.pem
>> host_ca.pem: OK
>
>> However, if I add -issuer_checks to the command line, I get errors:
>
>> openssl verify -CAfile root_ca.pem -issuer_checks host_ca.pem
>> host_ca.pem: C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family,
>> OU = Network Administration, CN = K\C3\B6ller Family Host Signing Certificate
>> error 29 at 0 depth lookup:subject issuer mismatch
>> C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network
>> Administration, CN = K\C3\B6ller Family Host Signing Certificate
>> error 29 at 0 depth lookup:subject issuer mismatch
>> C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network
>> Administration, CN = K\C3\B6ller Family Host Signing Certificate
>> error 29 at 0 depth lookup:subject issuer mismatch
>> OK
>
>> Next, I look at the subject and issuer fields of both certificates, and
>> find them to be matching: <snip>
>> Am I wrong to expect the verify command to succeed without errors in
>> this case, even with -issuer_checks? I am attaching the two certificates,
>> in case someone wants to investigate the problem.
>
> As the manpage says:
> Print out diagnostics relating to searches for the issuer certificate of the
> current certificate.
> This shows why each candidate issuer certificate was rejected. The presence of
> rejection messages does not itself imply that anything is wrong; during
> the normal verification process, several rejections may take place.
>
I assumed that this applies to the case of the certificate being checked against multiple candidate issuer certificates, some of them not matching the certificate being checked. However, in my case, there is exactly one issuer certificate, and it _does_ match the one tested.

> In particular, although the manpage doesn't say so, X509_verify_cert
> checks several(!) times whether your cert is self-issued, only to find it
> isn't, causing the "errors" you see in this case.

If verify with -issuer_checks returns errors even if there are exactly two certificates involved and the issuer matches the cert tested, then I feel tempted to say that this option is not terribly useful, because it will always report errors and will never succeed,

> The result is "OK"; the "errors" should be ignored.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org