Could this be related to the recent work to treat the list of
certificates as a SET of potentially relevant certificates
rather than as an ordered list of certificates that must form
the trust chain?

Reading through the 1.1.0 changelog makes it unclear how much
of this standards-compliance fix has been implemented so far,
and how much of it is included in 1.0.2h.

On 06/09/2016 20:10, John Unsworth wrote:
This seems to me to be very easy to validate by just inserting a self-signed 
certificate at the front of a CAfile that works.

...

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Viktor Dukhovni
Sent: 06 September 2016 18:47
To: openssl-users@openssl.org
Subject: Re: [openssl-users] A self-signed CA certificate in the CA file 
*sometimes* stops verification working


On Sep 6, 2016, at 11:53 AM, John Unsworth <john.unswo...@synchronoss.com> 
wrote:

I have noticed the following behaviour:
1. Create a certificate file with two CA certificates, one for the server being connected to (server A) and one for another server (server B).
2. Whichever way the CA certificates are ordered the connect works OK.
3. Add a self-signed CA certificate in the file before the one for server A. The connect fails ‘Verify return code: 21 (unable to verify the first certificate)’.
4. Move the self-signed CA certificate after the one for server A. The connect works OK.

Why should the self-signed certificate affect the connection when the required CA certificate is in the certificate file? Is this a bug?

You've provided much too little detail for a meaningful answer.

Post the server chain being validated as reported by

    $ openssl s_client -showcerts -connect <server>:443 > chain.pem
    $ openssl crl2pkcs7 -nocrl -certfile chain.pem |
      openssl pkcs7 -print_certs

and all three CA certificates.  Do not post any of the private keys.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
