Hi, I have been compiling openssl libraries on RHEL5 for a while without issue. My build for 1.0.2k fails on a new RHEL7 server. I have narrowed down the cause to the make_verify test.

make verify_test # from test dir
The following command should have some OK's and some failures
There are definitly a few expired certificates
../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo ../certs/demo/*.pem
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
error 20 at 0 depth lookup:unable to get local issuer certificate
../certs/demo/dsa-ca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = CA
error 20 at 0 depth lookup:unable to get local issuer certificate
140692788688576:error:0B06E06B:x509 certificate routines:X509_get_pubkey_parameters:unable to find parameters in chain:x509_vfy.c:2108:
../certs/demo/dsa-pca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
error 18 at 0 depth lookup:self signed certificate
C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
error 10 at 0 depth lookup:certificate has expired
OK
../certs/demo/pca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 18 at 0 depth lookup:self signed certificate
C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 10 at 0 depth lookup:certificate has expired
OK
make: *** [test_verify] Error 2

It seems to boil down to the following

OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath ../certs/demo ../certs/demo/ca-cert.pem
WARNING: can't open config file:
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
error 20 at 0 depth lookup:unable to get local issuer certificate
echo $?
2

Doing the same on my RHEL5 box.

OPENSSL_CONF= LD_LIBRARY_PATH=.. ../apps/openssl verify -CApath ../certs/demo ../certs/demo/ca-cert.pem
WARNING: can't open config file:
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test PCA (1024 bit)
error 10 at 1 depth lookup:certificate has expired
C = AU, ST = Queensland, O = CryptSoft Pty Ltd, CN = Test CA (1024 bit)
error 10 at 0 depth lookup:certificate has expired
OK
echo $?
0

Any clue why openssl verify does not work on RHEL7? ca-cert.pem is issued by pca-cert.pem (matching Authority Key Identifier). Both are under ../certs/demo.

Thanks.

--
Philippe Anctil