I think that the output from s_client (see attached) says that it
passed, for both versions.
Also, the output from s_client shows it looking for the correct CA file
on both versions (and shows that the file exists), but it only opens the
CA file under openssl version "1.0.2j-fips 26 Sep 2016".
------ Original Message ------
From: Felipe Gasper <[email protected]>
Sent: Sat, 17 Nov 2018 22:23:58 -0500
To: Openssl-users <[email protected]>
Subject: Re: [openssl-users] Problem with x509_verify_certificate
Maybe the set of stores root certificates changed with the update?
Try openssl s_client to debug it?
On Nov 17, 2018, at 8:57 PM, Ken <[email protected]> wrote:
I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP),
which uses x509_verify_certificate to check the validity of a
certificate on a RDP server.
Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips 26
Sep 2016") everything works great.
But, when I upgrade to openSUSE Leap 15.0 (which uses openssl version
"1.1.0i-fips 14 Aug 2018") I get an error when connecting to servers
that use publicly-signed certificates:
Certificate details:
Subject: OU = Domain Control Validated, CN = owa.xxxxx.com
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
Thumbprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
The above X.509 certificate could not be verified, possibly because
you do not have
the CA certificate in your certificate store, or the certificate has
expired.
Please look at the OpenSSL documentation on how to add a private CA
to the store.
Do you trust the above certificate? (Y/T/N)
On both versions, strace shows it is checking for
/var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the
correct CA) - but with openssl version "1.1.0i-fips 14 Aug 2018", it
never opens that file. (With openssl version "1.0.2j-fips 26 Sep
2016", it does open/read that file, which it seems like it would need
to, in order to find out if it matches the certificate.)
Any idea what changed? (Or, better question, what needs to be changed
to make this application work again?)
Thanks,
Ken
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
openssl s_client -connect owa.xxxxx.com:3389 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = owa.xxxxx.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=owa.xxxxx.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGNDCCBRygAwIBAgIIXFXbiPD1+PYwDQYJKoZIhvcNAQELBQAwgcYxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUw
IwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypo
.
.
.
vpY77wmUtuPlIBBA0vmoLkqm3kLq31Ax9O83BgLCnHUHBfq3UuJSOIjZb9GDzc1L
1r1jePMxklnJFxFMS+D5gJmSNMoOnaop1EtH+8WAsnR16D15mNdtTHEzH106oJaW
KTNa8smgpv+uweIrV68wsctfTK4jMdZXGdIKFy+8sA7T5aRmme0EbFl8Skzc408K
QT7Tk+QwmXU=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=owa.xxxxx.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3419 bytes and written 475 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 941A0000A0B1EEA13483B0FEB706B589A9F209BE3358C3A995C4ED1ED59265EE
Session-ID-ctx:
Master-Key: A08B359932ACFD5B74136EBB8493F324A70C4CE59031174867ECA8FF03D1A34A641E8217823F5CDDCDC5075E6DA37BA7
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1542518377
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
openssl s_client -connect owa.xxxxx.com:3389 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = owa.xxxxx.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=owa.xxxxx.com
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGNDCCBRygAwIBAgIIXFXbiPD1+PYwDQYJKoZIhvcNAQELBQAwgcYxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUw
IwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypo
.
.
.
vpY77wmUtuPlIBBA0vmoLkqm3kLq31Ax9O83BgLCnHUHBfq3UuJSOIjZb9GDzc1L
1r1jePMxklnJFxFMS+D5gJmSNMoOnaop1EtH+8WAsnR16D15mNdtTHEzH106oJaW
KTNa8smgpv+uweIrV68wsctfTK4jMdZXGdIKFy+8sA7T5aRmme0EbFl8Skzc408K
QT7Tk+QwmXU=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=owa.xxxxx.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA1
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3423 bytes and written 358 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: F43500001034795A9A20EA524CE9866A31A3869DB075988A7B545593FE557EEB
Session-ID-ctx:
Master-Key: 1E07E2347032579D218950FB4DE3A15B7A13831405D44157B948D1237C22F6B8B3AE9204352E980765D5476EAF8220E3
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1542518370
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
DONE
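The file name in Ken's strace output, /var/lib/ca-certificates/openssl/4bfab552.0, is OpenSSL's CApath lookup scheme: the by_dir store looks for <subject hash>.0, <subject hash>.1, ... where the hash is what `openssl x509 -hash -noout` prints for the CA certificate (distributions generate these links with c_rehash or `openssl rehash`). The script below is an added example for this thread, not code from FreeRDP, OpenSSL or anyone on the list. It builds a throwaway CA and leaf certificate (constructed test data, the hostname owa.example.test included), installs the CA into one CApath directory under the current hash name and into another under the pre-1.0.0 hash name (`-subject_hash_old`), and verifies the leaf against each with `openssl verify`, so you can see that a CA file whose name does not match the hash OpenSSL computes is simply never consulted. It assumes a POSIX sh, an `openssl` CLI of 1.1.0 or later (for `-no-CAfile`) and a filesystem that supports symlinks.

```shell
#!/bin/sh
# Added example (not from the thread): show how OpenSSL's CApath lookup finds a
# CA by its <subject_hash>.0 file name, and what happens when the name is wrong.
# Everything here (CA, leaf, hostname, directories) is constructed test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req(1) config: a CA:TRUE self-signed root. The same file also serves
# the leaf CSR, because -subj on the command line overrides the [dn] section.
write_req_cnf() {
cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca
[ dn ]
CN = Example Test Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Generate the root CA and a leaf certificate signed by it.
make_test_pki() {
    write_req_cnf "$WORK/req.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
        -config "$WORK/req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "/CN=owa.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$WORK/leaf.pem" 2>/dev/null
}

# Populate a CApath directory with one symlink named <hash>.0 -> CA PEM.
# $1 = directory, $2 = CA PEM, $3 = hash option (-hash or -subject_hash_old).
# Prints the hash so the caller can see which file name was created.
link_by_hash() {
    mkdir -p "$1"
    h=$(openssl x509 "$3" -noout -in "$2")
    ln -sf "$2" "$1/$h.0"
    echo "$h"
}

# Verify $2 using only the CApath in $1 (-no-CAfile keeps the system bundle
# out of the picture). Prints "ok" when the chain builds, otherwise "fail".
verify_leaf() {
    if openssl verify -no-CAfile -CApath "$1" "$2" 2>/dev/null | grep -qxF "$2: OK"; then
        echo ok
    else
        echo fail
    fi
}

make_test_pki
NEW_HASH=$(link_by_hash "$WORK/capath_new" "$WORK/ca.pem" -hash)
OLD_HASH=$(link_by_hash "$WORK/capath_old" "$WORK/ca.pem" -subject_hash_old)

echo "default cert dir for this openssl build: $(openssl version -d)"
echo "CApath with $NEW_HASH.0 (current hash): $(verify_leaf "$WORK/capath_new" "$WORK/leaf.pem")"
echo "CApath with $OLD_HASH.0 (old hash):     $(verify_leaf "$WORK/capath_old" "$WORK/leaf.pem")"
```

Two things are worth keeping in mind when using this against a real failure like the one above. First, `openssl version -d` reports the OPENSSLDIR compiled into that particular build; when two OpenSSL versions are installed side by side, compare the value for the library the application actually links against, not just the one the `openssl` binary uses. Second, a clean `Verify return code: 0 (ok)` from s_client only proves that the default store of the openssl binary works; an application calling X509_verify_cert verifies against whatever X509_STORE and lookup paths it configured itself, so its store setup has to be checked separately from s_client's.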