> On Nov 26, 2018, at 1:08 PM, Ken wrote:
>
> Is it "better" to use
>
> X509_STORE_CTX_set_default(csc, "ssl_server");
This does take care of all the niggly details, but see below...
> or something more like
>
> purpose = X509_PURPOSE_SSL_SERVER;
> verify_param = X509_STORE_CTX_get0_param(csc
52 -0800
To: Openssl-users
Subject: Re: [openssl-users] Problem with x509_verify_certificate
Hi Viktor,
It looks like FreeRDP was not setting a purpose when checking the
certificate, causing this issue. I added:
X509_STORE_CTX_set_default(csc, "ssl_server");
before the call to
if (X509_verify_cert(csc) == 1)
and this seems to make it work. I don't know if this is a "good" way to
f
On Wed, Nov 21, 2018 at 11:36:46AM -0800, Ken wrote:
> I tested using s_client, on both systems, with no options, with CAfile
> pointing to the correct CA, and with CAfile pointing to the WRONG CA
> file - the only time it failed was on the new version, with the wrong
> file. (Results attached.
18 08:56:58 -0500
To: Openssl-users
Subject: Re: [openssl-users] Problem with x509_verify_certificate
> On Nov 20, 2018, at 1:31 AM, Ken wrote:
>
> Are you saying to test with "openssl s_client -connect ..."?
Test both with s_client and with your application if possible.
In both cases configure the CApath empty and the CAfile to hold
just the appropriate trust anchor. If your application does n
: Openssl-users
Subject: Re: [openssl-users] Problem with x509_verify_certificate
> On Nov 19, 2018, at 1:15 AM, Ken wrote:
>
> There are no stale intermediate certificates on my computer.
The evidence suggests otherwise.
> Also, strace shows that it is looking for the correct CA certificate
> (/var/lib/ca-certificates/openssl/4bfab552.0), and being told that it
> exists
it
exists - but with the newer version of openssl, it never tries to open
the CA certificate (the older version does).
-- Original Message --
From: Viktor Dukhovni
Sent: Sun, 18 Nov 2018 01:00:50 -0500
To: Openssl-users
Subject: Re: [openssl-users] Problem with x509_verify_certificate
M
In that case, remove stale, possibly expired intermediate CAs from
your CAfile/CApath as mentioned in an earlier message. Then c_rehash
once more.
> On Nov 19, 2018, at 1:03 AM, Ken wrote:
>
> "c_rehash" did not make any difference.
--
Viktor.
"c_rehash" did not make any difference.
-- Original Message --
From: Viktor Dukhovni
Sent: Sun, 18 Nov 2018 00:54:46 -0500
To: Openssl-users
Subject: Re: [openssl-users] Problem with x509_verify_certificate
I would suggest running "c_rehash" on the directory, m
Most likely there's a stale (expired) copy of the intermediate certificate in
question in the trust store, but the peer (server) sent an unexpired version
in the handshake. The solution is to remove the stale intermediate from
the trust store.
> On Nov 17, 2018, at 8:57 PM, Ken wrote:
>
> I use
I would suggest running "c_rehash" on the directory, making sure it is
the c_rehash for OpenSSL 1.1.x, and not some other version.
> On Nov 17, 2018, at 8:57 PM, Ken wrote:
>
> On both versions, strace shows it is checking for
> /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is
2016".
-- Original Message --
From: Felipe Gasper
Sent: Sat, 17 Nov 2018 22:23:58 -0500
To: Openssl-users
Subject: Re: [openssl-users] Problem with x509_verify_certificate
Maybe the set of stores root certificates changed with the update?
Try openssl s_client to debug it?
> On Nov 17, 2018, at 8:57 PM, Ken wrote:
>
> I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP), which
> uses x509_verify_certificate to check the validity of a certificate on
I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP),
which uses x509_verify_certificate to check the validity of a
certificate on a RDP server.
Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips 26 Sep
2016") everything works great.
But, when I upgrade to openSU