Bodo Moeller wrote:
> 
> On Fri, Sep 22, 2000 at 03:31:06PM +0200, Lutz Jaenicke wrote:
> 
> > I just tried Postfix/TLS 0.9.6 and found problems with certificate
> > verification:
> > 0.9.6 returned X509_V_ERR_SUBJECT_ISSUER_MISMATCH on a completely valid
> > certificate.  [...]
> 
> Do you use a verify_callback?  I'm working over a rather slow
> SSH connection right now and so cannot easily look at all the relevant
> code, but line 156 in x509_vfy.c looks suspicious to me --
> it uses check_issued just to determine whether the chain is complete
> (a self-signed cert has been reached), and check_issued calls
> the callback if this is not the case.  But since this is not
> the verification stage, just preparation for it, I don't think
> the callback should be called.  Steve?

Well the point of that stuff is to allow a log of all the extra checks
being made. Things that were tolerated before (such as mismatched key 
ids) are not tolerated now.

The callback will not be called with those extra checks unless the flag
X509_V_FLAG_CB_ISSUER_CHECK is set because a callback
*really* needs to know what it is doing if it is going to override the
issuer and subject certificate mismatch errors.

However I think on reflection it should go one step further and not
set the error condition at all for these informational errors unless
the flag is set. That way it should be largely compatible with the
old behaviour. Fortunately that is a trivial change.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]