Dear OpenSSL developers,

There are two bugs (1311 & 1422) about X509_NAME_cmp in the RT database, both discussing that X509_NAME_cmp is not a valid metric anymore:

    a < b && a < c does not mean that a < c

While this problem might seem minor (the two bugs were reported back in 2006 and are not even targeted for a release), it can actually cause X.509 certificate validation to fail. This failure is subtle and difficult to track down: error reports do not help much, as the only error reported back to the application is "unable to get local issuer certificate", even though the trusted CA certificate is in the proper place.

In my case I was loading 123 CA certificates into an X509_STORE and the subsequent X.509 certificate validation failed, even though the trusted root CA that signed the certificate being validated was there. The solution was to remove one of the CA certificates (seemingly at random).

The problem is that X509_STORE->objs is a sorted stack and lookups perform a binary search on it. However, since X509_NAME_cmp() is broken, this lookup does not always work. This affects all applications that use a large number of CA certificates and which care about loading all those certificates themselves instead of relying on X509_LOOKUP_hash_dir().

Please consider increasing the priority of this bug.

Thanks in advance,
--
Bazsi

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
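What goes wrong mechanically, as an added example that is not part of the original message and not OpenSSL's code: the comparator below is a constructed stand-in for X509_NAME_cmp (the `name_t` type, the `fold_case` flag and the "alpha".."echo" entries are all invented for this example; the real X509_NAME_cmp is not reproduced). Because which comparison it uses depends on the type of its left operand, it has the cycle bravo < charlie < DELTA < bravo. Sorting a five-entry store with it produces an order in which binary search cannot find "DELTA" even though a linear scan shows it is present, and dropping the unrelated "charlie" entry makes the binary lookup succeed again, which is the symptom the message reports.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an X.509 name: one attribute value plus a flag saying whether
 * that value's string type is compared case-insensitively.  Constructed for
 * this example; it is not OpenSSL's X509_NAME. */
typedef struct {
    const char *value;
    int fold_case;   /* 1: compare ignoring case, 0: compare bytes exactly */
} name_t;

/* Portable case-insensitive compare (avoids the POSIX-only strcasecmp). */
static int fold_cmp(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb) return ca - cb;
        if (ca == '\0') return 0;
    }
}

/* The flawed comparator: the comparison method is chosen by the LEFT operand's
 * type, so cmp(a,b) and cmp(b,a) can disagree and a < b < c does not imply
 * a < c.  That is not a valid ordering for sorting or binary search. */
int name_cmp(const name_t *a, const name_t *b)
{
    return a->fold_case ? fold_cmp(a->value, b->value) : strcmp(a->value, b->value);
}

/* Constructed "trust store", in the order a program would add the entries. */
const name_t SAMPLE_STORE[] = {
    { "alpha",   0 },
    { "bravo",   0 },
    { "charlie", 1 },   /* the only case-folded entry */
    { "DELTA",   0 },
    { "echo",    0 },
};
enum { SAMPLE_STORE_N = sizeof(SAMPLE_STORE) / sizeof(SAMPLE_STORE[0]) };

/* bravo < charlie, charlie < DELTA, and yet DELTA < bravo: a cycle. */
int is_cycle(void)
{
    const name_t *b = &SAMPLE_STORE[1], *c = &SAMPLE_STORE[2], *d = &SAMPLE_STORE[3];
    return name_cmp(b, c) < 0 && name_cmp(c, d) < 0 && name_cmp(d, b) < 0;
}

/* Deterministic insertion sort, so the result does not depend on libc's qsort. */
static void sort_names(name_t *a, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        name_t key = a[i];
        size_t j = i;
        while (j > 0 && name_cmp(&a[j - 1], &key) > 0) { a[j] = a[j - 1]; j--; }
        a[j] = key;
    }
}

/* Binary search over the sorted array, as a sorted-stack lookup does. */
static int find_binary(const name_t *a, size_t n, const name_t *key)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        int c = name_cmp(key, &a[mid]);
        if (c == 0) return (int)mid;
        if (c < 0) hi = mid; else lo = mid + 1;
    }
    return -1;
}

/* Linear scan: the ground truth for whether the entry is really there. */
static int find_linear(const name_t *a, size_t n, const name_t *key)
{
    for (size_t i = 0; i < n; i++)
        if (name_cmp(key, &a[i]) == 0) return (int)i;
    return -1;
}

/* Load every entry of `certs` except index `skip` (SIZE_MAX: skip none) into a
 * store, sort it, then look up `key`.  Returns the index in the sorted store
 * or -1 if the lookup fails. */
int lookup(const name_t *certs, size_t n, size_t skip, const name_t *key, int binary)
{
    name_t store[16];
    size_t m = 0;
    if (n > 16) return -1;
    for (size_t i = 0; i < n; i++)
        if (i != skip) store[m++] = certs[i];
    sort_names(store, m);
    return binary ? find_binary(store, m, key) : find_linear(store, m, key);
}

int main(void)
{
    const name_t *delta = &SAMPLE_STORE[3];
    printf("comparator has a cycle: %d\n", is_cycle());
    printf("all 5 loaded, binary search for DELTA: %d\n",
           lookup(SAMPLE_STORE, SAMPLE_STORE_N, SIZE_MAX, delta, 1));   /* -1 */
    printf("all 5 loaded, linear search for DELTA: %d\n",
           lookup(SAMPLE_STORE, SAMPLE_STORE_N, SIZE_MAX, delta, 0));   /* 3 */
    printf("charlie removed, binary search for DELTA: %d\n",
           lookup(SAMPLE_STORE, SAMPLE_STORE_N, 2, delta, 1));          /* 0 */
    return 0;
}
```

The sorted order with all five entries is alpha, bravo, charlie, DELTA, echo; the first probe compares "DELTA" byte-wise against "charlie", 'D' sorts before 'c', so the search turns left and never reaches index 3. Which entry has to be removed to repair the lookup depends only on where the inconsistent entry lands relative to the probe points, which is why it looks random from the outside.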