Hi, we are using OpenSSL 0.9.8k. It's not the command line utility. We are linking against libcrypto and libssl. We load the CA certificates with SSL_CTX_set_default_verify_paths (c_rehash has been executed before), disable the automatic verification by setting SSL_CTX_set_verify to SSL_VERIFY_NONE, do the handshake with BIO_do_handshake, get the server certificate with SSL_get_peer_certificate and then verify the certificate by using SSL_get_verify_result. The result value of this function is set to X509_V_ERR_CERT_SIGNATURE_FAILURE. The problem seems to be the signature algorithm which is used: sha512WithRSAEncryption.
The CA certificate: (see the attachment rdp-test-CA.pem)

The received server certificate: (see the attachment server.pem)

Regards,
Dominic

Dominic Wollner
Dipl.-Inf. (FH) Development & Research Linux
IGEL Technology GmbH, Augsburg, Germany

-----Original message-----
From: Stephen Henson via RT [mailto:r...@openssl.org]
Sent: Thursday, 14 February 2013 18:24
To: Dominic Wollner
Cc: openssl-dev@openssl.org
Subject: [openssl.org #2991] Certificate verification with a RSA-SHA512 hash algorithm fails

On Thu Feb 14 18:14:37 2013, woll...@igel.com wrote:
> Hi,
>
> there is a problem with certificate verification. Windows allows the
> generation of CA certificates which uses RSA-SHA512 as the hash
> algorithm. But this hash algorithm is currently not supported by
> OpenSSL. Will this issue be fixed in future or is there a workaround
> for this?
>

SHA512 has been supported in OpenSSL for some time. What version are you using and what verification error do you get? If possible please include a sample certificate that fails with the command line utilities.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Attachments: rdp-test-CA.pem, server.pem