Thank you very much. I appreciate your extra effort.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Wednesday, May 09, 2012 6:38 AM
To: openssl-users@openssl.org
Subject: Re: FAILED:unable to get local issuer certificate

On Tue, May 08, 2012, dave.mclel...@emc.com wrote:

> Hi Dr. Steve: can I get clarification on your note about the '...link
> algorithm has changed...'?
>
> Does this refer to the hash computed over a certificate which is needed when
> using SSL_CTX_load_verify_locations(pCtx, NULL, path_to_verify_directory)?
>
> I discovered (and resolved) this in testing 1.0.1 recently, upgrading from
> 0.9.8r. I just want to confirm this is the issue you mentioned.
> 

Yes. The old algorithm was computed over the raw encoding of a DN using MD5;
this meant equivalent DNs with different encodings wouldn't work and special
exceptions had to be made for FIPS 140-2 mode.

The new version uses a canonical encoding of the DN using SHA1 instead.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
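
The difference between the two link-name schemes described in the reply above, as an added example that is not part of the original thread and is not OpenSSL's code. It assumes a constructed single-attribute DN and a simplified model of the canonical form (values re-encoded as UTF8String, lowercased, whitespace collapsed); all function names are illustrative.

```python
import hashlib

UTF8, PRINTABLE = 0x0C, 0x13             # ASN.1 string type tags
OID_CN = bytes.fromhex("550403")         # 2.5.4.3 commonName

def tlv(tag, body):
    # DER tag-length-value, short-form length only (enough for this sample)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    # Returns (tag, value, offset of the next element)
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def make_dn(string_tag, cn):
    # Name ::= SEQUENCE { SET { SEQUENCE { OID, string } } }
    atv = tlv(0x30, tlv(0x06, OID_CN) + tlv(string_tag, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def link_name(digest):
    # First four digest bytes as a little-endian integer, 8 hex digits, ".0"
    return "%08x.0" % int.from_bytes(digest[:4], "little")

def old_hash(dn_der):
    # Old scheme: MD5 over the raw DER encoding of the DN
    return link_name(hashlib.md5(dn_der).digest())

def new_hash(dn_der):
    # New scheme (simplified model): SHA1 over a canonical form in which each
    # value is re-encoded as UTF8String, lowercased, with whitespace collapsed
    _, rdns, _ = read_tlv(dn_der, 0)
    canon, pos = b"", 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)
        _, atv, _ = read_tlv(rdn_set, 0)         # one attribute per RDN assumed
        _, oid, off = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, off)
        text = " ".join(value.decode().lower().split())
        canon += tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(UTF8, text.encode())))
    return link_name(hashlib.sha1(canon).digest())

# Constructed sample: the same DN, encoded with two different string types
DN_PRINTABLE = make_dn(PRINTABLE, "Example Root CA")
DN_UTF8 = make_dn(UTF8, "Example Root CA")

if __name__ == "__main__":
    print("old:", old_hash(DN_PRINTABLE), old_hash(DN_UTF8))   # names differ
    print("new:", new_hash(DN_PRINTABLE), new_hash(DN_UTF8))   # names match
```

For a real certificate, `openssl x509 -noout -subject_hash -in cert.pem` prints the new-style value and `-subject_hash_old` the old-style one, which is what to compare against the link names in a verify directory after an upgrade.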