Asher Spain wrote on 18/09/12 14:49:
Dear friends,
I'm getting an error verifying the trust in the CA due to OpenSSL.
I have created a CA using SimpleCA and installed its files on my clients without any problems.
However, one of my clients can't verify the CA hash because it is taking the CA hash as if it were
using the old OpenSSL version, which used another hash type. I mean:
My CA has the following hash (which is created with OpenSSL 1.0.0e): c03c42ac
However, after installing it on the client (Ubuntu 11.10) and trying to use
"grid-proxy-init -debug -verify", it can't verify it, as it says it can't find trust in the CA
with hash a784f43d.
I checked that the hash it is asking me for is the same hash but calculated with the old OpenSSL
version of my CA:
openssl x509 -hash -noout < /etc/grid-security/certificates/c03c42ac.0
-> c03c42ac
openssl x509 -subject_hash_old -noout < /etc/grid-security/certificates/c03c42ac.0
-> a784f43d
I don't know how to solve this. I found a tool that converts old hash files into new hash files
(http://www.cilogon.org/openssl1) but mine are already the new ones, so it makes no change and the
error remains. I have tried to uninstall libssl0.9.8 but it uninstalls grid-proxy-utils as well,
and if I reinstall the package it installs libssl0.9.8.
What can I do to avoid this problem?

AFAIK, one possible workaround is to create symlinks for old hashes to new ones or
vice versa. E.g.
$ ln -s /etc/grid-security/c03c42ac.0 /etc/grid-security/a784f43d.0
and repeat these steps for all CA credentials files (like *.crl_url, *.r0, etc.).
Hope it helps,
Nikolay.
Thanks in advance!
Asier
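
Added example, not part of either message: a POSIX shell function that applies the symlink workaround described above to a whole trust directory, linking every file of a CA (certificate, *.r0, *.crl_url and so on) under whichever of the two subject hashes is missing. The function name link_alt_hashes is made up for this example; the directory in the usage comment is the one from the original post.

```shell
#!/bin/sh
# Usage (after sourcing this file): link_alt_hashes /etc/grid-security/certificates
# Prints the number of symlinks created; safe to run repeatedly.

link_alt_hashes() {
    dir=$1
    made=0
    for cert in "$dir"/*.0; do
        [ -f "$cert" ] || continue
        # Hash as computed by OpenSSL >= 1.0.0 and by older releases.
        new=$(openssl x509 -subject_hash -noout -in "$cert") || continue
        old=$(openssl x509 -subject_hash_old -noout -in "$cert") || continue
        have=$(basename "$cert" .0)
        # The file is named after one of the two hashes; link the other one.
        case $have in
            "$new") want=$old ;;
            "$old") want=$new ;;
            *) echo "skip $cert: file name matches neither hash" >&2
               continue ;;
        esac
        if [ "$want" = "$have" ]; then
            continue
        fi
        # Companion files share the hash prefix (CRL, CRL URL, policy files).
        for f in "$dir/$have".*; do
            [ -e "$f" ] || continue
            ext=${f#"$dir/$have".}
            link=$dir/$want.$ext
            # Never overwrite an existing file or link.
            if [ -e "$link" ] || [ -L "$link" ]; then
                continue
            fi
            # Relative target, so the directory can be copied or moved.
            ln -s "$(basename "$f")" "$link"
            made=$((made + 1))
        done
    done
    echo "$made"
}
```

Files whose name matches neither hash of the certificate they contain are reported on stderr and left alone, which also flags certificates that were installed under a wrong name.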