Thank you very much for your answers,
Joe, I already tried that and it didn't work, as I was already using the new
hashes, but the client, when verifying the CA, always tried to verify old hashes
that didn't even exist on the machine.
Luckily, creating the symbolic links for the .0 and .signing_policy as Nikolay
suggested worked for me.
So, thank you very much for your help!
Asier
> Subject: Re: [gt-user] OpenSSL CA verification problem
> From: [email protected]
> Date: Tue, 18 Sep 2012 09:58:46 -0400
> CC: [email protected]
> To: [email protected]
>
> We have a tool for that in the globus-openssl-module-progs package called
> globus-update-certificate-dir which computes the new hashes for sites
> upgrading from 0.9 to 1.0 and makes those links
>
> Joe
>
> On Sep 18, 2012, at 6:49 AM, Asher Spain <[email protected]> wrote:
>
> > Dear friends,
> >
> > I'm getting an error verifying the trust in the CA due to OpenSSL.
> > I have created a CA using SimpleCA and installed its files on my clients
> > without any problems. However, one of my clients can't verify the CA hash
> > because it is taking the CA hash as if it were using the old OpenSSL version,
> > which used a different hash type. I mean:
> > My CA has the following hash (which is created with OpenSSL 1.0.0e):
> > c03c42ac
> > However, after installing it on the client (Ubuntu 11.10) and trying to use
> > "grid-proxy-init -debug -verify", it can't verify it, as it says it can't
> > find trust in the CA with hash a784f43d.
> >
> > I checked that the hash it is asking me for is the same hash of my CA but
> > calculated with the old OpenSSL version:
> > openssl x509 -hash -noout < /etc/grid-security/certificates/c03c42ac.0
> > -> c03c42ac
> > openssl x509 -subject_hash_old -noout < /etc/grid-security/certificates/c03c42ac.0
> > -> a784f43d
> >
> > I don't know how to solve this. I found a tool that converts old hash files
> > into new hash files (http://www.cilogon.org/openssl1) but mine are already
> > the new ones, so it makes no change and the error remains. I have tried to
> > uninstall libssl0.9.8 but it uninstalls grid-proxy-utils as well, and if I
> > reinstall the package it installs libssl0.9.8.
> > What can I do to avoid this problem?
> >
> > Thanks in advance!
> >
> > Asier
>
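
The fix that worked in this thread (symbolic links so that both the new and the old hash name resolve to the same `.0` and `.signing_policy` files), sketched as an added example that is not part of the original messages and is not the code of globus-update-certificate-dir. The function names and the script name are hypothetical, and it assumes every certificate uses the `.0` suffix only.

```shell
#!/bin/sh
# Added example (not from the thread): make each CA in a hashed certificate
# directory reachable under both the OpenSSL 1.0 subject hash and the
# pre-1.0 hash, so clients linked against either libssl can find it.

# link_alias DIR EXISTING NAME: symlink NAME.0 and NAME.signing_policy to the
# EXISTING.* files in DIR. Never overwrites anything already present.
link_alias() {
    dir=$1 existing=$2 name=$3
    if [ "$existing" = "$name" ]; then return 0; fi
    # A different certificate already owns this hash name: leave it alone.
    if [ -e "$dir/$name.0" ] && ! cmp -s "$dir/$name.0" "$dir/$existing.0"; then
        echo "skip $name: name in use by another certificate" >&2
        return 0
    fi
    for ext in 0 signing_policy; do
        if [ ! -e "$dir/$existing.$ext" ]; then continue; fi
        if [ -e "$dir/$name.$ext" ] || [ -L "$dir/$name.$ext" ]; then continue; fi
        # Relative target keeps the link valid if the directory is copied.
        ln -s "$existing.$ext" "$dir/$name.$ext"
    done
}

# link_dir DIR: compute both hashes of every DIR/*.0 certificate with openssl
# and add whichever of the two names is missing.
link_dir() {
    dir=$1
    for cert in "$dir"/*.0; do
        [ -f "$cert" ] || continue
        base=$(basename "$cert" .0)
        new=$(openssl x509 -subject_hash -noout -in "$cert") || continue
        old=$(openssl x509 -subject_hash_old -noout -in "$cert") || continue
        link_alias "$dir" "$base" "$new"
        link_alias "$dir" "$base" "$old"
    done
}

# Usage: sh link-ca-hashes.sh /etc/grid-security/certificates
if [ "$#" -gt 0 ]; then link_dir "$1"; fi
```

With the values from this thread, running it on the directory holding `c03c42ac.0` would add `a784f43d.0` and `a784f43d.signing_policy` as links to the existing files.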