Hi!

I know we are already in beta3, but...
I just tried Postfix/TLS 0.9.6 and found problems with certificate
verification:
0.9.6 returned X509_V_ERR_SUBJECT_ISSUER_MISMATCH on a completely valid
certificate. If my analysis is correct, the following happens:
All certificates are in one CAfile and when looking up the CA certificate
in question, crypto/x509/x509_vfy.c:find_issuer runs through the
stack formed from the entries in CAfile. Since the certificate is
however not the first one in the file, the check in
crypto/x509/x509_vfy.c:check_issuer fails and
X509_V_ERR_SUBJECT_ISSUER_MISMATCH is written into ctx->error

This does lead to the following problem: even if I would use the callback
to ignore this error, any value that would have been written into
ctx->error is overwritten and ignoring in the callback would mean
"ctx->error=X509_V_OK".
As only the last entry in ctx->error is available and older entries
are overwritten, the resulting question is the following:

- Is X509_V_ERR_SUBJECT_ISSUER_MISMATCH guaranteed to be always the first
  item checked, so that no other important verify errors are overwritten
- If this is the case, X509_V_ERR_SUBJECT_ISSUER_MISMATCH is to be considered
  equivalent to X509_V_OK.
  -> In this case I have to change the documentation in SSL_get_verify_result()
     to point out this behaviour
     -> Documentation bug
- If this is not guaranteed, this "informational" error overwrites more
  important messages, so that the SSL_get_verify_result() becomes useless.

How is this functionality to be used? It breaks compatibility anyhow and should
be explicitly mentioned in the NEWS-flash!!

[For Postfix/TLS I just wrote a workaround and maintain my own verify-error
store based on the callback...]

Best regards,
        Lutz
PS. The same applies for the other two new issuer-checks, but they are
not triggered by this effect.
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
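The workaround Lutz mentions (a private verify-error store fed from the verify callback, so that the application no longer depends on the single last-error slot in ctx->error) looks roughly like this. This is an added example, not Postfix/TLS or OpenSSL code: to build without OpenSSL it uses a simulated callback with the same decision shape as an OpenSSL verify callback (preverify_ok, current error, chain depth) on plain ints, constructed stand-in error codes instead of the X509_V_* constants from x509_vfy.h, and two constructed callback sequences modelled on the situation described above. The "last-error slot" in run_chain models the overwrite behaviour the mail describes, not the library's actual code path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in result codes, constructed for this example; the real ones are
 * the X509_V_* constants in openssl/x509_vfy.h. */
enum {
    V_OK = 0,
    V_ERR_SUBJECT_ISSUER_MISMATCH = 1, /* informational: candidate issuer did not match */
    V_ERR_CERT_HAS_EXPIRED = 2,
    V_ERR_STORE_OVERFLOW = 99          /* local: more errors than the store can hold */
};

#define MAX_ERRORS 16

/* Application-owned record of every verify error, in the order seen. */
struct verify_store {
    int err[MAX_ERRORS];
    int depth[MAX_ERRORS];
    size_t count;
    int overflow;
};

void store_init(struct verify_store *s) { memset(s, 0, sizeof *s); }

/* Simulated verify callback: records the error and returns 1 so that the
 * remaining checks still run. The verdict is taken from the store
 * afterwards, never from the library's single error slot. */
int verify_cb(struct verify_store *s, int preverify_ok, int err, int depth)
{
    if (preverify_ok)
        return 1;
    if (s->count < MAX_ERRORS) {
        s->err[s->count] = err;
        s->depth[s->count] = depth;
        s->count++;
    } else {
        s->overflow = 1;
    }
    return 1;
}

/* First recorded error that is not the informational issuer mismatch.
 * V_OK only if nothing else was recorded and nothing was lost. */
int store_verdict(const struct verify_store *s)
{
    for (size_t i = 0; i < s->count; i++)
        if (s->err[i] != V_ERR_SUBJECT_ISSUER_MISMATCH)
            return s->err[i];
    return s->overflow ? V_ERR_STORE_OVERFLOW : V_OK;
}

/* One callback invocation as the library would make it. */
struct cb_event { int preverify_ok; int err; int depth; };

/* Replays a constructed event sequence. Returns the store's verdict and
 * writes into *last_slot what a last-error-wins slot would hold at the end. */
int run_chain(const struct cb_event *ev, size_t n, int *last_slot)
{
    struct verify_store s;
    int slot = V_OK;
    store_init(&s);
    for (size_t i = 0; i < n; i++) {
        if (!ev[i].preverify_ok)
            slot = ev[i].err;  /* every failing check overwrites the slot */
        verify_cb(&s, ev[i].preverify_ok, ev[i].err, ev[i].depth);
    }
    *last_slot = slot;
    return store_verdict(&s);
}

/* Constructed scenario 1: valid chain whose CA is not first in the CAfile,
 * so the issuer search reports a mismatch before the right CA is found. */
int scenario_valid_chain(int *last_slot)
{
    const struct cb_event ev[] = {
        {0, V_ERR_SUBJECT_ISSUER_MISMATCH, 1}, {1, V_OK, 1}, {1, V_OK, 0},
    };
    return run_chain(ev, sizeof ev / sizeof ev[0], last_slot);
}

/* Constructed scenario 2: a real error, then the same informational mismatch. */
int scenario_expired_then_mismatch(int *last_slot)
{
    const struct cb_event ev[] = {
        {0, V_ERR_CERT_HAS_EXPIRED, 1}, {0, V_ERR_SUBJECT_ISSUER_MISMATCH, 0}, {1, V_OK, 0},
    };
    return run_chain(ev, sizeof ev / sizeof ev[0], last_slot);
}

int main(void)
{
    int slot, v;
    v = scenario_valid_chain(&slot);
    printf("valid chain:   store verdict %d, last-error slot %d\n", v, slot);
    v = scenario_expired_then_mismatch(&slot);
    printf("expired chain: store verdict %d, last-error slot %d\n", v, slot);
    return 0;
}
```

In scenario 1 the store reports V_OK while the last-error slot still shows the mismatch; in scenario 2 the slot shows only the mismatch and the expired certificate would be lost, while the store still returns it. That is the gap between SSL_get_verify_result() and the callback history that the mail describes.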