I looked at the latest "[STATUS] OpenSSL (Sun 18-Jul-1999)" but didn't
see this mentioned.
x509.c says:
: /* don't save DSA parameters in child if parent has them
:  * and the parents and the childs are the same. */
: upkey=X509_get_pubkey(x);
: if (!EVP_PKEY_missing_parameters(pkey) &&
:     (EVP_PKEY_cmp_parameters(pkey,upkey) == 0))
:     {
:     EVP_PKEY_save_parameters(upkey,0);
:     /* Force a re-write */
:     X509_set_pubkey(x,upkey);
:     }
That makes sense. However, the x509 app saves DSA keys if and only if
the parent and child DSA params are the *same*. I use gendh to make
DH params, then dsaparam to make DSA params, then use req and x509 to
sign a certificate. If I use different DH and DSA params files for the
CA certificate and the cert request, the resulting cert does not have
DSA parameters (as displayed by x509 -text). Using these certs with
s_server and s_client, the s_client app gives the error:
20598:error:140900EF:SSL routines:SSL3_GET_SERVER_CERTIFICATE:unable to find public key parameters:s3_clnt.c:783:
If I use the same DH and DSA param files for both the CA cert and the
request then s_client connects perfectly.
I believe the test against EVP_PKEY_cmp_parameters() in the above code
is exactly opposite. Looking at the implementation, it seems that
function returns 0 if the two parameters are different.
If I'm wrong then I really don't understand the reason for the
s_client error. Can someone enlighten me?
David Marwood
----------------------------------------------------------------------
David Marwood, M.Sc. [EMAIL PROTECTED]
Director, Internet Technologies Phone: 604-921-5993
InfraNet Solutions Fax: 604-921-5909
West Vancouver, BC, Canada
----------------------------------------------------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]