Geoff Thorpe wrote:
>
> Hi there,
>
> As I'd mentioned a while back, there seems to be some form of behavioural
> change in the machinery underneath SSL_CTX_load_verify_locations that has
> it spitting tacks where previously it was happy. As far as I can spot,
> this affects ssltest, s_server, s_client, and four different parts of
> Ralf's mod_ssl (the only other OpenSSL-based source I could readily grep
> without expending more effort than I have available).
>
> E.g. if you call:
>
> ./openssl s_client -cert somecert.pem -CAfile someca.pem -state -connect
> .....[etc]
>
> and someca.pem contains only a valid CA cert (no CRL), then you should get
> hit with:
>
> 11495:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:639:Expecting: X509 CRL
> 11495:error:0B070009:x509 certificate routines:X509_load_crl_file:missing asn1 eos:by_file.c:229:
>
> This is on a pretty recent snapshot but I tracked the problem a while back
> to having been introduced Oct 26-27 or thereabouts. It seems (not worth
> believing without checking for yourself) that the CA cert *is* added into
> the SSL_CTX ok but the errors still get thrown out and
> SSL_CTX_load_verify_locations returns with an error code (which is where
> s_server and s_client continue ok because I think they ignore it). Any
> thoughts?
>
Try a newer snapshot. I believe I've addressed this issue. I've been
doing all manner of weird things with the verify code lately so check it
quick before I break it again :-)
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
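The symptom above is a CAfile that holds certificates but no CRL, so the CRL pass of the loader hits "no start line". As an added illustration (not code from the thread or from OpenSSL), the following Python script inventories the PEM block types in a CA file and predicts which loader pass will complain; the function names and the placeholder sample file are constructed for this example.

```python
import re

# PEM header/footer pair as written by OpenSSL's PEM routines; the body is
# captured but never decoded, so the check works on any PEM-framed file.
PEM_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)

CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
CRL_LABEL = "X509 CRL"


def pem_block_types(pem_text):
    """Map each PEM block label found in pem_text to the number of blocks."""
    counts = {}
    for label, _body in PEM_BLOCK.findall(pem_text):
        counts[label] = counts.get(label, 0) + 1
    return counts


def diagnose_cafile(pem_text):
    """Predict what a loader that runs a cert pass and a CRL pass will report.

    A pass that finds no block of the type it expects is exactly what
    PEM_read_bio reports as "no start line ... Expecting: X509 CRL" in the
    quoted error, so the findings name the pass that will fail.
    """
    counts = pem_block_types(pem_text)
    certs = sum(counts.get(label, 0) for label in CERT_LABELS)
    crls = counts.get(CRL_LABEL, 0)
    findings = []
    if certs == 0:
        findings.append("no CERTIFICATE block: cert pass reports 'no start line'")
    if crls == 0:
        findings.append("no X509 CRL block: CRL pass reports 'no start line'")
    for label in sorted(set(counts) - CERT_LABELS - {CRL_LABEL}):
        findings.append(f"block type not used by the loader: {label}")
    return {"certs": certs, "crls": crls, "findings": findings}


# Constructed sample: a CA file with one certificate and no CRL. The body is
# placeholder base64, not a real certificate; only the framing matters here.
SAMPLE_CA_ONLY = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUPLACEHOLDERPLACEHOLDERPLACEHOLDER=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(diagnose_cafile(SAMPLE_CA_ONLY))
```

Running it on the constructed sample reports one certificate, zero CRLs and a single finding for the CRL pass, which is the case Geoff describes.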