Ben Laurie wrote:
>
> Just noticed:
>
> make test ends with:
>
> test sslv3 with server authentication
> server authentication
> depth=1 error=24 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA
> (1024 bit)
> ERROR in CLIENT
> 26942:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:s3_clnt.c:764:
> Protocol SSLv3, cipher (NONE), (NONE)
> 1197 file=stack.c, line=117, number=20, address=0009A7C0
> 1195 file=stack.c, line=117, number=20, address=0009A700
> 1200 file=stack.c, line=119, number=16, address=0009A8A0
> 1199 file=stack.c, line=117, number=20, address=0009A840
> 1196 file=stack.c, line=119, number=16, address=0008F300
> 1198 file=stack.c, line=119, number=16, address=0009A820
> 108 bytes leaked in 6 chunks
> *** Error code 1
>
> I presume coz of new chain verification stuff? Haven't got time to look
> into it now, though.
>
Yeah good isn't it?
It is the new verify code and it's because the test CA has a chain length
of three and it doesn't have any extensions. It's basically throwing out
the chain because the intermediate CA isn't a valid CA.
There are a lot of broken certificates out there, there also appear to
be a lot of broken certificates in there as well :-)
I'll fix up the test CAs so they really are CAs.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]