Dr Stephen Henson wrote:
>
> Ben Laurie wrote:
> >
> > Just noticed:
> >
> > make test ends with:
> >
> > test sslv3 with server authentication
> > server authentication
> > depth=1 error=24 /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA
> > (1024 bit)
> > ERROR in CLIENT
> > 26942:error:14090086:SSL
> > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> > failed:s3_clnt.c:764:
> > Protocol SSLv3, cipher (NONE), (NONE)
> > 1197 file=stack.c, line=117, number=20, address=0009A7C0
> > 1195 file=stack.c, line=117, number=20, address=0009A700
> > 1200 file=stack.c, line=119, number=16, address=0009A8A0
> > 1199 file=stack.c, line=117, number=20, address=0009A840
> > 1196 file=stack.c, line=119, number=16, address=0008F300
> > 1198 file=stack.c, line=119, number=16, address=0009A820
> > 108 bytes leaked in 6 chunks
> > *** Error code 1
> >
> > I presume coz of new chain verification stuff? Haven't got time to look
> > into it now, though.
> >
>
> Yeah good isn't it?
>
> It is the new verify code and it's because the test CA has a chain length
> of three and it doesn't have any extensions. It's basically throwing out
> the chain because the intermediate CA isn't a valid CA.
>
> There are a lot of broken certificates out there, there also appear to
> be a lot of broken certificates in there as well :-)
>
> I'll fix up the test CAs so they really are CAs.

Probably good to have some that _do_ fail, but make the failure a pass.
As it were.

Cheers,

Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
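
Added example, not part of the original thread and not OpenSSL's own test code: a negative test of the kind suggested above, where an intermediate without CA extensions must be rejected with error 24 at depth 1 (the values in the quoted log) for the test to pass. It assumes an `openssl` command-line binary on the PATH; every function name, file name and subject below is constructed for the illustration.

```sh
# Added example: throw-away certificates constructed here, not OpenSSL's test CAs.
# Function names, file names and subjects are made up; needs `openssl` on PATH.

# build_chain DIR: root CA, one intermediate key certified twice (with and
# without basicConstraints CA:TRUE), and a leaf signed by the intermediate key.
build_chain() {
    d=$1
    cat > "$d/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    q() { openssl req -config "$d/cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
    # Fixed serial: int_bad and int_good are two variants of one certificate.
    s() { openssl x509 -req -days 1 -set_serial 2 "$@" 2>/dev/null; }
    q -x509 -days 1 -extensions v3_ca -subj "/CN=Constructed Root" \
        -keyout "$d/root.key" -out "$d/root.pem" &&
    q -new -subj "/CN=Constructed Intermediate" -keyout "$d/int.key" -out "$d/int.csr" &&
    q -new -subj "/CN=constructed.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    s -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -out "$d/int_bad.pem" &&
    s -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -extfile "$d/cnf" -extensions v3_ca -out "$d/int_good.pem" &&
    s -in "$d/leaf.csr" -CA "$d/int_good.pem" -CAkey "$d/int.key" -out "$d/leaf.pem"
}

# verify_result DIR INTERMEDIATE: print OK, or "<error>@<depth>" for the first
# error that `openssl verify` reports.
verify_result() {
    out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/leaf.pem" 2>&1)
    err=$(printf '%s\n' "$out" |
          sed -n 's/.*error \([0-9]*\) at \([0-9]*\) depth.*/\1@\2/p' | head -n 1)
    if [ -n "$err" ]; then echo "$err"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then echo OK
    else echo UNKNOWN; fi
}

# negative_test DIR: passes only if the bad chain fails with error 24 at depth 1,
# so an unrelated failure (expired cert, missing file) cannot count as a pass.
negative_test() { [ "$(verify_result "$1" int_bad.pem)" = "24@1" ]; }

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
build_chain "$work" || { echo "setup failed (is openssl installed?)" >&2; exit 1; }
echo "intermediate with CA:TRUE:   $(verify_result "$work" int_good.pem)"
echo "intermediate, no extensions: $(verify_result "$work" int_bad.pem)"
negative_test "$work" && echo "negative test: PASS"
```

Matching on the specific error and depth, rather than on any non-zero exit, is what keeps the expected failure from masking a different breakage.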