George Staikos wrote:
>
> As some of you may know, KDE uses OpenSSL for Konqueror. Lately, we have
> been noticing new "Class 3" certificates from Verisign which OpenSSL seems to
> be choking on. I have attached the CA root files in DER form, along with
> some example certificates presented by various sites. Another one that
> behaves the same is Equifax Secure eBusiness CA-2 issued certificates. I
> even tried OpenSSL 0.9.6a and 0.9.5a command line util to try to verify these
> against the CA file and it just gives errors of various sorts. Looking at
> the text forms, it seems that it just can't parse it properly. Does anyone
> have any ideas what could be up? (Other CA's seem to work fine)
>
I partially answered this in openssl-users, though it may not have made
it to the list.
The output is not corrupt. That's the default behaviour when an unhandled
extension is encountered, a rather crude ASCII dump of the DER encoded
extension, largely for compatibility with SSLeay. In this case it's the
use of deprecated or proprietary extensions which OpenSSL doesn't
support. You can modify this behaviour using the x509 command line
option 'certopt'. 'ext_error' will just say which extensions are
unsupported while 'ext_parse' will give some indication of their
contents by attempting to ASN1 parse the result.
If OpenSSL really couldn't parse the certificate you'd have no output at
all.
Wrt the verify "problem" what errors do you get and what command line
options are you using?
AFAICs there are some intermediate CAs missing and some root CAs that
don't match in the archive you've given. For example:
ibm.pem issuer is:
issuer= /C=US/O=Equifax Secure Inc/CN=Equifax Secure E-Business CA-2
whereas cert.26.der is:
subject= /C=US/O=Equifax Secure/OU=Equifax Secure eBusiness CA-2
which isn't the same. Similarly the file 'wellsfargo.pem' has issuer:
issuer= /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign
International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref.
LIABILITY LTD.(c)97 VeriSign
which isn't in the archive at all. You can however get it from the site
using the -showcerts option to s_client but you shouldn't really need it
because OpenSSL now supports chain verification.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
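An added example (not part of the thread) that reproduces both points of the reply above: the three `-certopt` views of an extension OpenSSL cannot decode, and `openssl verify` failing until the missing intermediate is supplied with `-untrusted`. The root/intermediate/leaf chain, the names and the private OID are all constructed here; it only needs the `openssl` command line tool (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway
# root -> intermediate -> leaf chain whose leaf carries an extension
# OpenSSL has no decoder for, then shows the -certopt views of that
# extension and chain verification with and without the intermediate.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Constructed placeholder OID under the private-enterprise arc; not a real extension.
UNKNOWN_OID="1.3.6.1.4.1.99999.1.1"

make_chain() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout root.key -out root.pem -subj "/O=Example/CN=Example Root CA" 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout int.key -out int.csr -subj "/O=Example/CN=Example Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign\n' > int.ext
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile int.ext -out int.pem 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/O=Example/CN=www.example.test" 2>/dev/null
  # Arbitrary-extension syntax: OpenSSL can encode this but has no printer for it.
  printf 'basicConstraints=CA:false\n%s=ASN1:UTF8String:opaque vendor data\n' \
    "$UNKNOWN_OID" > leaf.ext
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Print the line shown under the unknown extension for one -certopt value:
# ext_default = crude ASCII dump, ext_error = "<Not Supported>", ext_parse = ASN.1 dump.
show_unknown_ext() {
  openssl x509 -in leaf.pem -noout -text -certopt "$1" | sed -n "/$UNKNOWN_OID/{n;p;}"
}

# Succeeds only if leaf.pem chains to root.pem; extra arguments
# (for example "-untrusted int.pem") are passed through to openssl verify.
chain_verifies() {
  openssl verify -CAfile root.pem "$@" leaf.pem >/dev/null 2>&1
}

make_chain
for opt in ext_default ext_error ext_parse; do
  printf '%s:%s\n' "$opt" "$(show_unknown_ext "$opt")"
done
if chain_verifies; then echo "root only: OK"; else echo "root only: fails, intermediate missing"; fi
if chain_verifies -untrusted int.pem; then echo "root + intermediate: OK"; fi
```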