On Thursday 26 July 2001 14:15, Dr S N Henson wrote:
> I partially answered this in openssl-users, though it may not have made
> it to the list.
Sorry I didn't see a post from you... perhaps it got lost.
> The output is not corrupt. That's the default behaviour when an unhandled
> extension is encountered, a rather crude ASCII dump of the DER encoded
> extension, largely for compatibility with SSLeay. In this case it's the
> use of deprecated or proprietary extensions which OpenSSL doesn't
> support. You can modify this behaviour using the x509 command line
> option 'certopt'. 'ext_error' will just say which extensions are
> unsupported while 'ext_parse' will give some indication of their
> contents by attempting to ASN1 parse the result.
>
> If OpenSSL really couldn't parse the certificate you'd have no output at
> all.
OK, I understand that.
> Wrt the verify "problem" what errors do you get and what command line
> options are you using?
openssl verify -CAfile ca-cert-bundle.pem ibm.pem
All the problem certificates say "unable to load certificate file". If I
try to verify the certificate during the SSL negotiation phase in Konqueror,
it says "Issuer is unknown or invalid". Now I'm using the exact cert7.db
that netscape has and it doesn't have this problem.
> AFAICs there are some intermediate CAs missing and some root CAs that
> don't match in the archive you've given. For example:
Yes, I guess those weren't correct. They are "almost" the same. Strange
that they would create new ones with almost the same object values. Anyhow,
I don't see anything else similar.
> which isn't in the archive at all. You can however get it from the site
> using the -showcerts option to s_client but you shouldn't really need it
> because OpenSSL now supports chain verification.
Does netscape do this? I tried stracing netscape and didn't see it get
this file to my knowledge. (perhaps I missed it somehow)
Do I need to be using X509_STORE_CTX_trusted_stack or "issuer checks" as I
see in verify.c in order to make this work? Right now I just do
X509_STORE_add_lookup(mycertfile, X509_LOOKUP_file()), then init the store
and do X509_verify_cert(). Only these two issuers are causing problems for
me right now. All others seem to work just fine.
--
George Staikos
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]