[[EMAIL PROTECTED] - Thu Jan 30 09:28:31 2003]:

> Hi
>
> Ours is a Proxy Server SSL enabled multithreaded application.
> We are running on the Solaris operating system.
> We are using the OpenSSL library [ openssl-0.9.6 ].
> We have the serverCA and root CA certificates at the Proxy server
> application.
> Our application dumps in "ssl_connect" during certificate chain
> verification.
> Here the Certificate chain is Root CA---> ServerCA ----- server
>
> What all certificates do we need at the proxy server application to
> validate the above certificate chain?
>
> The gdb traces are as follows.
>
> #0 0x0039d424 in X509_NAME_cmp (a=0x14291d0, b=0x1404c18) at x509_cmp.c:173
> 173 j=na->value->length-nb->value->length;
> (gdb) bt
> #0 0x0039d424 in X509_NAME_cmp (a=0x14291d0, b=0x1404c18) at x509_cmp.c:173
> #1 0x003b14fc in X509_check_issued (issuer=0x7a5fb8, subject=0x6bbea8) at v3_purp.c:528
> #2 0x0039eca0 in check_issued (ctx=0xfe8075d8, x=0x6bbea8, issuer=0x7a5fb8) at x509_vfy.c:339
> #3 0x003a2728 in X509_STORE_CTX_get1_issuer (issuer=0xfe807560, ctx=0xfe8075d8, x=0x6bbea8) at x509_lu.c:500
> #4 0x0039e87c in X509_verify_cert (ctx=0xfe8075d8) at x509_vfy.c:243
> #5 0x00355e64 in ssl_verify_cert_chain (s=0x8a2498, sk=0x5ae238) at ssl_cert.c:472
> #6 0x00364218 in ssl3_get_server_certificate (s=0x8a2498) at s3_clnt.c:832
> #7 0x0036298c in ssl3_connect (s=0x8a2498) at s3_clnt.c:268
> #8 0x00350fe0 in SSL_connect (s=0x8a2498) at ssl_lib.c:718
> #9 0x000cc4a0 in Sdf_cl_NetworkManager::sslConnect (this=0x5f5c50, pConnMapElem=0x1a46c20, pErr=0xfe807b30)
>    at source/networkmanager/src/sdftlsnetwork.cpp:1565
> #10 0x000cb4b8 in Sdf_cl_NetworkManager::tlsSelectThread (this=0x5f5c50)
>    at source/networkmanager/src/sdftlsnetwork.cpp:1015
> #11 0x000c9ed0 in Sdf_fn_startTlsSelectThread (pParam=0x5f5c50)
>    at source/networkmanager/src/sdftlsnetwork.cpp:199
> Current language: auto; currently c
>
> Can anyone help us in figuring out the problem
> (reason for core dump).

The fields in X509_NAME_cmp should be valid so this looks a bit odd.

Does the OpenSSL s_client also crash when you connect to this server?

What happens when you try:

    openssl verify -CAfile rootca.pem -untrusted serverca.pem server.pem

does that crash? What if you concatenate the two CAs and try:

    openssl verify -CAfile cas.pem -untrusted server.pem

If neither s_client nor verify crash then it could be an application error of some sort. If both crash then you may have a weird certificate that confuses OpenSSL. If that is the case could you send me the chain?

Steve.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
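
The verify checks suggested in the reply, run against a throwaway Root CA -> Server CA -> server chain, as an added example that is not part of the original messages. All subject names, file names and helper functions are constructed for the test; as an assumption, the concatenated-CA check here names server.pem as the certificate to verify, and a root-only check is added for contrast.

```shell
#!/bin/sh
# Added example. Every subject name and file here is constructed for the test.
new_req() {       # $1 = dir, $2 = file stem, $3 = common name
  openssl req -config "$1/o.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
build_chain() {   # $1 = empty working directory
  d=$1
  cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF
  # Root CA: self-signed and marked as a CA.
  openssl req -config "$d/o.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
    -subj "/CN=Example Root CA" -days 2 \
    -keyout "$d/root.key" -out "$d/rootca.pem" 2>/dev/null
  # Server CA: intermediate, signed by the root.
  new_req "$d" serverca "Example Server CA"
  openssl x509 -req -in "$d/serverca.csr" -CA "$d/rootca.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/o.cnf" -extensions ca \
    -days 2 -out "$d/serverca.pem" 2>/dev/null
  # Server certificate: leaf, signed by the Server CA.
  new_req "$d" server "server.example.test"
  openssl x509 -req -in "$d/server.csr" -CA "$d/serverca.pem" \
    -CAkey "$d/serverca.key" -CAcreateserial -days 2 \
    -out "$d/server.pem" 2>/dev/null
}
ok() { grep -q ': OK$'; }   # openssl verify prints "<file>: OK" on success
# Check 1 from the reply: root trusted, Server CA supplied as untrusted.
verify_split() { openssl verify -CAfile "$1/rootca.pem" \
                   -untrusted "$1/serverca.pem" "$1/server.pem" 2>&1 | ok; }
# Check 2: both CAs concatenated into one trusted file.
verify_bundle() { cat "$1/rootca.pem" "$1/serverca.pem" > "$1/cas.pem"
                  openssl verify -CAfile "$1/cas.pem" "$1/server.pem" 2>&1 | ok; }
# Contrast: only the root is available, so no path to it can be built.
verify_root_only() { openssl verify -CAfile "$1/rootca.pem" \
                       "$1/server.pem" 2>&1 | ok; }

d=$(mktemp -d)
build_chain "$d"
verify_split "$d"     && echo "split: OK"
verify_bundle "$d"    && echo "bundle: OK"
verify_root_only "$d" || echo "root only: chain incomplete"
rm -rf "$d"
```

A known-good chain like this gives a baseline: if the same commands crash only on the real certificates, the input is suspect; if they pass on both, attention moves to the application.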
