> [[email protected] - Fri Feb 27 20:34:24 2009]:
>
> From: Jeff Wu <[email protected]>
> Date: Thu, Feb 26, 2009 at 4:41 PM
> Subject: "openssl verify -CAfile mutil_ca.pem site.cert" fails even if
> mutil_ca.pem contains the chain for site.cert
> To: [email protected]
>
> Verification fails even if the CAfile contains the CA root certificates chain
> for the site cert.
>
> Steps:
>
> I have a CAfile.pem (all these files attached in testfiles.tgz) that
> contains lots of CA root certificates.
> I run the following command
>
> $ apps/openssl verify -CAfile CAfile.pem aol.cert
> aol.cert: /C=US/ST=Virginia/L=Dulles/O=AOL LLC/OU=Portal Services/CN=www.aol.com
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> $ apps/openssl verify -CAfile CAfile.pem akamai.cert
> akamai.cert: OK
>
> Then I append aolca.pem (AOL Member CA) at the end of CAfile.pem and rename it
> to CAfile2.pem
>
> $ cat CAfile.pem aolca.pem > CAfile2.pem
>
> and run the following commands
>
> $ apps/openssl verify -CAfile CAfile2.pem aol.cert
> aol.cert: OK
>
> $ apps/openssl verify -CAfile CAfile2.pem akamai.cert
> akamai.cert: /C=US/O=Akamai Technologies, Inc./CN=a248.e.akamai.net
> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> The verification for aol.cert passes as expected, but failing to verify
> akamai.cert is unexpected.
>
> If I configure/compile openssl with the "-d" option, openssl will fail to
> load the CAfile.pem
>
> $ apps/openssl verify -CAfile CAfile.pem akamai.cert
>
Please try this against a recent snapshot of 0.9.8-stable. An update to X509_NAME_cmp which was applied recently should address this.

Steve.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
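An added regression check, not part of this thread or of the OpenSSL project, that exercises the behaviour the report expects: two constructed test CAs, one leaf certificate signed by each, and `openssl verify -CAfile` run against the CA bundle in both concatenation orders. It assumes the `openssl` command-line tool is on PATH; every subject name and file name below is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build two independent test CAs, sign
# one leaf with each, and confirm that `openssl verify -CAfile` accepts both
# leaves regardless of the order in which the CA certs appear in the bundle.
# File names, subjects and key sizes are constructed for this demo only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# $1 = label, $2 = CA subject, $3 = leaf subject.
# Creates $1-ca.pem (self-signed CA) and $1.cert (leaf signed by that CA).
make_ca_and_leaf() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1-ca.key" \
    -out "$1-ca.pem" -subj "$2" -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$3" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$1-ca.pem" -CAkey "$1-ca.key" \
    -CAcreateserial -out "$1.cert" -days 1 2>/dev/null
}

# Returns 0 when `openssl verify` prints "<leaf>: OK" for $2 against bundle $1.
verify_leaf() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

make_ca_and_leaf a "/CN=Test CA A" "/CN=site-a.example"
make_ca_and_leaf b "/CN=Test CA B" "/CN=site-b.example"

cat a-ca.pem b-ca.pem > bundle-ab.pem   # CA A first, then CA B
cat b-ca.pem a-ca.pem > bundle-ba.pem   # reversed order

# Returns 0 only if every leaf validates against every bundle order; the
# failure in the report was order-dependent, which this would catch.
check_order_independent() {
  for bundle in bundle-ab.pem bundle-ba.pem; do
    for leaf in a.cert b.cert; do
      verify_leaf "$bundle" "$leaf" || { echo "FAIL: $leaf vs $bundle"; return 1; }
    done
  done
  echo "OK: both leaves verify against both bundle orders"
}

check_order_independent
```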
