On Fri Apr 18 09:00:12 2014, satis...@mportal.com wrote:
> We are not sure if it is an Apple iOS bug. Below is our observation.
> - If we sign the profile using the 0.9.8 version, and download the
>   profile from an https location, the iOS profile installer shows the
>   profile as "Verified"
> - If we sign the same profile using the 1.0.1 version and download the
>   profile from an https location, the iOS profile installer shows the
>   profile as "Not verified"
>
> The only difference between these two versions of OpenSSL visibly is
> the order in which the certificate is listed in the profile. Is
> there a difference in these two versions that causes the difference
> in this certificate listing order? Is there a way we can make the
> order the same to make it work while still using the latest version
> 1.0.1 of OpenSSL?
>
Well technically the order should be irrelevant as it is an ASN.1 SET OF construct so it's a bug in the implementation.

However there is a workaround which requires a minor code modification. In the file pk7_smime.c in the function PKCS7_sign comment out the line:

    if(!(flags & PKCS7_NOCERTS))

(so certificates are added unconditionally).

This is IMHO a bug because the behaviour of PKCS7_sign with PKCS7_NOCERTS doesn't match the documented behaviour. It is only documented to exclude the signer's certificate, not all certificates (and if you want to exclude everything you'd just pass a NULL for the additional certificates).

Then your command line needs to be modified to include the -nocerts option and include all certificates (including the signer) in the correct order passed to the -certfile option.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
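
To compare what the two OpenSSL builds actually emit, the certificate order can be read directly from the signed profile. The following is an added example, not part of the thread and not OpenSSL code: it assumes a DER-encoded (definite-length) PKCS#7 SignedData, all function names are hypothetical, and the sample input is a constructed skeleton rather than real certificates.

```python
# Added example (not from the thread): certificate order inside a DER PKCS#7 SignedData.
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
COMMON_NAME = bytes.fromhex("550403")              # OID 2.5.4.3
def tlv(buf, off):  # -> (tag, value_start, value_end) of the element at off
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n == 0x80:
        raise ValueError("indefinite length (BER); convert to DER first")
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, off = int.from_bytes(buf[off:off + (n & 0x7F)], "big"), off + (n & 0x7F)
    if off + n > len(buf):
        raise ValueError("truncated element")
    return tag, off, off + n

def children(buf, start, end):  # elements directly inside buf[start:end]
    while start < end:
        tag, vs, start = tlv(buf, start)
        yield tag, vs, start

def subject_cn(buf, start, end):  # subject commonName of one Certificate, else None
    _, ts, te = next(children(buf, start, end))                  # tbsCertificate
    # Skip the optional [0] version; the fifth remaining field is the subject.
    _, ss, se = [f for f in children(buf, ts, te) if f[0] != 0xA0][4]
    for _, rs, r_end in children(buf, ss, se):                   # each RDN (SET)
        for _, a, b in children(buf, rs, r_end):                 # each attribute
            oid, val = list(children(buf, a, b))[:2]
            if buf[oid[1]:oid[2]] == COMMON_NAME:
                return buf[val[1]:val[2]].decode("utf-8", "replace")

def embedded_cert_order(der):
    _, s, e = tlv(der, 0)                                        # ContentInfo
    oid, wrapped = list(children(der, s, e))[:2]
    if der[oid[1]:oid[2]] != SIGNED_DATA:
        raise ValueError("not PKCS#7 signedData")
    _, s, e = tlv(der, wrapped[1])                               # SignedData
    for tag, vs, ve in children(der, s, e):
        if tag == 0xA0:                                          # certificates [0]
            return [subject_cn(der, cs, ce) for _, cs, ce in children(der, vs, ve)]
    return []

# Constructed test input: structural skeletons only, not real certificates.
def enc(tag, *parts):
    body = b"".join(parts)
    k = (len(body).bit_length() + 7) // 8
    head = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | k]) + len(body).to_bytes(k, "big")
    return bytes([tag]) + head + body
def sample_cert(cn, issuer):
    name = lambda s: enc(0x30, enc(0x31, enc(0x30, enc(0x06, COMMON_NAME), enc(0x0C, s.encode()))))
    return enc(0x30, enc(0x30, enc(0x02, b"\x01"), enc(0x30), name(issuer), enc(0x30), name(cn)))
def sample_p7(*certs):
    sd = enc(0x30, enc(0x02, b"\x01"), enc(0x31), enc(0x30), enc(0xA0, *certs), enc(0x31))
    return enc(0x30, enc(0x06, SIGNED_DATA), enc(0xA0, sd))
```

Calling embedded_cert_order() on the bytes of a profile signed by each build shows whether the two outputs differ only in certificate order.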