On Sun, Jan 18, 2015 at 04:08:38PM +0100, Daniel Kahn Gillmor via RT wrote: > > this suggests that Uri is reporting a regression in 1.0.1k and 1.0.1l. > I haven't tested those version yet.
The change in behaviour seems to be this commit: commit a8565530e27718760220df469f0a071c85b9e731 Author: Dr. Stephen Henson <st...@openssl.org> Date: Sat Dec 20 15:09:50 2014 +0000 Fix various certificate fingerprint issues. [...] 2. Check certificate algorithm consistency. Check the AlgorithmIdentifier inside TBS matches the one in the certificate signature. NB: this will result in signature failure errors for some broken certificates. [...] (The order of the commits is wrong resulting in it not building because of the missing X509_ALGOR_cmp that's added in the next commit.) The backtrace is: #0 ASN1_TYPE_cmp (a=0x944240, b=0x0) at a_type.c:118 #1 0x0000000000524e4b in X509_ALGOR_cmp (a=0x9409a0, b=0x939d80) at x_algor.c:154 #2 0x00000000005484c7 in X509_verify (a=0x939a50, r=0x945360) at x_all.c:75 #3 0x00000000005433eb in internal_verify (ctx=0x939300) at x509_vfy.c:1637 #4 0x0000000000540d37 in X509_verify_cert (ctx=0x939300) at x509_vfy.c:367 #5 0x0000000000404328 in check (ctx=0x937f60, file=0x7fffffffee1c "/home/kurt/RabbitMQ_Test.pem", uchain=0x0, tchain=0x0, crls=0x0, e=0x0) at verify.c:294 #6 0x0000000000404065 in verify_main (argc=1, argv=0x7fffffffeba8) at verify.c:234 #7 0x000000000040304a in do_cmd (prog=0x9328d0, argc=4, argv=0x7fffffffeb90) at openssl.c:491 #8 0x0000000000402cd8 in main (Argc=4, Argv=0x7fffffffeb90) at openssl.c:382 Kurt _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev