Hi Steve, I've attached three certificate collections: two that fail (where subject == issuer) and one that works around the problem (where subject != issuer). In my personal testing (on OS X), OpenSSL 0.9.8zd (installed by the OS) works on all three collections, whereas OpenSSL 1.0.2d (installed via MacPorts) fails on the fail*.tar.gz ones. You can see the problem with the following:
% tar xpvf ~/Desktop/fail1.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
> -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=Boot2Docker
verify return:1
depth=0 /O=Boot2Docker
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # fails
depth=0 O = Boot2Docker
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Boot2Docker
verify error:num=21:unable to verify the first certificate
verify return:1
...
% tar xpvf ~/Desktop/fail2.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
> -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=b2d
verify return:1
depth=0 /O=b2d
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # fails
depth=0 O = b2d
verify error:num=18:self signed certificate
verify return:1
depth=0 O = b2d
verify error:num=21:unable to verify the first certificate
verify return:1
...
% tar xpvf ~/Desktop/succ.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
> -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=Boot2DockerCA
verify return:1
depth=0 /O=Boot2Docker
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 O = Boot2DockerCA
verify return:1
depth=0 O = Boot2Docker
verify return:1
...

—Matt

On Aug 4, 2015, at 17:05, Stephen Henson via RT <r...@openssl.org> wrote:

> On Tue Aug 04 18:25:25 2015, m...@bogosian.net wrote:
>>
>> Please let me know if you have any questions, and I'd be happy to
>> elaborate.
>>
>
> Can you attach examples of the two certificates (EE and CA) that exhibit this
> problem?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
Attachments: fail1.tar.gz, fail2.tar.gz, succ.tar.gz (GNU Zip compressed data); signature.asc (PGP signature)
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev