On 6/12/06, Susan McIntosh <[EMAIL PROTECTED]> wrote:
> We are in the process of migrating from box A (AIX 4.3.3.0 running
> openssl 0.9.6g) to box B (AIX 5.3.0.0 running openssl 0.9.8). Both A and
> B access the same file system which contains our CA files.
> When I revoke a certificate from box A, the process works as expected.
> When I revoke a certificate from box B, I get the following error:
> ERROR:name does not match /C=US/ST=Florida/L=Gainesville/O=University of
> Florida /OU=Computing and Networking
> Services/CN=alt.smtp.ufl.edu/emailAddress=nerdc-uni [EMAIL PROTECTED]

This error message is emitted on line 2488 in apps/ca.c
As to the question why, I'm far from being sure. I'd suggest some
debugging and looking at the values of row and rrow. Depending on the
outcome the contents of the index.txt file might be interesting.
Perhaps you find some of the following topics worthy of further
inspection. I just guessed regarding the context:
- if you want to revoke the cert with serial 0, you might be affected
by the bug fixed by http://cvs.openssl.org/chngview?cn=8356
- subtly different handling of the deprecated emailAddress in the
subject name in the two versions. Especially considering the
whitespace in the address (makes me suspicious at least).
- different locales or whatever is used in AIX to the effect of
different charsets

> 3080222:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:122:fopen('/nerdc/src/ssl/CA/index.txt.attr','rb')
> 3080222:error:2006D080:BIO routines:BIO_new_file:no such
> file:bss_file.c:125:

- would be mandatory for no_unique subject names. So if you have such
(which would not be possible with 0.9.6g I think) there might be a
problem with getting the right one.

> 3080222:error:0E078072:configuration file routines:DEF_LOAD:no such
> file:conf_def.c:197:
> The certificate, key, config file, etc. are all the same for both
> revocation attempts. The only thing that's changed, as far as I can
> tell, is the version of AIX and openssl. Is there a config file I need
> to check besides the one I specify on the command line?

Well, what exactly you are doing and the contents of the configuration
files (nameoption etc.) could be important to know depending on the
hopefully narrowed down possibilities of what exactly is happening in
the two different setups.
HTH, with best regards
K. Hoercher
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
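
The comparison suggested in the reply above (the certificate's one-line subject against the index.txt row with the same serial), as an added example that is not part of the original thread or of OpenSSL. It assumes the error is raised when the serial is found but the stored subject string differs, and that index.txt has six tab-separated columns; the sample rows, the names and the `Email`/`emailAddress` label difference are constructed for illustration.

```python
# Added example: why `openssl ca -revoke` can report "name does not match".
# Assumed index.txt layout: six tab-separated columns per certificate.
FIELDS = ("status", "expires", "revoked", "serial", "file", "subject")

# Constructed sample rows (not from the thread): row 01 uses an older
# "Email" label, row 02 carries a stray space before "/OU".
SAMPLE_INDEX = (
    "V\t070612000000Z\t\t01\tunknown\t"
    "/C=US/O=Example Org/CN=mail.example.org/Email=admin@example.org\n"
    "V\t070612000000Z\t\t02\tunknown\t"
    "/C=US/O=Example Org /OU=Ops/CN=alt.example.org\n"
)

def parse_index(text):
    """Return {serial: row} for every well-formed index.txt line."""
    rows = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(FIELDS):  # skip malformed lines
            row = dict(zip(FIELDS, parts))
            rows[row["serial"].upper()] = row
    return rows

def normalise(dn):
    """Ignore whitespace and the Email/emailAddress label difference."""
    return "".join(dn.split()).replace("/Email=", "/emailAddress=")

def explain(index_text, serial, cert_subject):
    """Classify the stored subject for `serial` against the certificate's."""
    row = parse_index(index_text).get(serial.upper())
    if row is None:
        return ("serial-not-in-index", None)
    stored = row["subject"]
    if stored == cert_subject:
        return ("match", None)
    # Offset of the first differing character, to point at the culprit.
    pairs = zip(stored, cert_subject)
    pos = next((i for i, (a, b) in enumerate(pairs) if a != b),
               min(len(stored), len(cert_subject)))
    same = normalise(stored) == normalise(cert_subject)
    return ("formatting-only" if same else "different-name", pos)

if __name__ == "__main__":
    cert = "/C=US/O=Example Org/OU=Ops/CN=alt.example.org"
    print(explain(SAMPLE_INDEX, "02", cert))
```

A "formatting-only" result points at the index.txt entry or the name-printing differences between versions rather than at the certificate itself.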