2009/10/25, Dr. Stephen Henson <st...@openssl.org>:
> On Sun, Oct 25, 2009, Daniel Marschall wrote:
>
> > Hello.
> >
> > I have a problem with verification of certificates.
> >
> > My command line is:
> >
> > openssl verify -verbose -issuer_checks -crl_check_all -CAfile
> > tmp_cachain.pem daniel-marschall.crt
> >
>
> Do you get an error without -issuer_checks? As the manual indicates that is a
> debugging option that logs the verification process and for perfectly valid
> chains you will get notifications of mismatches as candidate certificates are
> discarded.


Hello.

Thank you for your answer.

Yes, without that flag, the certificate is valid ("OK"). I know that
the issuer-name errors are actually not really errors, but warnings.
But I want to have a script which checks the certificate for
absolute correctness, so I also want to check whether the issuer names
match (without any manual checking). But because of this bug,
first noticed in 2003, the strings of the CRL issuer and the Cert-PEM issuer
are not equal, because OpenSSL adds a whitespace before /C= in the
issuer name of the Cert-PEM. I wonder how to solve this bug. It was
found in 2003 or earlier, and my 2006/2008 versions also include
the same bug. Is it really still not fixed, or am I wrong?

If you want, you can check my personal CRT/CRLs to validate the bug
(links in the initial mail). In both OpenSSL versions I use (0.9.8c and
0.9.8h) the whitespace is added.

But maybe my Root CA is wrong instead? Maybe my certificates are
'special' ;-) I cannot say, because I only trust the "-issuer -noout"
output at the moment. The Root CA was also created with OpenSSL 0.9.8c,
and in my CSR there was no whitespace before /C= (I made the request
via the parameters -batch and -subj '/C=DE/L=...' and not via manual
input).

CRT: http://www.viathinksoft.de/ca/crt/root.crt (issuer name has
whitespace before first "/")
CRL: http://www.viathinksoft.de/ca/crl/root.crl (issuer name is OK)

Do you know the reason for the bug (issuer detection/verify or Root CA
fault?) and a workaround?

Regards
Daniel Marschall

>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>


-- 
Daniel Marschall
www.daniel-marschall.de
+49 6223 488840
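An added example, not part of the original thread or of OpenSSL itself, of the kind of scripted issuer check described above: it normalises the one-line issuer strings printed by "openssl x509 -issuer -noout" and "openssl crl -issuer -noout" so that a stray leading space before the first "/" does not produce a spurious mismatch, while spaces inside attribute values are preserved. The sample DN strings are constructed; the file names are placeholders and the openssl binary is assumed to be on PATH.

```shell
#!/bin/sh
# Strip the "issuer=" prefix and any whitespace immediately after it (the
# symptom reported in the mail), plus trailing whitespace. Whitespace inside
# the DN itself, e.g. "L=New York", is left untouched.
normalize_issuer() {
    # $1: a line such as "issuer= /C=DE/L=Heidelberg" (constructed sample)
    printf '%s\n' "$1" | sed -e 's/^issuer=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Compare the issuer of a certificate ($1) with the issuer of a CRL ($2).
# Returns 0 when the normalised issuer names are identical, 1 otherwise.
# Note: newer OpenSSL releases accept -nameopt RFC2253 on both commands,
# which yields a canonical form independent of the legacy one-line spacing
# (assumption: version-dependent, so the text normalisation is kept here).
issuer_matches() {
    cert_issuer=$(normalize_issuer "$(openssl x509 -in "$1" -issuer -noout)")
    crl_issuer=$(normalize_issuer "$(openssl crl -in "$2" -issuer -noout)")
    [ "$cert_issuer" = "$crl_issuer" ]
}

# Usage (placeholder file names):
# issuer_matches daniel-marschall.crt root.crl && echo "issuer names match"
```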