On Fri, Oct 30, 2009, Daniel Marschall wrote:

> > 2) When you enable informational messages, you get accurate informational
> > messages.
>
> Please tell me why it isn't a bug! I don't understand it. In my case
> and also in the uncleared case of Helga Krause, the CRL was issued by
> Person X and the CRT was also issued by Person X. "-issuer_checks"
> should output nothing. But instead, it does tell me that the issuers
> are different. But they are equal. So, it is a bug, isn't it?
As I mentioned, it is a diagnostic output. Let me give a simplified example.

Imagine you have a certificate x and three certificates which might be the issuer, A, B and C. Suppose C is the actual issuer. Various checks are performed during the verification process. Normally this will happen: it will look at A and discard it for some reason. It will look at B and discard it for some reason. It will look at C, accept it and carry on. This is just an example; it might see C first and never touch A and B. Normally all this is invisible to the user and this output is never presented: that's why the option is disabled by default.

Now imagine a second scenario where A, B and C are rejected. OpenSSL would by default under these circumstances produce an error saying that the issuer could not be found. This could be because it never looked up C, or it saw C and rejected it but with no indication why. That's why the diagnostic option is there. If you enable it, it will indicate which certificates are examined and why they are rejected. So in the case of an error it will say whether it saw C and why it didn't consider it to be a valid issuer. It can't just output any reason why C is rejected because it doesn't know that C is supposed to be the valid issuer, so it indicates why all candidate issuers are rejected.

So basically it's like this. If you don't include -issuer_checks and you get OK, then everything is fine. If you don't get OK and you think you should, because you feel a valid issuer should be visible, then -issuer_checks might be useful to see why it is failing.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
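As an added example (not from the thread or from the OpenSSL project), the following script builds a throw-away PKI in a temporary directory: a self-signed CA "Person X" that signs a leaf certificate, plus an unrelated CA "Person Y". It then runs `openssl verify` against each with and without -issuer_checks, showing that the flag only adds diagnostics and that the final verdict is what to act on. The subjects, file names and config section are constructed for the demo, and the script assumes an `openssl` binary on PATH.

```shell
# Added example, not from the thread: build a throw-away PKI with the real issuer
# ("Person X") and an unrelated CA ("Person Y"), then show that -issuer_checks
# never changes the verdict of `openssl verify`. Names and paths are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Private config so the CA extensions do not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# make_ca NAME SUBJECT: self-signed CA certificate and key in $WORK.
make_ca() {
    openssl req -config "$WORK/ca.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_ca x "Person X"
make_ca y "Person Y"
# Leaf certificate signed by Person X.
openssl req -config "$WORK/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=leaf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/x.pem" \
    -CAkey "$WORK/x.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
# verdict CAFILE [FLAGS...]: echoes OK or FAIL, the exit status of `openssl verify`.
verdict() {
    cafile=$1; shift
    if openssl verify "$@" -CAfile "$cafile" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}
# Returns 0 when the verdict is identical with and without -issuer_checks,
# both for the right issuer (OK) and for the wrong one (FAIL).
diagnostics_do_not_change_verdict() {
    [ "$(verdict "$WORK/x.pem")" = OK ] || return 1
    [ "$(verdict "$WORK/x.pem" -issuer_checks)" = OK ] || return 1
    [ "$(verdict "$WORK/y.pem")" = FAIL ] || return 1
    [ "$(verdict "$WORK/y.pem" -issuer_checks)" = FAIL ] || return 1
}
# Informational lines, if any, appear before the final "OK" line.
openssl verify -issuer_checks -CAfile "$WORK/x.pem" "$WORK/leaf.pem"
diagnostics_do_not_change_verdict && echo "verdict unchanged by -issuer_checks"
```

Newer OpenSSL releases may print no informational lines at all for -issuer_checks; the comparison of verdicts still holds.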