>From: owner-openssl-...@openssl.org On Behalf Of Mithun Kumar
>Sent: Wednesday, 08 August, 2012 16:53

Note: individual recipient dropped; that's poor netiquette unless requested, which AFAICS it wasn't. I think this should be -users not -dev, so I added -users back.

>I will elaborate, for
>X509_get_subject_name(issuer) = " CN = nc-win2008x64.americas.prog.com , OU = QA , O = DD , L = Morrisville, S = NC , C = US"
>X509_get_issuer_name(subject) = "Issue:- CN = nc-panthers , DC = sso, DC = raldev, DC = com" [in X509_check_issued]

Is that really your client cert, as you said in your first post, or your *server* cert? That CN form is typical for a server. If so, this is almost certainly the first call made in X509_verify_cert (x509_vfy.c line 207 in 1.0.1c) to test IF the cert is self-issued. Since your cert is obviously not self-issued, it is entirely correct that this particular call should return an "error"; the calling code just uses that "error" to decide what to do next; it doesn't fail. You need to investigate what happens *next*: X509_verify_cert should proceed to build out the chain, which in your case should be one more cert (the root), and then verify the chain.

If it's really your client cert, then ssl3_output_cert_chain uses X509_verify_cert to build out the chain (but not really verify it), so it similarly should mismatch on the first call and should then proceed to build the chain if it can.

Can you use (or are you using) command-line s_client to test? That can display a good deal of information about what is happening (at least -state, possibly -msg or -debug), which may narrow this down faster than stepping through code.

>This is causing subject name and issuer name mismatch. Any inputs
>what should be the correct way for chained certificates.

>On Thu, Aug 9, 2012 at 1:53 AM, Ryan Hurst <ryan.hu...@globalsign.com> wrote:
>I think the only cases you will get this are:
>A. Name mismatch in certificates exist, it's a binary compare so
>the smallest change can cause this.

Not entirely. The X509_NAME_cmp comparison is an exact compare of *canonicalized* copies of the DN. This allows for some minor encoding differences, but nothing more than that.

>B. key mismatch, name looks good bit keys are bit as expected.

I don't know what that was supposed to mean. X509_check_issued also checks AKI if present, but not at the source line OP cited. It doesn't check actual key values, or signatures, at all. The *calling* routine, X509_verify_cert, does check signatures (at least normally; it's a pointer you might be able to override), which implicitly checks that issuer keys and signatures are supported.

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
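The reply above makes two points that are easy to misread when stepping through x509_vfy.c: the first X509_check_issued call is a self-issued test that is *expected* to mismatch for any end-entity cert, and the name comparison is done on canonicalized copies of the DN rather than raw bytes. The following is an added example, not code from the thread and not OpenSSL's own implementation: a small Python model of that chain-building walk, using the two DN strings quoted from Mithun's post as the server cert's subject and issuer. The root cert's DN, the `Cert` class, and the canonicalization rules (trim, collapse whitespace, lowercase, which approximate what OpenSSL's `x509_name_canon` does before `X509_NAME_cmp`) are assumptions for this example; real OpenSSL compares DER-encoded canonical names and also checks AKI/SKI and key usage in `X509_check_issued`.

```python
"""
Added example (not part of the openssl-users thread, not OpenSSL code):
a simplified model of how X509_verify_cert walks from a leaf cert to a
trust anchor, and why the first X509_check_issued(x, x) call "fails".
"""
import re


def parse_dn(text):
    """Parse a textual DN such as 'CN = a , OU = b' into [(attr, value), ...].
    A stray label like 'Issue:-' (seen in the post's debug dump) is stripped."""
    text = re.sub(r"^\s*\w+:-\s*", "", text)
    rdns = []
    for part in text.split(","):
        if "=" not in part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def canon_value(value):
    """Approximation (assumption) of OpenSSL's asn1_string_canon: trim, collapse
    internal whitespace runs to one space, lowercase ASCII."""
    return re.sub(r"\s+", " ", value.strip()).lower()


def canon_dn(dn):
    """Canonical form used for comparison; attribute types are upper-cased here
    because this toy uses short names instead of OIDs."""
    return tuple((attr.upper(), canon_value(value)) for attr, value in dn)


class Cert:
    """Hypothetical stand-in for an X509 object: just a name and two DNs."""

    def __init__(self, name, subject, issuer):
        self.name = name
        self.subject = parse_dn(subject)
        self.issuer = parse_dn(issuer)


def check_issued(issuer, subject):
    """Model of the name step of X509_check_issued: issuer's subject must equal
    subject's issuer after canonicalization. Signatures are NOT checked here;
    that is X509_verify_cert's job after the chain is built."""
    return canon_dn(issuer.subject) == canon_dn(subject.issuer)


def build_chain(leaf, untrusted, trusted, max_depth=10):
    """Simplified model of the chain-building loop in X509_verify_cert.
    Returns (chain, steps, anchored): the certs found, a trace of each
    decision, and whether the chain ended in a trusted cert."""
    chain = [leaf]
    steps = []
    while len(chain) < max_depth:
        cur = chain[-1]
        # First call: is the current cert self-issued? For a leaf this is
        # expected to be False; it is a decision, not a verification failure.
        self_issued = check_issued(cur, cur)
        steps.append((cur.name, "self-issued" if self_issued else "not self-issued"))
        if self_issued:
            break
        # Otherwise look for a cert whose subject matches cur's issuer, first
        # among peer-supplied (untrusted) certs, then in the trusted store.
        issuer = next((c for c in untrusted + trusted if check_issued(c, cur)), None)
        if issuer is None:
            steps.append((cur.name, "unable to get issuer certificate"))
            return chain, steps, False
        chain.append(issuer)
    anchored = any(chain[-1] is t for t in trusted)
    return chain, steps, anchored


# Subject and issuer DNs copied from the post; the cert name is constructed.
LEAF = Cert(
    "server",
    " CN = nc-win2008x64.americas.prog.com , OU = QA , O = DD , L = Morrisville, S = NC , C = US",
    "Issue:- CN = nc-panthers , DC = sso, DC = raldev, DC = com",
)
# Constructed self-signed root whose subject matches the leaf's issuer.
ROOT = Cert("root", "CN=nc-panthers, DC=sso, DC=raldev, DC=com",
            "CN=nc-panthers, DC=sso, DC=raldev, DC=com")
# Constructed root with a one-character DN difference (DC=raldev2).
BAD_ROOT = Cert("other-root", "CN=nc-panthers, DC=sso, DC=raldev2, DC=com",
                "CN=nc-panthers, DC=sso, DC=raldev2, DC=com")


if __name__ == "__main__":
    print("self-issued test on leaf:", check_issued(LEAF, LEAF))
    for store in ([ROOT], [BAD_ROOT]):
        chain, steps, ok = build_chain(LEAF, [], store)
        print([c.name for c in chain], ok)
        for step in steps:
            print("   ", step)
```

Run directly, the script shows the "error" from the self-issued test followed by a successful two-cert chain against `ROOT`, and against `BAD_ROOT` the later "unable to get issuer certificate" outcome that is the real failure to look for; the whitespace and case differences between the post's DN text and the constructed root DN are absorbed by the canonicalization, matching the reply's point that only minor encoding differences are tolerated.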