On Thu, Jul 25, 2013 at 07:08:30PM +0200, Dr. Stephen Henson wrote:

>     openssl verify -CAfile root.pem -untrusted allcerts.pem ee.pem
>
> where "allcerts.pem" is the complete peer chain and "ee.pem" is the peer
> certificate. I'd be interested to see what that command produces for
> different versions. If you use a directory, use -CApath instead.
It should be noted that OpenSSL 1.0 changed the hashing algorithm used to
index CApath/ directories. If the OP is using CApath with c_rehash
generated from 0.9.8, that could fail to validate the client certificate,
though the error would typically reflect lack of trust, not cryptographic
integrity problems.

Perhaps the client sends a stale copy of one of the CA certificates, which
has the right issuer name, but the wrong public key. Or the client's
private key and certificate are not as intended...

As for the packet captures on pastebin, it is too difficult to read
pre-decoded packet dumps. The OP should post links to the binary pcap
files.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
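The following script is an added example and is not part of the thread above or of the OpenSSL project. It builds a throwaway root -> intermediate -> end-entity chain and runs the verify command Stephen suggested four ways: against -CAfile, against a CApath rehashed by a 1.x openssl, against a CApath indexed only with the pre-1.0 subject hash (what a 0.9.8 c_rehash leaves behind, the case Viktor raises), and against a stale root that has the same subject name but a different key. It assumes an openssl 1.1.1 or later binary in PATH (for `openssl rehash` and the -no-CAfile / -no-CApath options); every certificate, file name and subject name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the openssl-users thread or from OpenSSL.
# Assumes openssl >= 1.1.1 in PATH. All certificates and names are
# constructed here; nothing is taken from the original poster's setup.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal config so nothing depends on the system openssl.cnf.
write_config() {
  cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ee]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
EOF
}

# Self-signed root; $1 is the file stem. Called twice with the same subject
# name so the second one is a "stale" root whose key differs from the real one.
make_root() {
  openssl req -x509 -config "$WORK/demo.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 365 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_csr() {   # $1 = stem, $2 = CN
  openssl req -new -config "$WORK/demo.cnf" -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

sign_csr() {   # $1 = stem, $2 = issuer stem, $3 = extension section in demo.cnf
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -extfile "$WORK/demo.cnf" -extensions "$3" \
    -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
  write_config
  make_root root
  make_csr inter "Demo Intermediate CA"; sign_csr inter root v3_ca
  make_csr ee "demo.example";            sign_csr ee inter v3_ee
  make_root stale_root
  # The chain the peer would send: intermediate plus end-entity.
  cat "$WORK/inter.pem" "$WORK/ee.pem" > "$WORK/allcerts.pem"
  # CApath indexed by the current (1.0+) subject hash.
  mkdir -p "$WORK/capath_new" && cp "$WORK/root.pem" "$WORK/capath_new/"
  openssl rehash "$WORK/capath_new" 2>/dev/null
  # CApath indexed only by the pre-1.0 subject hash, as a 0.9.8 c_rehash would leave it.
  mkdir -p "$WORK/capath_old"
  cp "$WORK/root.pem" \
    "$WORK/capath_old/$(openssl x509 -noout -subject_hash_old -in "$WORK/root.pem").0"
}

# Both return openssl verify's exit status: 0 for OK, non-zero otherwise.
verify_with_cafile() {   # $1 = trusted root file
  openssl verify -no-CApath -CAfile "$WORK/$1" -untrusted "$WORK/allcerts.pem" "$WORK/ee.pem"
}
verify_with_capath() {   # $1 = directory under $WORK
  openssl verify -no-CAfile -CApath "$WORK/$1" -untrusted "$WORK/allcerts.pem" "$WORK/ee.pem"
}

report() {   # $1 = label, rest = command to run
  label="$1"; shift
  if "$@" >/dev/null 2>&1; then echo "$label: OK"; else echo "$label: FAILED (exit $?)"; fi
}

main() {
  build_pki
  echo "root.pem subject hash, current style and pre-1.0 style:"
  openssl x509 -noout -subject_hash -subject_hash_old -in "$WORK/root.pem"
  report "CAfile root.pem"                              verify_with_cafile root.pem
  report "CApath rehashed by openssl 1.x"               verify_with_capath capath_new
  report "CApath with 0.9.8-style hash only"            verify_with_capath capath_old
  report "CAfile stale_root.pem (same name, other key)" verify_with_cafile stale_root.pem
}

if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not in PATH" >&2; fi
```

Run it as `sh demo.sh` (set WORK=/some/dir to keep the files for inspection). The first two verifications succeed; the third fails because a 1.x verifier looks up `<new-hash>.0` and the directory only contains `<old-hash>.0`, and the fourth fails because the trusted root, although it carries the expected subject name, does not hold the key that signed the intermediate. Re-running `c_rehash` (or `openssl rehash`) with the 1.x build of the tool, and comparing the outputs of `openssl x509 -subject_hash` and `-subject_hash_old` against the file names actually present in the CApath directory, is the quick way to tell the two failure modes apart on a real system.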