On Thu, Jul 25, 2013, Viktor Dukhovni wrote:
> On Thu, Jul 25, 2013 at 07:08:30PM +0200, Dr. Stephen Henson wrote:
>
> > openssl verify -CAfile root.pem -untrusted allcerts.pem ee.pem
> >
> > where "allcerts.pem" is the complete peer chain and "ee.pem" is the peer
> > certificate. I'd be interested to see what that command produces for
> > different versions. If you use a directory, use -CApath instead.
>
> It should be noted that OpenSSL 1.0 changed the hashing algorithm
> used to index CApath/ directories. If the OP is using CApath with
> c_rehash generated from 0.9.8, that could fail to validate the
> client certificate, though the error would typically reflect lack
> of trust, not cryptographic integrity problems.
>

Yes, I'd considered that as a possibility, but as you say you'd get a
different error.

> Perhaps the client sends a stale copy of one of the CA certificates,
> which has the right issuer name, but the wrong public key. Or
> the client's private key and certificate are not as intended...
>

The hints I get imply the verify algorithm is using the wrong
certificate to verify the chain.

To the OP: do those two CA certificates you mentioned have the exact
same subject name?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
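The two checks the thread suggests, as an added example that is not part of the mailing-list exchange: a small sh script that reports CA certificates in a PEM bundle sharing one subject name but carrying different public keys (Steve's question to the OP), and -CApath hash links still named with the 0.9.8-era subject hash (Viktor's c_rehash point). It assumes the openssl CLI is installed (1.0.0 or later, for -subject_hash_old); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI, 1.0.0+.
# Split a PEM bundle into one file per certificate in directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}
# A subject that appears with more than one public key lets the verifier pick
# the wrong issuer certificate, which surfaces as a signature failure rather
# than "untrusted". Prints "DUPLICATE-SUBJECT <subject>"; returns 1 if any.
find_subject_collisions() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    for c in "$dir"/cert-*.pem; do
        subj=$(openssl x509 -in "$c" -noout -subject)
        # Fingerprint the SubjectPublicKeyInfo so a re-issued copy with the
        # same key is not counted as a different CA.
        spki=$(openssl x509 -in "$c" -noout -pubkey |
               openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')
        printf '%s\t%s\n' "$spki" "$subj"
    done | sort -u | awk -F'\t' '
        { seen[$2]++ }
        END { for (s in seen) if (seen[s] > 1) { print "DUPLICATE-SUBJECT " s; bad = 1 }; exit bad }'
    rc=$?
    rm -rf "$dir"
    return $rc
}
# OpenSSL 1.0 changed the hash used to name -CApath links. Flag links whose
# name is the 0.9.8 hash (or no hash) of the subject. Returns 1 if any found.
check_capath_hashes() {
    bad=0
    for link in "$1"/*.[0-9]; do
        [ -e "$link" ] || continue
        name=$(basename "$link"); name=${name%.*}
        new=$(openssl x509 -in "$link" -noout -subject_hash)
        old=$(openssl x509 -in "$link" -noout -subject_hash_old)
        if [ "$name" != "$new" ]; then
            if [ "$name" = "$old" ]; then why="0.9.8 hash; rerun c_rehash"; else why="not the subject hash"; fi
            echo "STALE-HASH $link ($why)"; bad=1
        fi
    done
    return $bad
}
```

Run `find_subject_collisions allcerts.pem` on the chain the client sends and `check_capath_hashes /etc/ssl/certs` (or whatever directory is passed to -CApath); a non-zero exit from either points at the corresponding failure mode.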