On Thu, Jul 25, 2013, Viktor Dukhovni wrote:

> On Thu, Jul 25, 2013 at 07:08:30PM +0200, Dr. Stephen Henson wrote:
> 
> > openssl verify -CAfile root.pem -untrusted allcerts.pem ee.pem
> > 
> > where "allcerts.pem" is the complete peer chain and "ee.pem" is the peer
> > certificate. I'd be interested to see what that command produces for
> > different versions. If you use a directory, use -CApath instead.
> 
> It should be noted that OpenSSL 1.0 changed the hashing algorithm
> used to index CApath/ directories.  If the OP is using CApath with
> c_rehash generated from 0.9.8, that could fail to validate the
> client certificate, though the error would typically reflect lack
> of trust, not cryptographic integrity problems.
> 

Yes, I'd considered that as a possibility, but as you say you'd get a different
error.

> Perhaps the client sends a stale copy of one of the CA certificates,
> which has the right issuer name, but the wrong public key.  Or
> the client's private key and certificate are not as intended...
> 

The hints I get imply the verify algorithm is using the wrong certificate to
verify the chain. To the OP: do those two CA certificates you mentioned have
the exact same subject name?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
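An added helper script (not from this thread and not part of OpenSSL's own tooling) that checks for the two things raised above: a -CApath directory still indexed only with the pre-1.0 subject hash, and a bundle such as "allcerts.pem" containing two CA certificates with the same subject name. It assumes a POSIX shell with the openssl binary on PATH; every certificate file name is a placeholder.

```shell
#!/bin/sh
# Constructed helper, not from the mailing-list thread.
set -eu

# Print subject names that occur more than once among the certificates in a
# PEM bundle (e.g. the file given to "openssl verify -untrusted").  Two CA
# certificates with the same subject but different keys is exactly the case
# that makes the verifier pick the wrong issuer certificate.
duplicate_subjects() {
    bundle=$1
    tmp=$(mktemp -d)
    # split the bundle into one file per certificate (c1.pem, c2.pem, ...)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                       n > 0 {print > (dir "/c" n ".pem")}' "$bundle"
    for c in "$tmp"/c*.pem; do
        openssl x509 -noout -subject -in "$c"
    done | sort | uniq -d
    rm -rf "$tmp"
}

# Report certificates in a -CApath directory that are reachable only through
# the pre-1.0 hash link (what c_rehash from 0.9.8 creates).  OpenSSL >= 1.0
# looks them up by -subject_hash, so such a directory fails with a
# lack-of-trust error rather than a signature error.
stale_capath_links() {
    dir=$1
    for cert in "$dir"/*.pem; do
        new=$(openssl x509 -noout -subject_hash -in "$cert")
        old=$(openssl x509 -noout -subject_hash_old -in "$cert")
        if ! ls "$dir/$new".[0-9]* >/dev/null 2>&1; then
            if ls "$dir/$old".[0-9]* >/dev/null 2>&1; then
                echo "STALE (old-style hash only): $cert -> $old.*"
            else
                echo "UNINDEXED: $cert"
            fi
        fi
    done
}
```

Run `stale_capath_links /path/to/capath` on the directory behind -CApath, and `duplicate_subjects allcerts.pem` on the chain the peer sends; an empty result from both rules out these two explanations.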