Maybe the set of stored root certificates changed with the update? Try openssl s_client to debug it?
> On Nov 17, 2018, at 8:57 PM, Ken <open...@k-h.us> wrote:
>
> I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP), which uses x509_verify_certificate to check the validity of a certificate on an RDP server.
>
> Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips 26 Sep 2016") everything works great.
>
> But, when I upgrade to openSUSE Leap 15.0 (which uses openssl version "1.1.0i-fips 14 Aug 2018") I get an error when connecting to servers that use publicly-signed certificates:
>
> Certificate details:
> Subject: OU = Domain Control Validated, CN = owa.xxxxx.com
> Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
> Thumbprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
> The above X.509 certificate could not be verified, possibly because you do not have
> the CA certificate in your certificate store, or the certificate has expired.
> Please look at the OpenSSL documentation on how to add a private CA to the store.
> Do you trust the above certificate? (Y/T/N)
>
>
> On both versions, strace shows it is checking for /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the correct CA) - but with openssl version "1.1.0i-fips 14 Aug 2018", it never opens that file. (With openssl version "1.0.2j-fips 26 Sep 2016", it does open/read that file, which it seems like it would need to, in order to find out if it matches the certificate.)
>
>
> Any idea what changed? (Or, better question, what needs to be changed to make this application work again?)
>
>
> Thanks,
> Ken
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
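An added example, not written by either poster and not FreeRDP or OpenSSL project code: a way to repeat by hand the hashed-directory lookup that the strace output in the thread shows (a file named `<hash>.0` under the CA directory) and then check the chain against that directory alone. The function names are hypothetical, the server certificate is assumed to be already saved as a PEM file, and `-no-CAfile` assumes OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL's hashed-directory (CApath) issuer lookup.
# Function names and arguments are hypothetical, not FreeRDP or OpenSSL APIs.

# Strip the leading "issuer=" / "subject=" label so two names can be compared.
_dn() { sed 's/^[a-z]*= *//'; }

# issuer_lookup CERT.pem CAPATH
# Prints the CAPATH file holding the issuer of CERT.pem and returns 0.
# Returns 1 when no <issuer_hash>.N file carries a matching subject name.
issuer_lookup() {
    cert=$1
    capath=$2
    h=$(openssl x509 -in "$cert" -noout -issuer_hash) || return 2
    want=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | _dn)
    # Names that share a hash are told apart by the suffix: .0, .1, ...
    for f in "$capath/$h".*; do
        [ -e "$f" ] || continue
        have=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | _dn)
        if [ "$have" = "$want" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# verify_in_capath CERT.pem CAPATH
# Verifies CERT.pem using only CAPATH as the trust store. -no-CAfile keeps
# the default bundle file out of the result, so success here means the
# hashed directory alone was enough. Exit status is nonzero on failure.
verify_in_capath() {
    openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1
}
```

If `issuer_lookup` finds the file but `verify_in_capath` still fails, the direct issuer is present in the directory and the failure lies elsewhere in chain building or validation, which narrows down where to look next.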