Re: [openssl-users] Problem with x509_verify_certificate

Sun, 18 Nov 2018 22:16:23 -0800 

There are no stale intermediate certificates on my computer.
(This was a fresh install, on a new drive. I should have never said "upgrade".)
Also, strace shows that it is looking for the correct CA certificate (/var/lib/ca-certificates/openssl/4bfab552.0), and being told that it exists - but with the newer version of openssl, it never tries to open the CA certificate (the older version does). 



------ Original Message ------
From: Viktor Dukhovni <openssl-us...@dukhovni.org>
Sent: Sun, 18 Nov 2018 01:00:50 -0500
To: Openssl-users <openssl-users@openssl.org>

Subject: Re: [openssl-users] Problem with x509_verify_certificate

Most likely there's a stale (expired) copy of the intermediate certificate in
question in the trust store, but the peer (server) sent an unexpired version
in the handshake.  The solution is to remove the stale intermediate from
the trust store.


On Nov 17, 2018, at 8:57 PM, Ken <open...@k-h.us> wrote:

I use an application, FreeRDP (https://github.com/FreeRDP/FreeRDP), which uses 
x509_verify_certificate to check the validity of a certificate on a RDP server.

Under openSUSE Leap 42.3 (which uses openssl version "1.0.2j-fips  26 Sep 
2016") everything works great.

But, when I upgrade to openSUSE Leap 15.0 (which uses openssl version "1.1.0i-fips  
14 Aug 2018") I get an error when connecting to servers that use publicly-signed 
certificates:

Certificate details:
         Subject: OU = Domain Control Validated, CN = owa.xxxxx.com
         Issuer: C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, 
Inc.", OU =http://certs.starfieldtech.com/repository/, CN = Starfield Secure 
Certificate Authority - G2
         Thumbprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
The above X.509 certificate could not be verified, possibly because you do not 
have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the 
store.
Do you trust the above certificate? (Y/T/N)


On both versions, strace shows is it checking for /var/lib/ca-certificates/openssl/4bfab552.0 
(which exists, and is the correct CA) - but with openssl version "1.1.0i-fips  14 Aug 
2018", it never opens that file. (With openssl version "1.0.2j-fips  26 Sep 2016", 
it does open/read that file, which it seems like it work need to, in order to find out if it 
matches the certificate.)


Any idea what changed? (Or, better question, what needs to be changed to make 
this application work again?)



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to