[openssl.org #249] 'openssl verify' broken
We'll assume that the config and cert chain issues were finally worked out over the past several years... If not, please re-open.

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
[openssl.org #249] 'openssl verify' broken
I saw Stephen's reply on this (it didn't get into RT *#$%^#), but nothing more. Has this been resolved or is it still an issue? If the issue has been resolved, this ticket should be marked resolved.

[[EMAIL PROTECTED] - Mon Aug 26 10:30:51 2002]:
> OpenSSL self-test report:
>
> OpenSSL version:  0.9.6g
> Last change:      [In 0.9.6g-engine release:]...
> Options:          no-idea --prefix=/usr/local --openssldir=/usr/local/ssl no-threads shared
> OS (uname):       Linux binky 2.4.19 #1 Fri Aug 9 10:17:44 CEST 2002 i586 unknown
> OS (config):      i586-whatever-linux2
> Target (default): linux-elf
> Target:           linux-elf
> Compiler:         gcc version 2.95.3 20010315 (release)
>
> Hi all,
>
> openssl x509 -purpose -in /etc/certs/foo.pem says:
>
> Certificate purposes:
> SSL client : No
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : No
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : Yes
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
>
> But openssl verify -verbose -CAfile /etc/certs/ca.pem /etc/certs/foo.pem says:
>
> 'error 20 at 0 depth lookup:unable to get local issuer certificate'
>
> Regards
> Olaf

--
Richard Levitte
[openssl.org #249] 'openssl verify' broken
[levitte - Sun Oct 6 11:07:19 2002]:
> I saw Stephen's reply on this (it didn't get into RT *#$%^#), but nothing more. Has this been resolved or is it still an issue? If the issue has been resolved, this ticket should be marked resolved.
[openssl.org #249] 'openssl verify' broken
OK, I just haven't seen further communication on this, so I've no idea what conclusions you came to. It's very possible that the CA certificate didn't match the issuer of the certificate you wanted to verify. Do you have the possibility to send me the certificates you were using in your test?

[guest - Sun Oct 6 17:36:47 2002]:
> [levitte - Sun Oct 6 11:07:19 2002]:
> > I saw Stephen's reply on this (it didn't get into RT *#$%^#), but nothing more. Has this been resolved or is it still an issue? If the issue has been resolved, this ticket should be marked resolved.
>
> yes, I still get this error.

--
Richard Levitte
Re: [openssl.org #249] 'openssl verify' broken
Richard Levitte via RT wrote:
> OK, I just haven't seen further communication on this, so I've no idea what conclusions you came to. It's very possible that the CA certificate didn't match the issuer of the certificate you wanted to verify. Do you have the possibility to send me the certificates you were using in your test?

Here are the 'openssl x509' dumps, I hope that helps.

ca.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]
        Validity
            Not Before: Aug 25 21:56:07 2002 GMT
            Not After : Aug 22 21:56:07 2012 GMT
        Subject: C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                7F:F1:51:FB:14:2F:C6:33:5F:5B:9D:EF:10:E0:7C:28:0A:A4:A3:5D
            X509v3 Authority Key Identifier:
                keyid:7F:F1:51:FB:14:2F:C6:33:5F:5B:9D:EF:10:E0:7C:28:0A:A4:A3:5D
                DirName:/C=DE/ST=Hamburg/L=Hamburg/O=zaplinski.de/CN=zaplinski.de root [EMAIL PROTECTED]
                serial:00
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Cert Type:
                SSL CA, S/MIME CA
            X509v3 Subject Alternative Name:
                email:[EMAIL PROTECTED]
            X509v3 Issuer Alternative Name:
                email:[EMAIL PROTECTED]
    Signature Algorithm: md5WithRSAEncryption
        [...]

mail.zaplinski.de.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]
        Validity
            Not Before: Aug 25 22:52:15 2002 GMT
            Not After : Aug 22 22:52:15 2012 GMT
        Subject: C=DE, ST=Hamburg, O=zaplinski.de, [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [...]
[openssl.org #249] 'openssl verify' broken
[[EMAIL PROTECTED] - Sun Oct 6 21:38:18 2002]:
> Richard Levitte via RT wrote:
> > OK, I just haven't seen further communication on this, so I've no idea what conclusions you came to. It's very possible that the CA certificate didn't match the issuer of the certificate you wanted to verify. Do you have the possibility to send me the certificates you were using in your test?
>
> Here are the 'openssl x509' dumps, I hope that helps.

Yup. So let me see if I got this right, you're trying to verify mail.zaplinski.de.pem using ca.pem, right? And both of those files only contain one certificate, right (openssl x509 will only dump the first certificate found in a .pem file, IIRC)?

In that case, the certificate in ca.pem is insufficient for verification, because it in turn depends on another CA certificate. Observe the subject and the issuer that you show us:

ca.pem
[...]
        Issuer: C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]
        Subject: C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de root [EMAIL PROTECTED]

The issuer has the RDN L=Hamburg, the subject doesn't. The issuer therefore must have another certificate. So, the chain that can be built is mail.zaplinski.de.pem - ca.pem - ???, where '???' is an unknown, and as far as I understand, unavailable certificate. Therefore, 'openssl verify' is absolutely correct in saying 'unable to get local issuer certificate'.

Unless you have other facts contradicting my guesses, I'm going to consider this case closed and the ticket resolved.

--
Richard Levitte
[openssl.org #249] 'openssl verify' broken
OpenSSL self-test report:

OpenSSL version:  0.9.6g
Last change:      [In 0.9.6g-engine release:]...
Options:          no-idea --prefix=/usr/local --openssldir=/usr/local/ssl no-threads shared
OS (uname):       Linux binky 2.4.19 #1 Fri Aug 9 10:17:44 CEST 2002 i586 unknown
OS (config):      i586-whatever-linux2
Target (default): linux-elf
Target:           linux-elf
Compiler:         gcc version 2.95.3 20010315 (release)

Hi all,

openssl x509 -purpose -in /etc/certs/foo.pem says:

Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes

But openssl verify -verbose -CAfile /etc/certs/ca.pem /etc/certs/foo.pem says:

'error 20 at 0 depth lookup:unable to get local issuer certificate'

Regards
Olaf
Re: [openssl.org #249] 'openssl verify' broken
On Mon, Aug 26, 2002, Olaf Zaplinski via RT wrote:
> OpenSSL self-test report:
>
> OpenSSL version:  0.9.6g
> Last change:      [In 0.9.6g-engine release:]...
> Options:          no-idea --prefix=/usr/local --openssldir=/usr/local/ssl no-threads shared
> OS (uname):       Linux binky 2.4.19 #1 Fri Aug 9 10:17:44 CEST 2002 i586 unknown
> OS (config):      i586-whatever-linux2
> Target (default): linux-elf
> Target:           linux-elf
> Compiler:         gcc version 2.95.3 20010315 (release)
>
> Hi all,
>
> openssl x509 -purpose -in /etc/certs/foo.pem says:
>
> Certificate purposes:
> SSL client : No
> SSL client CA : No
> SSL server : Yes
> SSL server CA : No
> Netscape SSL server : Yes
> Netscape SSL server CA : No
> S/MIME signing : No
> S/MIME signing CA : No
> S/MIME encryption : No
> S/MIME encryption CA : No
> CRL signing : Yes
> CRL signing CA : No
> Any Purpose : Yes
> Any Purpose CA : Yes
>
> But openssl verify -verbose -CAfile /etc/certs/ca.pem /etc/certs/foo.pem says:
>
> 'error 20 at 0 depth lookup:unable to get local issuer certificate'

What that is saying is that it can't find the CA certificate of foo.pem in ca.pem. This could be because it doesn't contain the certificate or it could be a bug. Why don't you include the contents of files foo.pem and cacert.pem? You can also try the -issuer_checks option to see why it is rejecting any candidate CA certificates.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
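The chain building that Richard's subject/issuer comparison and Steve's -issuer_checks hint both describe, as an added example that is not part of the thread or of OpenSSL: a small Python model of how a verifier selects an issuer, run over the DNs from the dumps above. The DN strings and key identifier are those in the ticket; the leaf's AKID and the corrected CA certificate are constructed, and the model is name/keyid matching only (no signature check).

```python
# Added example, not code from the OpenSSL thread: a stdlib-only model of the
# issuer lookup 'openssl verify' does when building a chain. A candidate is an
# issuer only if its Subject DN equals the child's Issuer DN and, when both key
# identifiers exist, the child's AKID keyid equals the candidate's SKID. DNs and
# keyid are from the ticket's dumps (redacted emailAddress RDNs left out); the
# leaf's AKID is constructed, since its dump stops before the extensions.
def parse_dn(dn):
    """'C=DE, ST=Hamburg, ...' -> ordered ((type, value), ...). Naive split;
    values containing ',' would need RFC 4514 escaping, not handled here."""
    return tuple(tuple(p.strip().split("=", 1)) for p in dn.split(","))

class Cert:
    def __init__(self, name, subject, issuer, skid=None, akid=None):
        self.name, self.skid, self.akid = name, skid, akid
        self.subject, self.issuer = parse_dn(subject), parse_dn(issuer)
    def self_signed(self):  # self-issued by name, which is what the lookup sees
        return self.subject == self.issuer

def issuer_check(child, cand):
    """None if cand could have issued child, else the rejection reason
    (the kind of message 'openssl verify -issuer_checks' prints)."""
    if child.issuer != cand.subject:
        return "subject issuer mismatch"
    if child.akid and cand.skid and child.akid != cand.skid:
        return "authority and subject key identifier mismatch"
    return None

def build_chain(leaf, trusted):
    """Walk from leaf to a trusted CA; returns (chain names, err, depth): err 0 ok,
    18/19 self-signed but untrusted, 20 'unable to get local issuer certificate'."""
    chain, cur = [leaf], leaf
    while cur not in trusted:
        names, depth = [c.name for c in chain], len(chain) - 1
        if cur.self_signed():
            return names, (18 if cur is leaf else 19), depth
        nxt = next((c for c in trusted if issuer_check(cur, c) is None), None)
        if nxt is None:  # no trusted cert passes issuer_check at this depth
            return names, 20, depth
        chain.append(nxt)
        cur = nxt
    return [c.name for c in chain], 0, len(chain) - 1

ROOT_WITH_L = "C=DE, ST=Hamburg, L=Hamburg, O=zaplinski.de, CN=zaplinski.de root"
ROOT_NO_L = "C=DE, ST=Hamburg, O=zaplinski.de, CN=zaplinski.de root"
KEYID = "7F:F1:51:FB:14:2F:C6:33:5F:5B:9D:EF:10:E0:7C:28:0A:A4:A3:5D"
# ca.pem as dumped in the ticket: Issuer carries L=Hamburg, Subject does not.
ca_pem = Cert("ca.pem", ROOT_NO_L, ROOT_WITH_L, skid=KEYID, akid=KEYID)
# mail.zaplinski.de.pem: its Issuer is the DN with L=Hamburg (AKID constructed).
leaf = Cert("mail.zaplinski.de.pem", "C=DE, ST=Hamburg, O=zaplinski.de", ROOT_WITH_L, akid=KEYID)
# Constructed: a ca.pem whose Subject equals its Issuer, so the chain closes.
fixed_ca = Cert("ca-fixed.pem", ROOT_WITH_L, ROOT_WITH_L, skid=KEYID)
```

With the dumped ca.pem, build_chain(leaf, [ca_pem]) stops with error 20 at depth 0, matching the report, because the only candidate fails the DN comparison even though the key identifiers agree; with fixed_ca as trust anchor the chain closes at depth 1.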