>From: owner-openssl-...@openssl.org On Behalf Of Indtiny s
>Sent: Thursday, 11 October, 2012 01:20

This is not a bug and doesn't really belong on -dev.

>I have converted my certificates which are in DER form
>to PEM using below openssl command (because curl wants
>that certificates to be in PEM format)
>openssl x509 -in root.x509 -inform DER -out root.crt -outform PEM

If that filename is accurate and this is a root cert file, and is being used as/in your truststore, it's not just curl that wants PEM format, it's openssl. (For many things openssl supports both PEM and DER formats and sometimes others, but its standard truststore methods support only PEM.)

>And try to execute the curl client with error buffer set
>(it will save the errors which will be thrown by ssl),
>I get the below error while doing
>223: SSL: couldn't get X509-subject!
>curl_easy_perform() failed: SSL connect error error no is 35.
>I checked my cert with
>openssl x509 -in root.crt -inform PEM -noout -text
>and it shows that certificate does not have subject.
>Now is it mandatory to have the certificate with subject..

A *CA* certificate (root or chain) yes. RFC 5280 4.1.2.6 et al. Officially an *entity* cert can use SAN and empty Subject. (You can't actually omit Subject from the ASN.1, only make it an empty sequence -- no RDN elements.) I haven't tested if this works with openssl, although I see no logical reason it shouldn't.

>How to disable this at openssl part..?

OpenSSL chains only by child.issuer = parent.subject, although in principle AKI can be used instead. If you did "disable" this, you would have to accept all servers (or other signers) including the fraudulent ones, and you almost might as well just drop SSL (or other crypto) and use cleartext. (You do expose your sensitive data only to one crook at a time, if that's a benefit.)

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
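Added illustration, not part of the thread above and not OpenSSL's code: a small stand-alone Python script that builds a toy DER certificate structure (unsigned, with placeholder key and signature bytes, so it is only structurally shaped like X.509), then shows the three points the reply makes: Subject cannot be omitted but can be an empty SEQUENCE, a chain is built by matching child.issuer against parent.subject, and DER/PEM are the same bytes in two wrappings. All names and helper functions here are constructed for the example; the DER encoder and parser are deliberately minimal and cover only the tags this example emits.

```python
import base64
import textwrap

# ---- minimal DER encoder (constructed helper, not a full ASN.1 library) ----
def der_len(n):
    """Length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def seq(*items):   return tlv(0x30, b"".join(items))
def setof(*items): return tlv(0x31, b"".join(items))
def integer(n):    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def oid(dotted):
    """OBJECT IDENTIFIER with base-128 sub-identifier encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def name(cn=None):
    """X.501 Name = SEQUENCE OF RDN. cn=None gives the empty SEQUENCE the reply
    describes: Subject is present in the ASN.1 but carries no RDN elements."""
    if cn is None:
        return seq()
    return seq(setof(seq(oid("2.5.4.3"), tlv(0x0C, cn.encode()))))  # CN as UTF8String

def certificate(subject_cn, issuer_cn, serial=1):
    """Constructed, UNSIGNED certificate-shaped DER: placeholder SPKI and signature."""
    tbs = seq(
        tlv(0xA0, integer(2)),                                   # [0] EXPLICIT version v3
        integer(serial),
        seq(oid("1.2.840.113549.1.1.11")),                       # sha256WithRSAEncryption
        name(issuer_cn),
        seq(tlv(0x17, b"200101000000Z"), tlv(0x17, b"300101000000Z")),  # validity (UTCTime)
        name(subject_cn),
        seq(seq(oid("1.2.840.113549.1.1.1")), tlv(0x03, b"\x00")),      # placeholder SPKI
    )
    return seq(tbs, seq(oid("1.2.840.113549.1.1.11")), tlv(0x03, b"\x00"))  # placeholder sig

# ---- minimal DER reader ----
def read_tlv(buf, pos=0):
    tag = buf[pos]; pos += 1
    length = buf[pos]; pos += 1
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def tbs_fields(cert_der):
    """Return TBSCertificate fields with the optional [0] version stripped:
    serial, signature alg, issuer, validity, subject, spki, ..."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs, _ = read_tlv(cert)
    fields = children(tbs)
    return fields[1:] if fields[0][0] == 0xA0 else fields

def issuer_der(cert_der):  return tbs_fields(cert_der)[2][1]
def subject_der(cert_der): return tbs_fields(cert_der)[4][1]

def subject_rdns(cert_der):
    """Decode Subject into [(oid_hex, value)]; [] means an empty Subject SEQUENCE."""
    out = []
    for _, rdn in children(subject_der(cert_der)):
        for _, atv in children(rdn):
            (_, o), (_, v) = children(atv)
            out.append((o.hex(), v.decode()))
    return out

def has_subject(cert_der):
    return len(subject_rdns(cert_der)) > 0

def issuer_matches(child_der, parent_der):
    """The chaining rule from the reply: child.issuer must equal parent.subject.
    Byte comparison of the Name DER is a simplification of OpenSSL's name compare."""
    return issuer_der(child_der) == subject_der(parent_der)

def der_to_pem(der, label="CERTIFICATE"):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def pem_to_der(pem):
    lines = [l for l in pem.splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

if __name__ == "__main__":
    root = certificate("Example Root", "Example Root")       # self-issued root
    leaf = certificate("example.test", "Example Root")       # issued by that root
    bad_root = certificate(None, None)                       # empty Subject, as in the thread
    print("root has subject:", has_subject(root), subject_rdns(root))
    print("bad root has subject:", has_subject(bad_root))
    print("leaf chains to root:", issuer_matches(leaf, root))
    print("leaf chains to bad root:", issuer_matches(leaf, bad_root))
    print(der_to_pem(root))
```

Running it shows why the empty-Subject root in the thread fails: the leaf's Issuer has one RDN, the root's Subject has none, so no parent can ever match and verification stops at the leaf. The PEM output is only a base64 wrapping of the same DER bytes, which is why `openssl x509 -inform DER -outform PEM` changes nothing about the Subject.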