RE: certificate verification problem

2014-10-31 Thread Dave Thompson
 From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org
 Sent: Thursday, October 30, 2014 14:50

 I have... root_ca.pem ... self-signed ... issued host_ca.pem ...
 I would expect the two to form a valid chain. And indeed,
 verification succeeds:

 ... openssl verify -CAfile root_ca.pem host_ca.pem
 host_ca.pem: OK

 However, if I add -issuer_checks to the command line, I get errors:

 openssl verify -CAfile root_ca.pem -issuer_checks host_ca.pem
 host_ca.pem: C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, 
 OU = Network Administration, CN = K\C3\B6ller Family Host Signing Certificate
 error 29 at 0 depth lookup:subject issuer mismatch
 C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network 
 Administration, CN = K\C3\B6ller Family Host Signing Certificate
 error 29 at 0 depth lookup:subject issuer mismatch
 C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network 
 Administration, CN = K\C3\B6ller Family Host Signing Certificate
 error 29 at 0 depth lookup:subject issuer mismatch
 OK

 Next, I look at the subject and issuer fields of both certificates, and 
 find them to be matching: snip
 Am I wrong to expect the verify command to succeed without errors in 
 this case, even with -issuer_checks? I am attaching the two certificates,
 in case someone wants to investigate the problem.

As the manpage says:
Print out diagnostics relating to searches for the issuer certificate of the 
current certificate. 
This shows why each candidate issuer certificate was rejected. The presence of 
rejection messages does not itself imply that anything is wrong; during 
the normal verification process, several rejections may take place.

In particular, although the manpage doesn't say so, X509_verify_cert 
checks several(!) times whether your cert is self-issued, only to find it isn't,
causing the errors you see in this case.

The result is OK; the errors should be ignored.


__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org
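A practical way to apply the advice above when verification is scripted is to treat only the exit status of openssl verify (or the final "OK" line) as the verdict and to log the candidate-issuer diagnostics separately. The script below is an added example, not code from the thread: it builds a throwaway two-certificate chain shaped like the one described (a self-signed root that issued a subordinate "host signing" certificate, plus an unrelated root as a negative control), then runs openssl verify with and without -issuer_checks through a small wrapper that echoes the exit status while forwarding everything openssl prints to stderr. All subject names and file names are constructed placeholders; it assumes an openssl binary in PATH and a release whose verify command exits non-zero on failure. Note that on OpenSSL 1.0.x (the version in use when this thread was written) -issuer_checks prints the "error 29 ... subject issuer mismatch" rejection lines for each self-issued probe, while from 1.1.0 onwards the option is accepted but ignored; in both cases the exit status is the same as for the plain run.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway chain like the
# one described (self-signed root -> subordinate "host signing" cert), verify
# it with and without -issuer_checks, and act only on openssl's exit status.
# Assumes an openssl binary in PATH. All names below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root_ca.pem"      # trust anchor, stands in for root_ca.pem
HOST="$WORK/host_ca.pem"      # issued by ROOT, stands in for host_ca.pem
OTHER="$WORK/other_root.pem"  # unrelated self-signed root (negative control)

# Constructed test certificates with placeholder names, 1-day validity.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=Example Family/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Family/CN=Example Host Signing Certificate" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
openssl x509 -req -days 1 -sha256 -in "$WORK/host.csr" \
    -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial -out "$HOST" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=Example Family/CN=Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$OTHER" 2>/dev/null

# verify_status CAFILE CERT [one extra openssl verify option]
# Echoes openssl verify's exit status. Everything openssl prints, including
# the "error N at depth D lookup:..." candidate-rejection diagnostics that
# -issuer_checks adds on OpenSSL 1.0.x, is forwarded to stderr so a human
# can read it but a script never mistakes it for the verdict.
verify_status() {
    cafile=$1
    cert=$2
    extra=${3:-}
    status=0
    openssl verify -CAfile "$cafile" $extra "$cert" 1>&2 || status=$?
    echo "$status"
}

# Demonstration: same verdict with and without -issuer_checks; failure only
# when the trust anchor really does not match the certificate's issuer.
echo "plain verify:         exit $(verify_status "$ROOT" "$HOST")"
echo "with -issuer_checks:  exit $(verify_status "$ROOT" "$HOST" -issuer_checks)"
echo "wrong trust anchor:   exit $(verify_status "$OTHER" "$HOST")"
```

The wrapper deliberately keeps openssl's own text on stderr rather than parsing it: the diagnostic lines vary between releases, whereas the exit status (and the trailing "OK") is the stable, authoritative signal that a monitoring or deployment script should gate on.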


Re: certificate verification problem

2014-10-31 Thread thomas


On 10/31/2014 03:24 PM, Dave Thompson wrote:
 From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org
 Sent: Thursday, October 30, 2014 14:50

 I have... root_ca.pem ... self-signed ... issued host_ca.pem ...
 I would expect the two to form a valid chain. And indeed,
 verification succeeds:

 ... openssl verify -CAfile root_ca.pem host_ca.pem
 host_ca.pem: OK

 However, if I add -issuer_checks to the command line, I get errors:

 openssl verify -CAfile root_ca.pem -issuer_checks host_ca.pem
 host_ca.pem: C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family,
 OU = Network Administration, CN = K\C3\B6ller Family Host Signing Certificate
 error 29 at 0 depth lookup:subject issuer mismatch
 C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network
 Administration, CN = K\C3\B6ller Family Host Signing Certificate
 error 29 at 0 depth lookup:subject issuer mismatch
 C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network
 Administration, CN = K\C3\B6ller Family Host Signing Certificate
 error 29 at 0 depth lookup:subject issuer mismatch
 OK

 Next, I look at the subject and issuer fields of both certificates, and
 find them to be matching: snip
 Am I wrong to expect the verify command to succeed without errors in
 this case, even with -issuer_checks? I am attaching the two certificates,
 in case someone wants to investigate the problem.

 As the manpage says:
 Print out diagnostics relating to searches for the issuer certificate of the 
 current certificate.
 This shows why each candidate issuer certificate was rejected. The presence of
 rejection messages does not itself imply that anything is wrong; during
 the normal verification process, several rejections may take place.


I assumed that this applies to the case of the certificate being checked against
multiple candidate issuer certificates, some of them not matching the
certificate being checked. However, in my case, there is exactly one issuer
certificate, and it _does_ match the one tested.

 In particular, although the manpage doesn't say so, X509_verify_cert
 checks several(!) times whether your cert is self-issued, only to find it 
 isn't,
 causing the errors you see in this case.

If verify with -issuer_checks returns errors even if there are exactly two
certificates involved and the issuer matches the cert tested, then I feel
tempted to say that this option is not terribly useful, because it will always
report errors and will never succeed.


 The result is OK; the errors should be ignored.




-- 
This message was sent from my Android mobile phone with K-9 Mail.