On 10/31/2014 03:24 PM, Dave Thompson wrote:
From: owner-openssl-us...@openssl.org On Behalf Of tho...@koeller.dyndns.org
Sent: Thursday, October 30, 2014 14:50
I have... root_ca.pem ... self-signed ... issued host_ca.pem ...
I would expect the two to form a valid chain. And indeed,
verification succeeds:
... openssl verify -CAfile root_ca.pem host_ca.pem
host_ca.pem: OK
However, if I add -issuer_checks to the command line, I get errors:
openssl verify -CAfile root_ca.pem -issuer_checks host_ca.pem
host_ca.pem: C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family,
OU = Network Administration, CN = K\C3\B6ller Family Host Signing Certificate
error 29 at 0 depth lookup:subject issuer mismatch
C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network
Administration, CN = K\C3\B6ller Family Host Signing Certificate
error 29 at 0 depth lookup:subject issuer mismatch
C = DE, ST = Hamburg, L = Hamburg, O = K\C3\B6ller Family, OU = Network
Administration, CN = K\C3\B6ller Family Host Signing Certificate
error 29 at 0 depth lookup:subject issuer mismatch
OK
Next, I look at the subject and issuer fields of both certificates, and
find them to be matching: snip
Am I wrong to expect the verify command to succeed without errors in
this case, even with -issuer_checks? I am attaching the two certificates,
in case someone wants to investigate the problem.
As the manpage says:
Print out diagnostics relating to searches for the issuer certificate of the
current certificate.
This shows why each candidate issuer certificate was rejected. The presence of
rejection messages does not itself imply that anything is wrong; during
the normal verification process, several rejections may take place.
I assumed that this applies to the case of the certificate being checked against multiple candidate issuer certificates, some of them not matching the certificate being checked. However, in my case, there is exactly one issuer certificate, and it _does_ match the one tested.
In particular, although the manpage doesn't say so, X509_verify_cert checks several(!) times whether your cert is self-issued, only to find it isn't, causing the errors you see in this case.
If verify with -issuer_checks returns errors even if there are exactly two certificates involved and the issuer matches the cert tested, then I feel tempted to say that this option is not terribly useful, because it will always report errors and will never succeed,
The result is OK; the errors should be ignored.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
--
This message was sent from my Android mobile phone with K-9 Mail.
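Following up on the exchange above, an added example that is not part of the thread: a POSIX shell script (assumes the openssl command-line tool is installed) that creates a root CA and a subordinate CA with constructed names, then shows that the outcome of openssl verify, with or without -issuer_checks, is read from the exit status and the final OK verdict rather than from the per-candidate diagnostic lines; depending on the installed release the flag may print lines like those quoted above or none at all.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a self-signed root and a
# subordinate CA issued by it (constructed names, not the poster's certs) and
# runs openssl verify with and without -issuer_checks. Whatever diagnostics a
# given OpenSSL release prints, the result is read from the exit status and
# the final "OK" line, as the thread concludes.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA (openssl req -x509 marks it CA:TRUE with default config)
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/O=Example Family/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root_ca.pem" 2>/dev/null

# Subordinate CA: request, then sign with the root and add CA extensions
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example Family/CN=Example Host Signing CA" \
  -keyout "$WORK/host.key" -out "$WORK/host_ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl x509 -req -sha256 -days 30 -in "$WORK/host_ca.csr" \
  -CA "$WORK/root_ca.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -extfile "$WORK/ca.ext" -out "$WORK/host_ca.pem" 2>/dev/null

# verify_chain [verify options...]: prints "<exit status> <yes|no>", where
# yes means the last output line is the OK verdict. With -issuer_checks the
# "file: " prefix can land on the first diagnostic line and the verdict is a
# bare "OK", exactly as in the output quoted in the thread, so both forms match.
verify_chain() {
  out=$(openssl verify -CAfile "$WORK/root_ca.pem" "$@" "$WORK/host_ca.pem" 2>&1) \
    && rc=0 || rc=$?
  last=$(printf '%s\n' "$out" | tail -n 1)
  case "$last" in
    OK|*": OK") ok=yes ;;
    *)          ok=no ;;
  esac
  printf '%s %s\n' "$rc" "$ok"
}

# Both runs must give exit status 0 and an OK verdict; any "error 29 ...
# subject issuer mismatch" lines in between are candidate-issuer diagnostics.
verify_chain
verify_chain -issuer_checks
```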