> > Hence, if at all, verification requirements must have been lowered in the
> > new OpenSSL version.
>
> No, it is also the case that the new version now more correctly accepts
> some chains as valid that, because of bugs, the old version did not.
Understood! My reply was related to message
> Hence, if at all, verification requirements must have been lowered in the new
> OpenSSL version.
No, it is also the case that the new version now more correctly accepts some
chains as valid that, because of bugs, the old version did not.
--
openssl-users mailing list
To unsubscribe:
On Fri, 22 Dec 2017, at 20:31, Sands, Daniel wrote:
> On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote:
> > Unfortunately this didn't work either. The end result is the same;
> > OpenSSL still emits a "certificate signature failure" with an error
> > depth of 0.
> >
> In light of
On Fri, 2017-12-22 at 11:14 +0100, Manuel Wagesreither wrote:
> Unfortunately this didn't work either. The end result is the same;
> OpenSSL still emits a "certificate signature failure" with an error
> depth of 0.
>
In light of what Salz said about verification, could we assume that the
openssl
Yes, the certificate validation was fixed, and improved, in 1.1.0.
You should not use 1.0.1 if you can at all avoid it. It has many bugs,
probably security issues, and missing features. Like, for example, cert
validation.
Dear all,
I just found out that this problem only occurs when I'm linking the executable
against libssl 1.0.1k. When linking against libssl 1.1.0f, the certificate does
get validated fine.
Does anyone know possible reasons? Do these libssl versions differ in regard to
certificate validation?
Hi,
On 22/12/17 11:14, Manuel Wagesreither wrote:
> Unfortunately this didn't work either. The end result is the same; OpenSSL
> still emits a "certificate signature failure" with an error depth of 0.
here's a stripped down version of my 'grid-proxy-verify.c' that verifies
a certificate loaded
Unfortunately this didn't work either. The end result is the same; OpenSSL
still emits a "certificate signature failure" with an error depth of 0.
Regards,
Manuel
On Thu, 21 Dec 2017, at 19:27, Sands, Daniel wrote:
> I'm a fellow SSL-USER and not an expert, but my verification flow goes
> as
I'm a fellow SSL-USER and not an expert, but my verification flow goes
as follows:
X509_STORE_CTX_new()
X509_STORE_CTX_init(ctx,NULL,cert,NULL) <-- The certificate to verify
X509_STORE_CTX_trusted_stack(ctx,CACertificateStack) <-- Perhaps this is the difference?
X509_verify_cert(ctx)
On Thu,
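
Added example (not part of any message in this thread, and not code from the OpenSSL project): a shell script that builds a throwaway CA and leaf, then runs `openssl verify` on an intact copy and on a copy whose signature has been damaged, so the "certificate signature failure" at depth 0 reported above can be reproduced and compared across OpenSSL builds outside the application. The `OPENSSL` variable, the file names and the subject names are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Every key and certificate here is constructed locally in a temp dir.
set -eu
OPENSSL=${OPENSSL:-openssl}  # assumption: point OPENSSL at another build to compare versions

make_chain() {       # $1 = directory; writes ca.pem and leaf.pem (throwaway CA + leaf)
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    "$OPENSSL" req -newkey rsa:2048 -nodes -subj "/CN=demo-leaf" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    "$OPENSSL" x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$1/leaf.pem" 2>/dev/null
}

damage_signature() { # $1 = PEM in, $2 = PEM out; changes the last byte of the signature
    der="$2.der"
    "$OPENSSL" x509 -in "$1" -outform DER -out "$der"
    size=$(wc -c < "$der")
    last=$(tail -c 1 "$der" | od -An -tu1 | tr -d ' \n')
    head -c $((size - 1)) "$der" > "$der.tmp"
    # The signature BIT STRING is the final field of the DER certificate.
    printf '%b' "\\0$(printf '%03o' $(( (last + 1) % 256 )))" >> "$der.tmp"
    "$OPENSSL" x509 -inform DER -in "$der.tmp" -out "$2"
    rm -f "$der" "$der.tmp"
}

verify_result() {    # $1 = CA file, $2 = cert; prints "OK" or "error N at D depth lookup"
    out=$("$OPENSSL" verify -CAfile "$1" "$2" 2>&1 || true)
    err=$(printf '%s\n' "$out" |
        sed -n 's/.*\(error [0-9]* at [0-9]* depth lookup\).*/\1/p' | head -n 1)
    if [ -n "$err" ]; then echo "$err"
    else case "$out" in *": OK"*) echo OK ;; *) echo UNKNOWN ;; esac
    fi
}

demo() {             # prints one result line per certificate
    dir=$(mktemp -d)
    make_chain "$dir"
    damage_signature "$dir/leaf.pem" "$dir/bad.pem"
    echo "intact leaf:  $(verify_result "$dir/ca.pem" "$dir/leaf.pem")"
    echo "damaged leaf: $(verify_result "$dir/ca.pem" "$dir/bad.pem")"
    rm -rf "$dir"
}

demo
```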