----- Original Message ----- From: "Arno Garrels" <arno.garr...@gmx.de>

That doesn't work. If you verified a cert that was issued by the
older CA cert, the new one was found first and verify would fail
as well.
The problem is that they first look up the issuer _name_ in the CA store
and if a matching cert was found, compare it with the one being
verified, which may be a different certificate that just owns the same
subject name. It becomes clear when you take a look at their source
code.

From X509_vfy.c:
[..]
/* we have a self signed certificate */
if (sk_X509_num(ctx->chain) == 1)
    {
    /* We have a single self signed certificate: see if
     * we can find it in the store. We must have an exact
     * match to avoid possible impersonation.
     */
    ok = ctx->get_issuer(&xtmp, ctx, x);
    if ((ok <= 0) || X509_cmp(x, xtmp))
        {
        ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
[..]


This means a bug in OpenSSL.
All certs of the same CA should be verified to find a match before returning an error.
I think it's not legal to alter the source though...

Paul.
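A model of the two lookup strategies the thread is arguing about, added here as an illustration; it is not OpenSSL code and not code from the mailing list. `Cert`, `Store`, `verify_first_match` and `verify_all_matches` are hypothetical stand-ins for X509, X509_STORE, the `ctx->get_issuer` plus `X509_cmp` path in the quoted snippet, and the "try every cert with that name" behaviour Paul asks for. The sample store is constructed: a CA that rolled its key but kept its subject name, so two distinct self-signed certs share one subject, with the newer one loaded first, and a leaf that was issued by the old key.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Error names borrowed from OpenSSL's verify result codes for readability.
ERR_SELF_SIGNED = "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT"
ERR_SIGNATURE = "X509_V_ERR_CERT_SIGNATURE_FAILURE"
ERR_NO_ISSUER = "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT"

Result = Tuple[bool, Optional[str]]


@dataclass(frozen=True)
class Cert:
    """Toy certificate (hypothetical stand-in for an X509 object)."""
    subject: str
    issuer: str
    serial: int
    fingerprint: str   # stands in for the DER encoding that X509_cmp compares
    signer_fp: str     # fingerprint of the cert whose key signed this one

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.signer_fp == self.fingerprint


class Store:
    """Stand-in for X509_STORE: entries are searched in insertion order."""

    def __init__(self, certs: List[Cert]) -> None:
        self.certs = list(certs)

    def by_subject(self, name: str) -> List[Cert]:
        return [c for c in self.certs if c.subject == name]


def signature_ok(cert: Cert, ca: Cert) -> bool:
    """Models the signature check: did ca's key sign cert?"""
    return cert.signer_fp == ca.fingerprint


def verify_first_match(store: Store, x: Cert) -> Result:
    """Lookup as the message describes it: get_issuer() returns the first
    store entry whose subject equals x's issuer name, and only that entry
    is compared (self-signed case) or used for the signature check."""
    candidates = store.by_subject(x.issuer)
    if not candidates:
        return False, ERR_NO_ISSUER
    xtmp = candidates[0]
    if x.is_self_signed():
        # X509_cmp(x, xtmp) != 0: same name, but a different certificate
        return (True, None) if xtmp == x else (False, ERR_SELF_SIGNED)
    return (True, None) if signature_ok(x, xtmp) else (False, ERR_SIGNATURE)


def verify_all_matches(store: Store, x: Cert) -> Result:
    """Paul's suggested behaviour: every store entry carrying the issuer's
    subject name is tried before an error is returned."""
    candidates = store.by_subject(x.issuer)
    if not candidates:
        return False, ERR_NO_ISSUER
    if x.is_self_signed():
        return (True, None) if any(c == x for c in candidates) else (False, ERR_SELF_SIGNED)
    return (True, None) if any(signature_ok(x, c) for c in candidates) else (False, ERR_SIGNATURE)


# Constructed sample data: the CA kept "CN=Example CA" across a key rollover,
# the newer self-signed cert sorts first in the store, and the leaf was
# issued by the OLD key.
OLD_CA = Cert("CN=Example CA", "CN=Example CA", 1, "fp-old", "fp-old")
NEW_CA = Cert("CN=Example CA", "CN=Example CA", 2, "fp-new", "fp-new")
LEAF = Cert("CN=www.example.test", "CN=Example CA", 1001, "fp-leaf", "fp-old")
STORE = Store([NEW_CA, OLD_CA])


def compare_strategies(store: Store = STORE) -> dict:
    """Run both lookups over the three certs; keys are cert serials."""
    out = {}
    for cert in (OLD_CA, NEW_CA, LEAF):
        out[cert.serial] = {
            "first_match": verify_first_match(store, cert),
            "all_matches": verify_all_matches(store, cert),
        }
    return out


if __name__ == "__main__":
    for serial, result in compare_strategies().items():
        print(serial, result)
```

With the newer cert first in the store, the first-match strategy rejects the old CA cert itself (`X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT`, exactly the branch in the quoted snippet) and also the leaf it signed, because the signature is checked against the wrong key; swapping the load order moves the failure to the new cert instead. Iterating over all same-name entries accepts all three. The model only reproduces the logic the quoted snippet shows; whether a given OpenSSL release still takes this path should be checked against that release's x509_vfy.c.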



--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be