Paul wrote:
>> That's no solution, since once those different certificates with the
>> same name (subjectOneline) are included in the trusted CAs, verify
>> will fail on one of those 'dups', depending on which one was found
>> first.
>
> You could have a solution here:
> If you build a list of all certificates to import and sort them by
> file date (most current date on top) then the latest CA will always be
> found first.
That doesn't work. If you verified a cert that was issued by the older CA cert, the new one would be found first and verify would fail as well. The problem is that they first look up the issuer _name_ in the CA store and, if a matching cert was found, compare it with the one being verified, which may be a different certificate that just has the same subject name.

It becomes clear when you take a look at their source code. From X509_vfy.c:

[..]
    /* we have a self signed certificate */
    if (sk_X509_num(ctx->chain) == 1) {
        /* We have a single self signed certificate: see if
         * we can find it in the store. We must have an exact
         * match to avoid possible impersonation.
         */
        ok = ctx->get_issuer(&xtmp, ctx, x);
        if ((ok <= 0) || X509_cmp(x, xtmp)) {
            ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
[..]

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
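The failure Arno describes is easy to reproduce with real certificates. The following Go program is an added example and is not code from the list thread or from OpenSSL: it builds two self-signed CA certificates with byte-identical subject names but different keys, puts both in a simple in-memory trust store, and then checks a certificate two ways. `VerifySelfSignedFirstMatch` models the quoted X509_vfy.c logic (one lookup by issuer name returning the first hit, then an exact comparison, with `X509_cmp` approximated by comparing DER encodings). `VerifySelfSignedAllMatches` shows the alternative of considering every store entry with that subject name. The store type, function names and the "Dup Root CA" subject are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrDepthZeroSelfSigned stands in for X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
// the self-signed certificate was not found as an exact match in the store.
var ErrDepthZeroSelfSigned = errors.New("self signed certificate not found in store")

// newSelfSignedCA creates a self-signed CA with the given common name and a
// freshly generated key. Two calls with the same name produce two certificates
// whose subjects are byte-identical but whose keys (and DER bodies) differ.
func newSelfSignedCA(commonName string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{"Example"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Store is a minimal trust store that keeps certificates in insertion order,
// which is what decides "which one was found first" (assumed structure).
type Store struct{ certs []*x509.Certificate }

func (s *Store) Add(c *x509.Certificate) { s.certs = append(s.certs, c) }

// getIssuerByName models the lookup discussed above: return the FIRST
// certificate whose subject equals the wanted issuer name, nothing else.
func (s *Store) getIssuerByName(issuer []byte) *x509.Certificate {
	for _, c := range s.certs {
		if bytes.Equal(c.RawSubject, issuer) {
			return c
		}
	}
	return nil
}

// VerifySelfSignedFirstMatch reproduces the quoted X509_vfy.c flow for a
// single self-signed certificate: one name lookup, then an exact comparison.
// A second CA with the same name is shadowed by the first and fails.
func (s *Store) VerifySelfSignedFirstMatch(x *x509.Certificate) error {
	cand := s.getIssuerByName(x.RawIssuer)
	if cand == nil || !bytes.Equal(cand.Raw, x.Raw) {
		return ErrDepthZeroSelfSigned
	}
	return nil
}

// VerifySelfSignedAllMatches considers every store entry carrying that
// subject name and accepts if any of them is an exact match.
func (s *Store) VerifySelfSignedAllMatches(x *x509.Certificate) error {
	for _, c := range s.certs {
		if bytes.Equal(c.RawSubject, x.RawIssuer) && bytes.Equal(c.Raw, x.Raw) {
			return nil
		}
	}
	return ErrDepthZeroSelfSigned
}

func main() {
	ca1, err := newSelfSignedCA("Dup Root CA", 1)
	if err != nil {
		panic(err)
	}
	ca2, err := newSelfSignedCA("Dup Root CA", 2)
	if err != nil {
		panic(err)
	}
	s := &Store{}
	s.Add(ca1) // "older" CA, found first
	s.Add(ca2) // "newer" CA with the same subject name
	fmt.Println("same subject name:", bytes.Equal(ca1.RawSubject, ca2.RawSubject))
	fmt.Println("first-match, ca1:", s.VerifySelfSignedFirstMatch(ca1))
	fmt.Println("first-match, ca2:", s.VerifySelfSignedFirstMatch(ca2))
	fmt.Println("all-matches, ca2:", s.VerifySelfSignedAllMatches(ca2))
}
```

Whichever certificate sits first in the store verifies under the first-match lookup and the other one does not, so reordering the import list (by file date or otherwise) only moves the failure from one CA to the other; the lookup has to return all candidates with that name, or the store has to be keyed by something finer than the subject name.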