Paul wrote:
>> That's no solution, since once those different certificates with the
>> same name (subjectOneline) are included in the trusted CAs, verify
>> will fail on one of those 'dups', depending on which one was found
>> first. 
> You could have a solution here:
> If you build a list of all certificates to import and sort then by
> filedate (most current date on top) then the latest CA will always be
> found first

That doesn't work. If you verified a cert that was isued by the
older CA cert the new one was found first and verify would fail
as well.
The problem is that they first lookup the isuer _name_ in the CA store
and if a matching cert was found, compare it with the one being 
verified, which may be a different certificate that just owns the same
subject name. It becomes clear when you take a look at their source 

>From X509_vfy.c:
/* we have a self signed certificate */
if (sk_X509_num(ctx->chain) == 1)
        /* We have a single self signed certificate: see if
        * we can find it in the store. We must have an exact
        * match to avoid possible impersonation.
        ok = ctx->get_issuer(&xtmp, ctx, x);
        if ((ok <= 0) || X509_cmp(x, xtmp))
Arno Garrels
To unsubscribe or change your settings for TWSocket mailing list
please goto
Visit our website at

Reply via email to