----- Original Message ----- From: "Arno Garrels" <arno.garr...@gmx.de>

That doesn't work. If you verified a cert that was isued by the
older CA cert the new one was found first and verify would fail
as well.
The problem is that they first lookup the isuer _name_ in the CA store
and if a matching cert was found, compare it with the one being
verified, which may be a different certificate that just owns the same
subject name. It becomes clear when you take a look at their source

From X509_vfy.c:
/* we have a self signed certificate */
if (sk_X509_num(ctx->chain) == 1)
       /* We have a single self signed certificate: see if
       * we can find it in the store. We must have an exact
       * match to avoid possible impersonation.
       ok = ctx->get_issuer(&xtmp, ctx, x);
       if ((ok <= 0) || X509_cmp(x, xtmp))

This means a bug in OpenSsl.
All certs of the same CA should be verified to find a match before returning an error
I think it's not legal to alter the source though...


To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Reply via email to