OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Could it be because your CA-2 has the following: Extended Key Usage - Client Authentication, Server Authentication?

Some fields that in general only apply to end certificates, e.g. name constraints, when used in a CA certificate, are interpreted as constraints on the certificates that can be issued by that CA.

  Erik Tkal




On Nov 16, 2015, at 11:48 AM, Jayalakshmi bhat <bhat.jayalakshmi at gmail.com> wrote:

Hi Matt,

Thank you for the response. I have attached the certificates details. My apology I am not supposed to share the certificates. We are not using X509_VERIFY_PARAM_xxx API's. We are using 4 certificates with the device.

1. Root CA- Baltimore CyberTrust Root
2. Intermediate CA-1 - Microsoft Internet Authority
3. Intermediate CA-2 - Microsoft IT SSL SHA2
4. ID certificate - *.sharepoint.com <http://sharepoint.com/>

Intermediate CAs are issued by the above Root CA. Issue is seen when all 4 certificates are installed. Error happens with the intermediate CA-2. check_trust returns X509_TRUST_UNTRUSTED. However if I do not install intermediate CA-2 things works fine.

Any help is well appreciated.

Regards
Jayalakshmi

On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <matt at openssl.org <mailto:matt at openssl.org>> wrote:


On 16/11/15 06:52, Jayalakshmi bhat wrote:
> Hi Victor,
>
> Thanks a lot for details explanation.
>
> Our device acts as TLS/SSL client.  The device receives chain of
> certificates as part of SSL handshake, when it is trying to get
> connected to TLS/SSL server like sharepoint 365.
>
> While validating the certificate chain from server, "*check_trust"
> *fails with X509_V_ERR_CERT_UNTRUSTED.
>
> This had been working fine with OpenSSL 1.0.1c.
>
> When I checked the code execution, check_trust was not being called  in
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
>
> That is why I wanted to know is it mandatory for the applications to
> set X509_VERIFY_PARAM in X509_STORE_CTX


Are you able to share the certificates that the server provides you
with? Also the root certificate you are using.

It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
least want to verify the hostname through a call to
"X509_VERIFY_PARAM_set1_host"). Are you currently do anything like this?

Matt
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users <https://mta.openssl.org/mailman/listinfo/openssl-users>

<certificates.txt>_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151116/888fceda/attachment.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux