On 1/10/2016 21:43, Viktor Dukhovni wrote:
> On Sun, Jan 10, 2016 at 08:20:41PM -0600, Karl Denninger wrote:
>
>> I found the problem... for an unexplained reason either the certificate
>> or key were corrupt; I have added checking to make sure they're
>> coherent, as apparently OpenSSL is perfectly happy to load a bogus cert
>> (or key) without throwing an error, but won't present them.
> You forgot to validate the loaded cert/key combination via:
>
>     SSL_CTX_check_private_key(ctx);
>
> which should be called after loading the key and certificate.
>
Yep. Fixed that, and then found out that the old recipes for walking
through the subjectAltName data are no longer workable (apparently the
published "book" work on that went rooting around in internal data
structures that one should not be playing with)... there's a
resolution for that too though (just had to dig around a bit), so it's
all good now.

Thanks...

-- 
Karl Denninger
karl at denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/