Could this be related to the recent work to treat the list of certificates as a SET of potentially relevant certificates rather than as an ordered list of certificates that must form the trust chain? Reading through the 1.1.0 changelog makes it unclear how much of this standards-compliance fix has been implemented so far, and how much of it is included in 1.0.2h. On 06/09/2016 20:10, John Unsworth wrote: > This seems to me to be very easy to validate by just inserting a self-signed certificate at the front of a CAfile that works. > > ... > > -----Original Message----- > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni > Sent: 06 September 2016 18:47 > To: openssl-users at openssl.org > Subject: Re: [openssl-users] A self-signed CA certificate in the CA file *sometimes* stops verification working > > >> On Sep 6, 2016, at 11:53 AM, John Unsworth <John.Unsworth at synchronoss.com> wrote: >> >> I have noticed the following behaviour: >> >> 1 Create a certificate file with two CA certificates, one for the server being connected to (server A) and one for another server (server B). >> 2 Whichever way the CA certificates are ordered the connect works OK. >> 3 Add a self-signed CA certificate in the file before the one for server A. The connect fails ?Verify return code: 21 (unable to verify the first certificate)?. >> 4 Move the self-signed CA certificate after the one for server A. The connect works OK. >> >> Why should the self-signed certificate affect the connection when the required CA certificate is in the certificate file? Is this a bug? > You've provided much too little detail for a meaningful answer. > > Post the server chain being validated as reported by > > $ openssl s_client -showcerts -connect <server>:443 > chain.pem > $ openssl crl2pkcs7 -nocrl -certfile chain.pem | > openssl pkcs7 -print_certs > > and all three CA certificates. Do not post any of the private keys. > Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded
