Problem with certificate check when it does not match CN

Dear all,

I use a gsoap application for which I write the server (php/apache) and client (gsoap and openssl). As I am pretty sure my problem comes from openssl and not gsoap, I am asking my question here.

I developed the service a few years ago and got wildcard certificates from Startcom. Due to the recent problems with Startcom, I migrated my certificates to COMODO. I also tried to rationalise the number of certificates, and I think several of my problems come from here.

For a dedicated web service, I use a server located at https://www.online-rdv.be/v1/.... With my previous certificate, the CN of the certificate was a wildcard: *.online-rdv.be. Everything worked fine.

But now, my new certificate is common for all my web sites. So, the CN is www.ams-solutions.be and, in the list of alternate names, I have an entry *.online-rdv.be.

From this point, all gsoap connections fail on SSL checks. I checked the certificate bundle provided to my gsoap client application and it contains the root certificate, as well as the intermediate certificates.

This same soap server is directly used by the website and all browsers I checked do not encounter the problem.

So, my best guess is that the way I configure openssl with gsoap is not correct and does not allow validating a web site if it does not match the CN certificate field.

I do no special configuration (nearly all default parameters). In fact, the only ssl configuration I perform is the following:

   soap_ssl_init();
   soap_ssl_client_context(service.soap,
                           SOAP_SSL_DEFAULT,
                           NULL,                    /* keyfile */
                           NULL,                    /* password */
                           cert_path.GetCString(),  /* cafile */
                           NULL,                    /* capath */
                           NULL);                   /* randfile */


where cert_path points to a file with root and intermediate certificates.

Any suggestion on how to solve my problem?

Regards,

Brice
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
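
The distinction the post is guessing at, as an added illustration (not gsoap's or OpenSSL's code, and not part of the original message): a verifier that compares the host only to the CN rejects this certificate, while one that consults the subjectAltName dNSName entries accepts it. The function names are hypothetical and wildcard handling is simplified to a whole leftmost label.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality; DNS names are compared without regard to case. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name against a host. "*." may only stand for
 * exactly one leftmost label, and "*.tld" style patterns are refused. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, host);
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)           /* host needs a first label */
        return 0;
    if (strchr(pattern + 2, '.') == NULL)     /* refuse "*.be" */
        return 0;
    return eq_nocase(pattern + 1, dot);       /* compare ".online-rdv.be" */
}

/* CN-only comparison: the behaviour the post suspects in its client. */
int check_cn_only(const char *cn, const char *host)
{
    return name_matches(cn, host);
}

/* SAN-first comparison (RFC 6125): when dNSName entries are present,
 * only they are consulted and the CN is ignored. */
int check_san_first(const char *cn, const char *const *sans, size_t n, const char *host)
{
    if (n == 0)
        return name_matches(cn, host);
    for (size_t i = 0; i < n; i++)
        if (name_matches(sans[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Names from the post; the SAN list holds only the entry it mentions. */
    const char *sans[] = { "*.online-rdv.be" };
    const char *cn = "www.ams-solutions.be", *host = "www.online-rdv.be";
    printf("CN only: %d, SAN first: %d\n",
           check_cn_only(cn, host), check_san_first(cn, sans, 1, host));
    return 0;
}
```

In a real client the comparison belongs to the TLS library, for example OpenSSL's `X509_check_host()` (1.0.2 and later) or `SSL_set1_host()` (1.1.0 and later), rather than to hand-written matching.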
