I would suggest running "c_rehash" on the directory, making sure it is the c_rehash for OpenSSL 1.1.x, and not some other version.

> On Nov 17, 2018, at 8:57 PM, Ken <OpenSSL@xxxxxx> wrote:
>
> On both versions, strace shows it is checking for /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the correct CA) - but with openssl version "1.1.0i-fips 14 Aug 2018", it never opens that file. (With openssl version "1.0.2j-fips 26 Sep 2016", it does open/read that file, which it seems like it would need to, in order to find out if it matches the certificate.)
>
> Any idea what changed? (Or, better question, what needs to be changed to make this application work again?)

The way that DN hashes are computed changed from 0.9.8 to 1.0.0, but IIRC then remained stable, so I would not expect a change between 1.0.2 and 1.1.0. It is difficult to offer more help without copies of the certificates in question.

The main change between 1.1.0 and 1.0.2 is that "trusted_first" is now the default behaviour and cannot be changed. This means that intermediate certificates supplied with the peer chain are used only when no issuer is present in the trust store. This can lead to a different chain being computed in some cases.

--
	Viktor.
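
Added example, not part of the original message and not OpenSSL's code: a simplified Python model of the "trusted_first" issuer ordering described in the reply, showing how the same peer-supplied chain can resolve to a different chain. All certificate names are constructed, matching is by subject/issuer name only, and `trusted_first=False` is an assumed opposite ordering included for contrast.

```python
# Simplified model of issuer selection during chain building (added example).
# Certificates are matched by subject/issuer name only: no signatures,
# key identifiers or validity periods are checked.
from collections import namedtuple

Cert = namedtuple("Cert", "label subject issuer")

def build_chain(leaf, untrusted, trusted, trusted_first=True):
    """Return (labels of the chain built, True if it ends at a trust anchor)."""
    chain, cur = [leaf], leaf
    for _ in range(10):  # depth limit also guards against issuer loops
        if cur in trusted and cur.subject == cur.issuer:
            return [c.label for c in chain], True  # self-signed anchor reached
        from_store = [c for c in trusted
                      if c.subject == cur.issuer and c not in chain]
        from_peer = [c for c in untrusted
                     if c.subject == cur.issuer and c not in chain]
        # trusted_first: peer-supplied certificates are considered only
        # when the trust store has no candidate issuer.
        ordered = from_store + from_peer if trusted_first else from_peer + from_store
        if not ordered:
            break
        cur = ordered[0]
        chain.append(cur)
    return [c.label for c in chain], False

# Constructed sample: the peer sends a cross-signed intermediate, while the
# trust store holds a copy of the same intermediate issued by a newer root.
LEAF = Cert("leaf", "CN=www.example.test", "CN=Example Intermediate")
INT_CROSS = Cert("intermediate (peer, cross-signed)",
                 "CN=Example Intermediate", "CN=Old Root")
INT_STORE = Cert("intermediate (store)", "CN=Example Intermediate", "CN=New Root")
OLD_ROOT = Cert("Old Root", "CN=Old Root", "CN=Old Root")
NEW_ROOT = Cert("New Root", "CN=New Root", "CN=New Root")
PEER = [INT_CROSS]
STORE = [INT_STORE, NEW_ROOT, OLD_ROOT]

if __name__ == "__main__":
    for tf in (True, False):
        print("trusted_first =", tf, "->", build_chain(LEAF, PEER, STORE, tf))
```
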