Re: Problem with x509_verify_certificate

I would suggest running "c_rehash" on the directory, making sure it is
the c_rehash for OpenSSL 1.1.x, and not some other version.

> On Nov 17, 2018, at 8:57 PM, Ken <OpenSSL@xxxxxx> wrote:
> 
> On both versions, strace shows it is checking for /var/lib/ca-certificates/openssl/4bfab552.0 (which exists, and is the correct CA) - but with openssl version "1.1.0i-fips  14 Aug 2018", it never opens that file. (With openssl version "1.0.2j-fips  26 Sep 2016", it does open/read that file, which it seems like it would need to, in order to find out if it matches the certificate.)
> 
> Any idea what changed? (Or, better question, what needs to be changed to make this application work again?)

The way that DN hashes are computed changed from 0.9.8 to 1.0.0, but IIRC then
remained stable, so I would not expect a change between 1.0.2 and 1.1.0.

It is difficult to offer more help without copies of the certificates in question.

The main change between 1.1.0 and 1.0.2 is that "trusted_first" is now
the default behaviour and cannot be changed.  This means that intermediate
certificates supplied with the peer chain are used only when no issuer is
present in the trust store.  This can lead to a different chain being
computed in some cases.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
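
The directory check behind the c_rehash suggestion above, as an added example that is not part of the original thread: it compares each `<hash>.<n>` name in a hashed CA directory with the subject hash the installed `openssl` computes, and flags names that match only the pre-1.0.0 hash. The function names are illustrative, and it assumes the `openssl` command-line tool is on PATH.

```shell
#!/bin/sh
# Added example: audit an OpenSSL hashed CA directory (function names are illustrative).

# Print the status of one entry named <8 hex digits>.<n>:
#   ok          name matches the current (1.0.0 and later) subject hash
#   old         name matches only the pre-1.0.0 subject hash
#   stale       name matches neither hash of the certificate it holds
#   unreadable  file is not a parseable PEM certificate
# Returns 0 only for "ok".
check_hash_entry() {
    entry=$1
    name=$(basename "$entry")
    want=${name%.*}                      # strip the ".<n>" suffix
    new=$(openssl x509 -noout -subject_hash -in "$entry" 2>/dev/null) \
        || { echo unreadable; return 1; }
    old=$(openssl x509 -noout -subject_hash_old -in "$entry" 2>/dev/null) || old=
    if [ "$want" = "$new" ]; then
        echo ok
    elif [ -n "$old" ] && [ "$want" = "$old" ]; then
        echo old; return 1
    else
        echo stale; return 1
    fi
}

# Check every certificate link in a directory (CRL links, "<hash>.r<n>", are skipped).
# Prints "<status><TAB><path>" per entry; returns 0 only if all entries are "ok".
check_hash_dir() {
    dir=$1
    bad=0
    h='[0-9a-f]'
    for entry in "$dir"/$h$h$h$h$h$h$h$h.[0-9]*; do
        [ -e "$entry" ] || continue      # unmatched glob or dangling symlink
        status=$(check_hash_entry "$entry") || bad=$((bad + 1))
        printf '%s\t%s\n' "$status" "$entry"
    done
    [ "$bad" -eq 0 ]
}
```

Run `check_hash_dir` against the directory the application uses as its CA path; any line not marked `ok` is a link that the `openssl` on PATH would not look up for that certificate.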


