Hi,

yes, this is a known regression in 1.1.1i that is fixed in the git repo
already with commit c2fc1115eac53d2043e09bfa43ac5407f87fe417

Tomas

On Thu, 2021-02-04 at 13:08 +0100, weber@xxxxxxxxxxx wrote:
> Dear OpenSSL users,
>
> we just bumped into a case we assume as a bug in version 1.1.1i.
>
> Building a (partial) chain fails if an enduser cert is signed by a ca
> using RSASSA-PSS algorithm.
> Chain building works with version 1.1.1g.
>
> Tracing the issue down, we found that the check_issued (source
> x509_vfy.c) is changed.
> The method is extended to compare the X509_NAMEs, AKIDs and algorithms
> match.
> The latter fails in check_sig_alg_match (source v3_purp.c) returning
> X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH, which is wrong.
>
> Is this issue and / or the proper solution known?
>
> Thanks in advance
> --
> Christian Weber
>