> Rob Neff wrote:
>
> Gentlemen,
>
> After successfully establishing an SSL connection, I'm attempting to
> ascertain the validity of the server certificate received by the client.
> The server certificate received was signed by Verisign, yet the
> OpenSSL engine does not successfully validate it. The root
> certificates I loaded into the SSL_CTX using the function
> SSL_CTX_load_verify_locations() were the Class 3 Verisign
> certificates exported from IE 5.0.
>
> The interesting thing about this is that the issuer hash calculated using
> OpenSSL on the server certificate received is different than the hashes
> calculated on the exported certificates, yet IE still manages to accept the
> certificate as valid! The obvious question, at least for me, is does the
> OpenSSL library base its decision solely on the issuer name hash when
> looking up the trusted CA root certificates or is IE doing something
> completely different, like not basing its lookup on issuer hash but
> perhaps issuer CommonName?
>
> Can someone provide me with a code snippet, or point me in the appropriate
> direction, that outlines another way to verify certificates without using the
> issuer name hash? My concern is if Verisign, or any other CA, is creating
> server certificates using licensing terms or some other policy within the
> issuer name on a per-certificate basis yet using the original public and
> private keys to sign it. Would this explain why the issuer hashes don't match
> yet IE continues to validate the cert if IE does its lookup not based on issuer
> hash? Or am I way out in left field???
>
What error message does OpenSSL give when it fails the verify?
If the names don't match then there could be another intermediate CA
which you aren't including.
Try this command:

openssl verify -CAfile root.pem -untrusted ca.pem -purpose sslserver server.pem

where 'server.pem' is the server certificate, 'ca.pem' is any
intermediate certificate (omit this and the -untrusted option if there
isn't any) and 'root.pem' is the root CA. Try this on OpenSSL 0.9.6. This
simulates the operation performed when the SSL library verifies a
certificate chain.
Failing that, why don't you just post (or mail me privately) with the
certificate chain (*NOT THE PRIVATE KEY*!!) and I'll see if there's an
obvious problem.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
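The missing-intermediate situation Steve suspects, as an added example that is not part of this thread: a shell script that builds a throwaway root, intermediate and server certificate with the openssl command line (all names, files and keys are constructed for the demo), then shows that verification fails with only root.pem trusted, succeeds once ca.pem is passed with -untrusted, and that the server certificate's issuer hash matches the intermediate's subject hash rather than the root's, which is the kind of hash mismatch Rob describes.

```shell
#!/bin/sh
# Added demo (not from the thread): build root -> intermediate -> server with
# throwaway keys and constructed names, then exercise 'openssl verify'.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA extensions: without basicConstraints CA:TRUE a v3 cert is not a valid CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext

# Self-signed root CA (constructed name).
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out root.pem 2>/dev/null

# Intermediate CA issued by the root.
openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in ca.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out ca.pem 2>/dev/null

# Server certificate issued by the intermediate, not by the root.
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile server.ext -out server.pem 2>/dev/null

# Exit 0 only if the chain verifies with the root trusted and no intermediate.
verify_root_only() {
  openssl verify -CAfile root.pem -purpose sslserver server.pem >/dev/null 2>&1
}
# Exit 0 when the intermediate is supplied as untrusted chain material.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted ca.pem -purpose sslserver \
    server.pem >/dev/null 2>&1
}
# Issuer-name hash and subject-name hash, as the CA lookup in OpenSSL uses them.
issuer_hash() { openssl x509 -in "$1" -noout -issuer_hash; }
subject_hash() { openssl x509 -in "$1" -noout -subject_hash; }

verify_root_only || echo "root only: verify fails (issuer of server.pem is not root.pem)"
verify_with_intermediate && echo "root + -untrusted intermediate: verify OK"
echo "server issuer hash       : $(issuer_hash server.pem)"
echo "intermediate subject hash: $(subject_hash ca.pem)"
echo "root subject hash        : $(subject_hash root.pem)"
```

The same lookup is what SSL_CTX_load_verify_locations() feeds: OpenSSL finds a trusted CA by the issuer-name hash of the certificate it is checking, so when the direct issuer is an intermediate that is neither trusted nor sent in the chain, the hash points at nothing and verification fails.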