Yes, I've tested it and it works. I think the problem is that I 
haven't used X509_LOOKUP directly; I've used it as part of certificate 
verification during the SSL handshake. In this case, OpenSSL goes through 
the whole certificate cache and looks for the certificate there. I'm very sorry 
for the confusion.

   I will describe the test case in more depth. I've created two 
self-signed certificates with exactly the same subject (most likely 
this cannot occur in real use). Now I've put one into one directory and the 
other into a second directory, under their hash codes. I've created an SSL 
client connecting to the server and using these two directories for 
verification (using the SSL_CTX_load_verify_locations function). I've 
started the server using the s_server utility in OpenSSL and passed it one of 
the certificates. Now I've run the client against the server.

   When the server's certificate is in the first directory, it is verified 
and it works. When it is in the second one, the problem occurs: the 
directory lookup puts the certificate from the first directory into the cache 
and exits, since the subject of the inserted certificate is the same as the 
looked-up one. The second directory is never used. My patch goes through 
all directories and puts all certificates with the given hash code into the cache. 
Thus, both certificates are in the cache and the verification routine can find 
the right one and succeed.

   I've attached a simple test case (created on Linux). I've tested OpenSSL 
0.9.6g and 0.9.7; both have the same problem and in both the same patch 
can be used.

   Martin

Richard Levitte via RT wrote:
> I'm not sure about your solution.  Have you tested it at all and verified that it 
>works?  According to my understanding of the source, X509_load_crl_file() will not 
>load a certificate into the cache if there already exists another cert with the same 
>subject in that same cache.  In effect, your patch would therefore change nothing...
> 
> [[EMAIL PROTECTED] - Mon Jan 20 14:51:36 2003]:
> 
> 
>>   I have several certificates with the same subject which are in two
>>different directories. When I put these two directories into
>>X509_LOOKUP_hash_dir and use this lookup during validation, the
>>certificate is found only if it is in the first directory in the lookup.
>>
>>   I've found the problem in OpenSSL 0.9.6g and also 0.9.7.
>>
>>   I've looked into it and the cause is probably in
>>crypto/x509/by_dir.c, function get_cert_by_subject(). The outer loop
>>here goes through the directories assigned to the lookup object. For each
>>directory all the certificates with the given hash code are loaded. Next,
>>the certificate is looked up by subject and, if found, the function
>>exits. In this case the other directories are not loaded. So later,
>>when the certificate found is not the one really requested and the loaded
>>cache is consulted, it is not filled as it should be and the certificate
>>is not found.
>>
>>   I think the lookup by subject in get_cert_by_subject() should be
>>performed after the outer loop finishes (see attached patch).
>>
>>   Regards
>>     Martin
> 
> 
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
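A constructed Python model of the lookup discussed in this thread, added here as an illustration; it is not OpenSSL's own code nor the patch Martin attached. It replays the per-directory loading of by_dir.c's get_cert_by_subject() on the two-certificate, two-directory test case and compares the original early exit with the patched search-after-the-loop; Cert, subject_hash, get_cert_by_subject and handshake_verifies are stand-ins for the real structures, and all data is constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X509: same subject, different certificate body."""
    subject: str
    fingerprint: str

def subject_hash(subject: str) -> str:
    """Stand-in for X509_NAME_hash(): the 8-hex-digit <hash>.N file-name prefix."""
    return hashlib.sha1(subject.encode()).hexdigest()[:8]

def get_cert_by_subject(dirs, subject, cache, *, patched):
    """Model of by_dir.c get_cert_by_subject(): for each directory of the lookup,
    load every <hash>.N file into the shared cache, then search the cache by subject.
    patched=False reproduces the reported 0.9.6g/0.9.7 behaviour (search after each
    directory, return on the first hit); patched=True searches once after the loop."""
    h = subject_hash(subject)
    for directory in dirs:
        for cert in directory.get(h, []):       # <hash>.0, <hash>.1, ... in this dir
            if cert not in cache:                # the cache rejects exact duplicates only
                cache.append(cert)
        if not patched:
            hit = next((c for c in cache if c.subject == subject), None)
            if hit is not None:
                return hit                       # later directories are never read
    return next((c for c in cache if c.subject == subject), None)

def handshake_verifies(dirs, peer_cert, *, patched):
    """Model of the handshake-time check: the lookup fills the cache, then the
    verifier needs the peer's exact self-signed cert among the cached entries
    (an entry that merely shares the subject does not verify the peer)."""
    cache = []
    get_cert_by_subject(dirs, peer_cert.subject, cache, patched=patched)
    return any(c == peer_cert for c in cache)

# Constructed data mirroring the report: two self-signed certs with the same
# subject, one stored under its hash in each of two directories.
SUBJECT = "CN=same-subject.example"
CERT_A = Cert(SUBJECT, "fingerprint-A")
CERT_B = Cert(SUBJECT, "fingerprint-B")
LOOKUP_DIRS = [{subject_hash(SUBJECT): [CERT_A]},   # first directory
               {subject_hash(SUBJECT): [CERT_B]}]   # second directory

if __name__ == "__main__":
    for cert in (CERT_A, CERT_B):
        for patched in (False, True):
            print(cert.fingerprint, "patched" if patched else "original",
                  handshake_verifies(LOOKUP_DIRS, cert, patched=patched))
```

Run as-is, the original lookup verifies only the certificate in the first directory, while the patched lookup verifies either one because both same-subject certificates end up in the cache.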
