OpenSSL 0.9.8a 11 Oct 2005, SUSE Linux Enterprise
I have 2 "root" self signed certificates. If I do an SSL handshake with
the first:
The verification works ok. That is, the verify callback function only
gets a
X509_V_ERR_UNABLE_TO_GET_CRL (3).
If I do the handshake with the second:
I get a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18) error in the verify
callback function.
The only significant (and it shouldn't be significant I think)
difference is the order of the fields in the Issuer/Subject portions of
the certificate. The one that does not get the 18 error specified
C/ST/L/O/OU/CN/address,
while the one that gets the error is CN/O/OU/L/ST/C/address. I have a
workaround in my callback, so this is not a priority, but I thought
someone might be interested?
Jim Heit
Enterprise Server Communications Engineering
UNISYS Central Development Laboratory
Roseville, MN USA
+1(651)635-3169 Net2 524-3169
Fax +1(651)635-5260 Net2 524-5260
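An added example, not part of the original message: it DER-encodes one set of attributes in the two field orders described above to show what changes between them. The attribute values are constructed, and `name_hash_md5` follows the 0.9.8-era subject-hash scheme as an assumption (first four bytes of MD5 over the DER name, little-endian).

```python
import hashlib

# OIDs for the attribute types named in the message's two DN layouts.
OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
        "OU": "2.5.4.11", "CN": "2.5.4.3", "emailAddress": "1.2.840.113549.1.9.1"}
ORDER_A = ["C", "ST", "L", "O", "OU", "CN", "emailAddress"]  # layout without error 18
ORDER_B = ["CN", "O", "OU", "L", "ST", "C", "emailAddress"]  # layout with error 18
# Constructed sample values, not taken from the certificates in the message.
ATTRS = {"C": "US", "ST": "Example State", "L": "Example City", "O": "Example Org",
         "OU": "Example Unit", "CN": "host.example.test",
         "emailAddress": "admin@example.test"}

def tlv(tag, body):
    """DER tag-length-value, short or long form length."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_name(attrs, order):
    """Name ::= SEQUENCE OF SET OF SEQUENCE {type, value}; one attribute per RDN."""
    rdns = b""
    for key in order:
        tag = 0x16 if key == "emailAddress" else 0x13  # IA5String / PrintableString
        atv = tlv(0x30, oid(OIDS[key]) + tlv(tag, attrs[key].encode("ascii")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

def name_hash_md5(der):
    """Assumed old-style subject hash: MD5 of the DER name, first 4 bytes LE."""
    return "%08x" % int.from_bytes(hashlib.md5(der).digest()[:4], "little")

if __name__ == "__main__":
    for label, order in (("A", ORDER_A), ("B", ORDER_B)):
        der = encode_name(ATTRS, order)
        print(label, len(der), name_hash_md5(der), der.hex()[:32])
```

Both names carry identical attributes and have the same encoded length, yet their bytes differ, so each ordering is a distinct name wherever names are compared or looked up by their encoding.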
