I've been testing the openssl verify functionality.
I have the following chain:
server certificate
VeriSign Class 3 Extended Validation SSL CA
VeriSign Class 3 Public Primary CA - G5
The root CA and intermediate CA certificates are in my trusted CA
directory.
If I change a byte in the signature of the eBay certificate and run:
openssl verify -CApath <DIR> <CERT>
I get the expected error:
error 7 at 0 depth lookup:certificate signature failure
If I now rename the root CA certificate and run the same command, I get:
error 2 at 1 depth lookup:unable to get issuer certificate
If I restore the CA certificate and then ask for a CRL check:
openssl verify -crl_check -CApath <DIR> <CERT>
I get:
error 3 at 0 depth lookup:unable to get certificate CRL
It seems to me that the inability to find a trusted CA certificate or a
CRL is much less serious than a signature failure. However, if errors 2
or 3 are reported, I get no indication that the server certificate has
been tampered with.
If the signature can be verified (the issuer certificate is found) the
signature should be verified and a signature failure should be reported
in preference to other errors.
Kind regards,
Christopher Williams,
Software engineer, McAfee Inc.
McAfee International Limited is registered in England and Wales with its
registered address at 100 New Bridge Street, London, Company No. 02825890
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
