For the record, I've reported a bug [http://rt.openssl.org/index.html?q=1750] which is probably identical to the first issue mentioned. If it was fixed in 0.9.8-stable the bug ticket can be updated (closed?).

Cheers, Shmul

On Mon, Mar 9, 2009 at 4:10 PM, Stephen Henson via RT <[email protected]> wrote:
> [[email protected] - Tue Mar 03 08:06:37 2009]:
> >
> > Hi all,
> >
> > In the current release OpenSSL 0.9.8j, there are two bugs in
> > ./crypto/x509/x509_vfy.c and ./crypto/x509/x509_cmp.c
> >
> > Here are the details:
> >
> > 1) The return value of function X509_NAME_cmp in ./crypto/x509/x509_cmp.c
> > is not consistent. X509_NAME_cmp(a,b) should not only return a boolean
> > value (a=b or not) but also needs to return 0 means a>b, =0 means a=b.
> > Since this function is used in sort and bsearch functions, the return
> > value should be absolutely consistent. Say if a>b, b>c, then a>c should
> > be expected. The current logic may return conflicting results.
> >
> > We have a CA cert file which contains over 300 trusted CA certs; if we
> > enumerate the whole list and call X509_find_by_subject,
> > X509_find_by_subject will fail on some certs due to this problem.
> >
> > FIX: return a memcmp(a,b) value once we find any difference.
> >
>
> An update to X509_NAME_cmp() was applied to 0.9.8-stable recently,
> please try a recent snapshot.
>
> The "right" way is in 0.9.9-dev but the changes are considerable and
> change some public structures.
>
> > 2) X509_verify_cert function in ./crypto/x509/x509_vfy.c will only
> > verify the cert chain against the first cert in a trusted CA cert list.
> >
> > In the same cert file, we have two CA certs that have the exact same
> > subject line. Since X509_find_by_subject can only return the first
> > CA cert found in the list, X509_verify_cert failed to verify a cert
> > signed by the second CA cert; the root CA cert of this cert is in
> > the CA cert list but cannot be returned by the X509_find_by_subject
> > function.
> >
> > FIX: X509_find_by_subject should return a NULL-ended x509_NAME array;
> > X509_verify_cert can then try all the CA cert instances to verify
> > the cert chain.
> >
> > BTW, we prepared the CA cert file by importing root CA certs from
> > IE7/Firefox3 and other trusted sources. So it is a real problem.
> >
>
> If the subject names are identical but the chain can be determined by
> SKID/AKID then OpenSSL should handle this case correctly.
>
> If not please send me an example that misbehaves.
>
> Steve.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [email protected]
> Automated List Manager                           [email protected]
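Added illustration, not OpenSSL code and not from the report: a small C model of the two issues in the thread, with subjects as constructed strings standing in for canonical X509_NAME encodings and a hypothetical find-all lookup. It shows that a comparator which only answers equal/not-equal makes qsort/bsearch lookups miss entries while a memcmp-style total order finds all of them, and how widening a hit to its equal neighbours returns every CA that shares a duplicate subject instead of only the first.

```c
#include <stdlib.h>
#include <string.h>

#define N_NAMES 8

/* Constructed trusted-CA subject list (stand-ins for canonical X509_NAME
 * encodings); "CN=Root CA 3" appears twice, as in the report's second issue. */
static const char *SUBJECTS[N_NAMES] = {
    "CN=Root CA 7", "CN=Root CA 3", "CN=Root CA 1", "CN=Root CA 5",
    "CN=Root CA 3", "CN=Root CA 2", "CN=Root CA 6", "CN=Root CA 4",
};

/* Consistent comparator: a total order, like memcmp over the encoding. */
int name_cmp_consistent(const void *a, const void *b) {
    return strcmp(*(const char *const *)a, *(const char *const *)b);
}

/* Boolean "comparator": right about equality, but cmp(a,b) and cmp(b,a) are
 * both positive when a != b, so qsort and bsearch cannot navigate the list. */
int name_cmp_boolean(const void *a, const void *b) {
    return strcmp(*(const char *const *)a, *(const char *const *)b) != 0;
}

/* Sort a copy with cmp, then bsearch every subject with the same cmp (as a
 * find-by-subject lookup would); return how many of the lookups succeed. */
int count_found(int (*cmp)(const void *, const void *)) {
    const char *list[N_NAMES];
    int found = 0, i;
    memcpy(list, SUBJECTS, sizeof list);
    qsort(list, N_NAMES, sizeof list[0], cmp);
    for (i = 0; i < N_NAMES; i++)
        if (bsearch(&SUBJECTS[i], list, N_NAMES, sizeof list[0], cmp))
            found++;
    return found;
}

/* Hypothetical find-all variant: after a hit in a consistently sorted list,
 * widen to every neighbour with the same subject so a verifier can try each
 * CA instance, not only the first one found. Returns the number of matches. */
int count_by_subject(const char *subject) {
    const char *list[N_NAMES], **hit, **lo, **hi;
    memcpy(list, SUBJECTS, sizeof list);
    qsort(list, N_NAMES, sizeof list[0], name_cmp_consistent);
    hit = bsearch(&subject, list, N_NAMES, sizeof list[0], name_cmp_consistent);
    if (!hit) return 0;
    for (lo = hit; lo > list && strcmp(lo[-1], subject) == 0; lo--) {}
    for (hi = hit; hi + 1 < list + N_NAMES && strcmp(hi[1], subject) == 0; hi++) {}
    return (int)(hi - lo) + 1;
}
```

With the consistent comparator all eight lookups succeed; with the boolean one bsearch only ever probes the right-hand path of the array, so most lookups fail regardless of how qsort happened to arrange the list.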
