Hi,

   Do you have any update on this?

Thanks
SatishKumaar

-----Original Message-----
From: Satish Kamavaram 
Sent: Friday, April 18, 2014 12:29 PM
To: 'r...@openssl.org'
Cc: openssl-dev@openssl.org; Retheesh Ravi
Subject: RE: [openssl.org #3316] Wrong trust chain with new version of openssl 

We are not sure if it is an Apple iOS bug. Below is our observation.

- If we sign the profile using the 0.9.8 version, and download the profile from 
an https location, the iOS profile installer shows the profile as "Verified"
- If we sign the same profile using the 1.0.1 version and download the profile 
from an https location, the iOS profile installer shows the profile as "Not 
verified"

The only visible difference between these two versions of OpenSSL is the order 
in which the certificate is listed in the profile. Is there a difference in 
these two versions that causes the difference in this certificate listing 
order? Is there a way we can make the order the same to make it work while still 
using the latest version 1.0.1 of OpenSSL?

Thanks
SatishKumaar


-----Original Message-----
From: Stephen Henson via RT [mailto:r...@openssl.org]
Sent: Wednesday, April 16, 2014 11:44 PM
To: Satish Kamavaram
Cc: openssl-dev@openssl.org
Subject: [openssl.org #3316] Wrong trust chain with new version of openssl 

On Wed Apr 16 19:37:20 2014, satis...@mportal.com wrote:
> Hi,
>
> When the iOS WiFi Profile is signed using new openSSL 1.0.1 version, 
> it specifies the certificate chain in reverse order causing the device 
> not to recognize the certificate chain and show "Not Verified".
> However, when we sign using version 0.9.8k, the chain is included in 
> the correct order and the device is showing the profile as a 
> "Verified" one, at the time of showing profile installation prompt.
> Is there a possibility that we will get a fix in next version of 
> openssl?
>

I'm not sure what you mean by "correct order". The order of certificates in a
PKCS#7 structure should not be considered significant and there is additional 
information (issuer name and serial number) which should enable a verifier to 
locate the appropriate signing certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
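
The order-independent lookup described in the reply above (signer located by issuer name and serial number), as an added example that is not part of the original thread and not OpenSSL's code. It uses a simplified model of certificates rather than parsed DER; all names, serials and function names are constructed for illustration.

```python
from collections import namedtuple
from itertools import permutations

# Simplified model (assumption): a real verifier parses these fields from DER
# and also checks every signature; only the name/serial lookup is shown here.
Cert = namedtuple("Cert", "subject issuer serial")
SignerId = namedtuple("SignerId", "issuer serial")  # issuerAndSerialNumber

def find_signer(certs, sid):
    """Return the certificate named by the SignerInfo, wherever it sits."""
    matches = [c for c in certs if (c.issuer, c.serial) == (sid.issuer, sid.serial)]
    if len(matches) != 1:
        raise LookupError("signer certificate not found or ambiguous")
    return matches[0]

def build_chain(certs, sid, trusted_roots):
    """Walk issuer -> subject from the signer until a trusted root name issues."""
    by_subject = {c.subject: c for c in certs}
    chain = [find_signer(certs, sid)]
    while chain[-1].issuer not in trusted_roots:
        parent = by_subject.get(chain[-1].issuer)
        if parent is None or parent in chain:
            raise LookupError("incomplete or looping chain")
        chain.append(parent)
    return [c.subject for c in chain]

# Constructed sample data (hypothetical names and serial numbers).
LEAF = Cert("CN=Profile Signer", "CN=Example Intermediate CA", 0x1001)
INTER = Cert("CN=Example Intermediate CA", "CN=Example Root CA", 0x02)
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 0x01)
SID = SignerId("CN=Example Intermediate CA", 0x1001)
ROOTS = {"CN=Example Root CA"}

def chains_for_all_orders():
    """Build the chain for every ordering of the embedded certificate set."""
    return {tuple(build_chain(list(p), SID, ROOTS))
            for p in permutations([LEAF, INTER, ROOT])}

if __name__ == "__main__":
    # One element in the set: every ordering yields the same chain.
    print(chains_for_all_orders())
```
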
