On Wed Aug 05 01:06:40 2015, [email protected] wrote:
> Hi Steve,
>
> I've attached three certificate collections: two that fail (where
> subject == issuer) and one that works around the problem (where
> subject != issuer).
OK thanks for the examples.

The bug is that OpenSSL 1.0.2 is less strict about what counts as a valid self signed certificate. Before 1.0.2 the certificate had to have issuer and subject matching, if present AKID==SKID and keyUsage (if present) had to include keyCertSign. For 1.0.2 and later the keyCertSign check is no longer present.

The attached patch should fix it. Let me know if it works for you.

A workaround (other than making subject != issuer) is to include SKID/AKID in all certificates.

Regards, Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Attachment: diffs.ss (Description: Binary data)
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
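The three-part self-signed test Steve describes, written out as an added example in Go (this is not code from the thread, the attached patch, or OpenSSL itself). It applies the pre-1.0.2 rule (keyCertSign required when keyUsage is present) and the 1.0.2 rule (that check dropped) to constructed certificates modelling the reported collections: a genuine root, an end-entity certificate that reuses its issuer's DN with no SKID/AKID, the same certificate with SKID/AKID added (Steve's workaround), and one with a distinct DN (the reporter's workaround). All names, serial numbers and key identifiers are made up; only the Go standard library is used.

```go
// Added example, not OpenSSL code: the "is this certificate self-signed?" test
// from the mail, in its pre-1.0.2 and 1.0.2 variants, run against constructed
// certificates that model the failing and working collections.
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isSelfSigned applies the checks Steve lists: subject == issuer; AKID == SKID
// when both are present; and, when requireKeyCertSign is set (the pre-1.0.2
// rule), keyUsage must include keyCertSign if that extension is present.
// requireKeyCertSign=false reproduces 1.0.2, where the third check was dropped.
func isSelfSigned(c *x509.Certificate, requireKeyCertSign bool) bool {
	if !bytes.Equal(c.RawSubject, c.RawIssuer) {
		return false
	}
	if len(c.AuthorityKeyId) > 0 && len(c.SubjectKeyId) > 0 &&
		!bytes.Equal(c.AuthorityKeyId, c.SubjectKeyId) {
		return false
	}
	// Go leaves KeyUsage zero when the certificate has no keyUsage extension.
	if requireKeyCertSign && c.KeyUsage != 0 && c.KeyUsage&x509.KeyUsageCertSign == 0 {
		return false
	}
	return true
}

// DemoCerts are constructed certificates; every name and key id is made up.
type DemoCerts struct {
	CA                *x509.Certificate // genuine self-signed root
	LeafSameDN        *x509.Certificate // subject == issuer, no SKID/AKID: the failing collections
	LeafSameDNWithIDs *x509.Certificate // subject == issuer, SKID/AKID present: Steve's workaround
	LeafOtherDN       *x509.Certificate // subject != issuer: the collection that works
}

// sign issues tmpl under parent with priv and parses the resulting DER.
func sign(tmpl, parent *x509.Certificate, pub, priv interface{}) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func buildDemoCerts() (*DemoCerts, error) {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	caName := pkix.Name{CommonName: "Example Root CA"} // constructed DN
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: caName, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		SubjectKeyId: []byte("ca-skid"), // constructed key id
	}
	// End-entity template reusing the CA's DN, so subject == issuer once the CA signs it.
	// Not a CA: keyUsage lacks keyCertSign, and Go adds no SKID (nor AKID, as issuer == subject).
	sameDN := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: caName, NotBefore: now, NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	withIDs := *sameDN // Steve's workaround: carry SKID and AKID so AKID != SKID settles it
	withIDs.SerialNumber, withIDs.SubjectKeyId, withIDs.AuthorityKeyId = big.NewInt(3), []byte("leaf-skid"), ca.SubjectKeyId
	other := *sameDN // the reporter's workaround: a DN that differs from the issuer's
	other.SerialNumber, other.Subject = big.NewInt(4), pkix.Name{CommonName: "leaf.example"}

	d := &DemoCerts{}
	var err error
	if d.CA, err = sign(ca, ca, &caKey.PublicKey, caKey); err != nil {
		return nil, err
	}
	for _, p := range []struct {
		dst  **x509.Certificate
		tmpl *x509.Certificate
	}{{&d.LeafSameDN, sameDN}, {&d.LeafSameDNWithIDs, &withIDs}, {&d.LeafOtherDN, &other}} {
		if *p.dst, err = sign(p.tmpl, ca, &leafKey.PublicKey, caKey); err != nil {
			return nil, err
		}
	}
	return d, nil
}

func main() {
	d, err := buildDemoCerts()
	if err != nil {
		panic(err)
	}
	names := []string{"CA", "LeafSameDN", "LeafSameDNWithIDs", "LeafOtherDN"}
	for i, c := range []*x509.Certificate{d.CA, d.LeafSameDN, d.LeafSameDNWithIDs, d.LeafOtherDN} {
		fmt.Printf("%-18s pre-1.0.2: %-5v 1.0.2: %v\n", names[i], isSelfSigned(c, true), isSelfSigned(c, false))
	}
}
```

Running it shows the divergence the thread is about: only LeafSameDN changes verdict between the two rules, because the 1.0.2 rule has nothing left to distinguish an end-entity certificate that merely shares its issuer's DN from a real root once SKID/AKID are absent. Both workarounds (distinct DN, or SKID/AKID present so the second check fires) are classified as not self-signed under either rule.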
