On Thu, Jan 14, 2016 at 12:08:06PM -0500, Viktor Dukhovni wrote:
> Well I rewrote the certificate chain verification code, perhaps some more
> polish is needed. Please, if possible, send the chain being verified
> (the leaf and "untrusted" certs), plus the trusted roots (clearly
> marked as such), and I'll look into it.

I'm not sure this is going to be helpful since this is a very basic case and I cannot reproduce this with openssl verify. Anyway, the incorrect CA and the only certificate that was configured as trusted on the client was this one:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/ca-incorrect.pem

while the server used this certificate:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/server.pem

and this issuer:
http://w1.fi/cgit/hostap/plain/tests/hwsim/auth_serv/ca.pem

Not even the issuer subject name matches here.. Still, I'm getting this with pre-rel 2 on the client:

SSL: SSL_connect:SSLv3/TLS read server hello
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=FI/O=w1.fi/CN=Root CA'
TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=FI/O=w1.fi/CN=server.w1.fi'

And TLS handshake completes successfully. With OpenSSL 1.0.2d, this fails (as expected):

SSL: SSL_connect:SSLv3 read server hello A
OpenSSL: RX ver=0x303 content_type=22 (handshake/certificate)
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain) depth 1 for '/C=FI/O=w1.fi/CN=Root CA'

So this has to be something with how the chain verification code gets configured.. I'll see if I can find the commit that changed the behavior to make it a bit easier to figure out what exactly may have happened.

-- 
Jouni Malinen                                            PGP id EFC895FA
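The following is an added regression check, not code from this thread, from hostapd or from OpenSSL. It reproduces the shape of the report in Go's crypto/x509 instead of libssl: a server certificate issued by "Root CA", the Root CA sent along in the handshake as an untrusted certificate, and a client whose only trust anchor is an unrelated self-signed CA. The correct result is the one OpenSSL 1.0.2d gives (error 19, a self-signed certificate in the chain that is not in the trust store), and the second check confirms the same presented chain verifies once the real root is trusted. The subject names are constructed to match the DNs in the log lines; the "Incorrect CA" name is an assumption, since the mail does not show the subject of ca-incorrect.pem.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed set of certificates modelled on the report:
// the root that issued the server cert, and an unrelated self-signed CA
// that the client is (wrongly) configured to trust instead.
type TestPKI struct {
	RootCA, IncorrectCA, Server *x509.Certificate
}

func subject(cn string) pkix.Name {
	return pkix.Name{Country: []string{"FI"}, Organization: []string{"w1.fi"}, CommonName: cn}
}

// selfSignedCA creates a self-signed CA certificate and its signing key.
func selfSignedCA(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject(cn),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildTestPKI generates Root CA, an unrelated "Incorrect CA" (assumed name),
// and server.w1.fi signed by Root CA.
func BuildTestPKI() (*TestPKI, error) {
	root, rootKey, err := selfSignedCA("Root CA", 1)
	if err != nil {
		return nil, err
	}
	incorrect, _, err := selfSignedCA("Incorrect CA", 2)
	if err != nil {
		return nil, err
	}
	serverKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      subject("server.w1.fi"),
		DNSNames:     []string{"server.w1.fi"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, root, &serverKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	server, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &TestPKI{RootCA: root, IncorrectCA: incorrect, Server: server}, nil
}

// VerifyPresentedChain models the client: the leaf and everything else the
// server sent are untrusted input; only configured anchors may end a chain.
func VerifyPresentedChain(leaf *x509.Certificate, presented, trusted []*x509.Certificate) error {
	roots, untrusted := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		untrusted.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: untrusted, DNSName: "server.w1.fi",
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RejectsWrongAnchor: server + Root CA presented, only Incorrect CA trusted.
// The self-signed Root CA is not in the store, so the chain must not verify
// (Go's counterpart of OpenSSL error 19).
func RejectsWrongAnchor(p *TestPKI) bool {
	err := VerifyPresentedChain(p.Server, []*x509.Certificate{p.RootCA}, []*x509.Certificate{p.IncorrectCA})
	var unknown x509.UnknownAuthorityError
	return errors.As(err, &unknown)
}

// AcceptsCorrectAnchor: the same presented chain verifies once Root CA is trusted.
func AcceptsCorrectAnchor(p *TestPKI) bool {
	return VerifyPresentedChain(p.Server, []*x509.Certificate{p.RootCA}, []*x509.Certificate{p.RootCA}) == nil
}

func main() {
	p, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("wrong anchor rejected:", RejectsWrongAnchor(p))
	fmt.Println("correct anchor accepted:", AcceptsCorrectAnchor(p))
}
```

The point of keeping the presented root in the untrusted pool rather than the trust store is exactly the distinction the report hinges on: a verifier that accepts a self-signed certificate merely because the peer included it in the chain has no trust anchor at all, and the depth=1 `preverify_ok=1` line in the pre-release log is what that failure looks like from a verify callback.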