On Fri, Oct 30, 2009, Daniel Marschall wrote:

> 2009/10/30 Dr. Stephen Henson <st...@openssl.org>:
> > On Fri, Oct 30, 2009, Daniel Marschall wrote:
> >
> >>
> >> >
> >> > 2) When you enable informational messages, you get accurate informational
> >> > messages.
> >>
> >> Please tell me, why it isn't a bug! I don't understand it. In my case
> >> and also in the uncleared case of Helga Krause, the CRL was issued by
> >> Person X and the CRT was also issued by Person X. "-issuer_checks"
> >> should output nothing. But instead, it does tell me that the issuers
> >> are different. But they are equal. So, it is a bug, isn't it?
> >>
> >
> > As I mentioned it is a diagnostic output. Let me give a simplified example.
> > Imagine you have a certificate x and three certificates which might be the
> > issuer A, B and C. Suppose C is the actual issuer.
> >
> > Various checks are performed during the verification process.
> >
> > Normally this will happen:
> >
> > It will look at A and discard it for some reason.
> >
> > It will look at B and discard it for some reason.
> >
> > It will look at C, accept it and carry on.
> >
> > This is just an example, it might see C first and never touch A and B.
> >
> > Normally all this is invisible to the user and this output is never
> > presented: that's why the option is disabled by default.
> >
> > Now imagine a second scenario where A, B and C are rejected. OpenSSL would
> > by default under these circumstances produce an error saying that the issuer
> > could not be found. This could be because it never looked up C or it saw C
> > and rejected it but with no indication why.
> 
> Hello Steve.
> 
> Thank you for the detailed example, but I fear you missed the point. I
> do not get a message that issuer C was not found or rejected. I get
> the message "error 29 at 0 depth lookup:subject issuer mismatch"
> without any other information:
> 

Perhaps I should have expanded a little more. If you consider the first
example again:

It will look at A and discard it for some reason.

It will look at B and discard it for some reason.

It will look at C, accept it and carry on.

Now you don't get any error here and verification is fine. If however you set
-issuer_checks you get diagnostics relating to the rejection of A and B. The
verification still succeeds because C is later accepted but the verification
process doesn't know that at the time A and B are being tested.
 
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
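To make Steve's A/B/C walk-through concrete, here is an added model of the candidate-issuer loop. It is not OpenSSL's code and not part of the thread; it only reproduces the behaviour described above: each candidate issuer in the store is tested in turn, a rejection is reported only when issuer checks are enabled, and a later acceptance still makes verification succeed. The numeric codes 20, 29 and 30 follow OpenSSL's X509_V_ERR_* values and the "error N at D depth lookup:" wording follows the message Daniel quoted; the certificates, names and key identifiers are constructed sample data, and the check order (names first, then key identifiers) is an assumption made for illustration.

```python
"""Model of the issuer-candidate loop discussed in the thread (added example, not OpenSSL code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Numeric codes follow OpenSSL's X509_V_ERR_* values; message text follows the CLI's wording.
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29
X509_V_ERR_AKID_SKID_MISMATCH = 30

ERR_TEXT = {
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: "unable to get local issuer certificate",
    X509_V_ERR_SUBJECT_ISSUER_MISMATCH: "subject issuer mismatch",
    X509_V_ERR_AKID_SKID_MISMATCH: "authority and subject key identifier mismatch",
}


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: names and key identifiers only."""
    subject: str
    issuer: str
    skid: str  # subject key identifier of this certificate's own key
    akid: str  # identifier of the key that signed this certificate


@dataclass
class VerifyResult:
    ok: bool
    issuer: Optional[Cert]
    diagnostics: List[str] = field(default_factory=list)


def check_issued(candidate: Cert, cert: Cert) -> int:
    """Return 0 if `candidate` plausibly issued `cert`, otherwise an X509_V_ERR code.

    Assumed check order for this model: names first, then key identifiers.
    """
    if candidate.subject != cert.issuer:
        return X509_V_ERR_SUBJECT_ISSUER_MISMATCH
    if candidate.skid != cert.akid:
        return X509_V_ERR_AKID_SKID_MISMATCH
    return 0


def find_issuer(cert: Cert, candidates: List[Cert],
                issuer_checks: bool = False, depth: int = 0) -> VerifyResult:
    """Walk the candidates in store order, like the A, B, C example in the thread."""
    diags: List[str] = []
    for cand in candidates:
        err = check_issued(cand, cert)
        if err == 0:
            # Accepted: verification carries on. Earlier rejections survive only as
            # diagnostics, and only if issuer checks were requested.
            return VerifyResult(True, cand, diags)
        if issuer_checks:
            diags.append(f"error {err} at {depth} depth lookup:{ERR_TEXT[err]}")
    # Every candidate rejected: this is the real error and is reported regardless of the flag.
    err = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    diags.append(f"error {err} at {depth} depth lookup:{ERR_TEXT[err]}")
    return VerifyResult(False, None, diags)


# Constructed sample data: x is signed by C; A and B are unrelated CAs;
# C_OLD carries C's name but a different (older) key.
CA_A = Cert("CN=CA A", "CN=CA A", "kid-A", "kid-A")
CA_B = Cert("CN=CA B", "CN=CA B", "kid-B", "kid-B")
CA_C = Cert("CN=CA C", "CN=CA C", "kid-C", "kid-C")
CA_C_OLD = Cert("CN=CA C", "CN=CA C", "kid-C-old", "kid-C-old")
X = Cert("CN=x", "CN=CA C", "kid-x", "kid-C")

if __name__ == "__main__":
    for flag in (False, True):
        r = find_issuer(X, [CA_A, CA_B, CA_C], issuer_checks=flag)
        print(f"issuer_checks={flag}: ok={r.ok} issuer={r.issuer.subject if r.issuer else None}")
        for line in r.diagnostics:
            print("  ", line)
    r = find_issuer(X, [CA_A, CA_B], issuer_checks=True)
    print(f"C absent from store: ok={r.ok}")
    for line in r.diagnostics:
        print("  ", line)
```

Running it shows the three situations the thread covers: with the flag off the A/B rejections are silent and verification succeeds; with the flag on the same two "error 29 ... subject issuer mismatch" lines appear yet the result is still success because C is accepted afterwards; and only when C is absent does a real error (code 20) terminate the lookup.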