Hi list, I'm quite puzzled and hope somebody can help me. I'm handling a large number of certificates and for generating testcases for the software I employ, I wrote a small script that downloaded web server certificates en bulk and then processed them, to check for irregularities.
My software barfed on a certain certificate, which is this one: -----BEGIN CERTIFICATE----- MIIC8TCCAdmgAwIBAgIQNmL4pIUXFpRBUK7QhJR/JjANBgkqhkiG9w0BAQUFADAg MR4wHAYDVQQDExVXTVN2Yy1XSU4tRUVCSExDODFHSjgwHhcNMTAxMjIzMjAzOTU0 WhcNMjAxMjIwMjAzOTU0WjAgMR4wHAYDVQQDExVXTVN2Yy1XSU4tRUVCSExDODFH SjgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD6CNzdS+lWquEQndmY R1XY6cEqeMSB6YVSxXFAARRsdLQceCIpZbD5CijYklx874gOokTwSzZ7EJ6QSPUL jItM5PRlkeh0twrVEU5UTeqybAnVEciL5oVy6EPm4niYweAJrf5QCtPcORtt2Kjs xYAX2Ltl7mjvi+QM+XwDX0LKWyIjpYTZXB/5XRnpzUuBw3pDx+z4fWk8SFqN4Ptb /7fZSoxI6VeuTvrgS4aMyjsPylPnpXVAFYOcxketS0D1F9m0z5t3eD3hXesgbCHS svy0gACF3qvarJiE6MVDaJ/tlX408G9V3gEHpCCrk+yL5FiT/dtr7tNlWMt+o9D4 5/kNAgMBAAGjJzAlMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwQHAwUAsAAA ADANBgkqhkiG9w0BAQUFAAOCAQEAYvuUspk2lHiP3IM4maY2DOH0UfSsldyqOICP ue3xmqNnkhN7QBe8GIcsKt3fiozC7L+zcxdIY6L7WgGx1+aK8f3AKl/FojPegMhC WsgNy5WsR+jLUduclZDGf4qXxo9Vs1qXeP4qYZOa1rtqiBfFaQsxs4+XyFHdaB8N HzviKd8NSeCn+ZfUTKYlErUAL+qtLaQQTqVvBVnwR9yT74izZ48f0mX8zHYMFJIk mokioFqzl2ZVF98JBLSy6sNTZfO+eg98g3uDVRwq9JyvsWp1OJ94BvoXFZX7ETDM Z53Hp5s3YUNRptlIvzre/foKg4MZB8BNUsEUdgaGOeoXho7jDA== -----END CERTIFICATE----- It's seemingly self-signed, but then again -- not. When I call openssl: $ openssl verify -CApath /dev/null -CAfile weird.crt weird.crt weird.crt: /CN=WMSvc-WIN-EEBHLC81GJ8 error 20 at 0 depth lookup:unable to get local issuer certificate Interestingly the lookup fails at depth 0 (!). If a parent certificate were missing, I'd expect a lookup fail at depth 1. When I create a self-signed certificate: $ openssl req -new -x509 -nodes -out foobar.crt And check it then: $ openssl verify -CApath /dev/null -CAfile foobar.crt foobar.crt foobar.crt: OK I'm puzzled and before jumping to conclusions wanted to ask you first what you think of that. Best regards, Johannes ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
