Dear All,
I am working on an embedded product which has the OpenSSL 0.9.8w library and 
acts as a client.
It is communicating with another product which has the OpenSSL 0.9.8e library 
and acts as a server.

A customer has supplied the client certificate for the server and the 
associated root CA that signed the client certificate.
The client certificate is installed on the server, the root CA is installed on 
the client, and the client is authenticating the server.
Unfortunately, the client is failing the authentication with error 20, "can't 
find local issuer certificate".

Having spent some time investigating why this is, I found the server certificate 
has the issuer in the form C=... ST=... L=... O=... OU=... CN=...
and the root CA has the identical string for both issuer and subject in the 
reverse order CN=... OU=... O=... L=... ST=... C=...
As a result X509_NAME_cmp fails the comparison.

I thought the ordering of the distinguished name in X509 is unimportant, yet it 
appears to be in OpenSSL.
Is this true?

I have trawled the web and found the following statement...
According to X.500, both forms should be acceptable and an order-insensitive way 
to compare DNs is defined. Unfortunately, when looking up trusted certificates in 
their keystore, many libraries compare issuer DNs in the same order they 
are encoded. This problem especially affects OpenSSL-based software, which 
computes a hash on the DN to speed up certificate search.

My reason for seeking assistance is to have the facts so that I can present 
them to the customer and suggest any restrictions that may be appropriate to 
the creation of the certificates.

Thank you for your assistance and I look forward to your response.

Thanks..
John

John Simner BSc(Hons) MSc CEng. MIET
Software Engineer
Siemens Enterprise Communications Limited
Tel: + 44 (0) 1908 817378
Please Note New Telephone number from 11/09/10: + 44 (0) 1908 817378
Email: john.sim...@siemens-enterprise.com
www.siemens.co.uk/enterprise

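As an added illustration of the failure described in the mail (this is not part of John's message, nor OpenSSL's own code), the pure-Python script below DER-encodes the same six RDNs in the two orders he describes, computes the 0.9.8-style name hash that hashed certificate directories use (MD5 over the encoded name, first four bytes little-endian), and compares the two names both by encoding (what 0.9.8's X509_NAME_cmp effectively does) and order-insensitively (the comparison the quoted web text refers to). The DN values are constructed sample data, and the encoder assumes single-valued RDNs with PrintableString values.

```python
import hashlib

# Attribute types used in the mail; the values further down are constructed samples.
OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7",
        "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """Encode a dotted OID: first two arcs packed, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_name(rdns):
    """DER Name: SEQUENCE of single-valued RDNs (SET of one AttributeTypeAndValue)."""
    body = b"".join(
        tlv(0x31, tlv(0x30, encode_oid(OIDS[attr]) + tlv(0x13, value.encode("ascii"))))
        for attr, value in rdns)
    return tlv(0x30, body)

def name_hash_0_9_8(der_name):
    """0.9.8-style X509_NAME_hash: first four MD5 bytes of the DER name, little-endian."""
    return int.from_bytes(hashlib.md5(der_name).digest()[:4], "little")

def cmp_by_encoding(a, b):
    """Byte-compare the DER encodings, so RDN order matters (0.9.8 behaviour)."""
    return encode_name(a) == encode_name(b)

def cmp_order_insensitive(a, b):
    """Same RDNs in any order, as the order-insensitive comparison described in the mail."""
    return sorted(a) == sorted(b)

# Constructed sample: server certificate issuer (forward) and root CA subject (reversed).
SERVER_ISSUER = [("C", "GB"), ("ST", "Bucks"), ("L", "Milton Keynes"),
                 ("O", "Example Ltd"), ("OU", "Engineering"), ("CN", "Example Root CA")]
ROOT_SUBJECT = list(reversed(SERVER_ISSUER))

def diagnose():
    """Hashes differ, so the hashed-dir lookup misses; the encoded compare fails too."""
    return {"issuer_hash": "%08x" % name_hash_0_9_8(encode_name(SERVER_ISSUER)),
            "root_hash": "%08x" % name_hash_0_9_8(encode_name(ROOT_SUBJECT)),
            "encoded_match": cmp_by_encoding(SERVER_ISSUER, ROOT_SUBJECT),
            "order_insensitive_match": cmp_order_insensitive(SERVER_ISSUER, ROOT_SUBJECT)}
```

Running `diagnose()` against the customer's real DNs (with the same attribute types) shows whether the issuer and root subject hash to different directory entries, which is the same outcome `openssl x509 -hash -noout` on each certificate would reveal.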