Hello,
For some time now I've been having problems with X509_verify() from
openssl-1.0.0-27.el6_4.2.i686, shipped with the latest RHEL 6. The problem is
that a self-signed certificate that I generate and verify on the server
side fails to verify on the client side after the TLS handshake.
Since this works fine with the latest OpenSSL, I assumed it's a bug in OpenSSL
and did a git-bisect. The commit that fixes it seems to be:
commit 39239280f3576f3418dadbf751bc7a2bb3252d4e
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Sun Oct 3 18:58:09 2010 +0000

    Add call to ENGINE_register_all_complete() to
    ENGINE_load_builtin_engines(), this means that some implementations will
    be used automatically, e.g. aesni, we do this for cryptodev anyway.

    Setup cpuid in ENGINE_load_builtin_engines() too as some ENGINEs use
    it.

This commit contains the following description in CHANGES:
+ *) Don't reencode certificate when calculating signature: cache and use
+ the original encoding instead. This makes signature verification of
+ some broken encodings work correctly.
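Review bot: The CHANGES text added here is not reflected in the commit message quoted above, which covers only ENGINE_register_all_complete() and the cpuid setup in ENGINE_load_builtin_engines(); the message should mention the signature-encoding change, or the entry should go in with the commit that makes it. The phrase "some broken encodings" is also too vague for a changelog: say which kind of encoding is meant, so users can tell whether their certificates are affected.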
Can you please explain to me what a "broken" encoding is, and how I might
be using it? How can I self-sign a certificate that can be verified in old
versions as well?
Thank you in advance,
Dimitris
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org