On 19/06/2015 16:24, Ben Humpert wrote:
> When the CSR contains an email address and the email_in_dn setting in
> the config file is set to "no" the email address is actually present
> in the issuer DN but not in the subject DN. This causes errors when
> verifying certificate chains since the subject hash is used to
> identify a cert but the issuer hash is different.
Are you sure?  I have not seen this behavior in current
versions when making self-signed certificates, could
you provide step by step reproduction procedures to
cause this misbehavior?
> A dirty workaround is to 1) link the subject hash to the cert file and
> additionally 2) link the issuer hash to the same cert file
Such a workaround would be absolutely no help for
anyone using any other crypto library to verify the
certificate chain.

If OpenSSL certificate verification accepts an invalid
certificate chain by simply linking from the wrong
hash to a certificate with a different subject, then
that is a minor security vulnerability in the
verification code in OpenSSL, as that would also make
it fail for any fake issuer name chosen to have the
same (non-cryptographic) hash as an already trusted
certificate.  The limitation of such a vulnerability
would be that the cryptographic keys still need to
match.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
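An added example, not part of the thread: this shell script uses the openssl CLI to recreate the symptom Ben describes without the ca tool. It builds two self-signed CA certificates over one key, one whose subject DN carries emailAddress and one without, signs a leaf under the first, and then checks whether the leaf's issuer hash lines up with each CA's subject hash (the link that c_rehash-style hashed directories depend on), whether the keys match, and whether openssl verify accepts the chain. All names, files and the scratch directory are constructed here.

```shell
#!/bin/sh
# Added demo script (not from the thread). Requires the openssl CLI.
# Every certificate name, file and the scratch directory is constructed here.
set -e
WORK=$(mktemp -d)

# One CA key, two self-signed CA certs over it: subject DN with and without emailAddress.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -days 1 \
  -subj "/CN=Demo CA/emailAddress=ca@example.com" -out "$WORK/ca_email.pem" 2>/dev/null
openssl req -x509 -new -key "$WORK/ca.key" -days 1 \
  -subj "/CN=Demo CA" -out "$WORK/ca_noemail.pem" 2>/dev/null

# Leaf signed by the CA cert whose subject carries emailAddress, so the leaf's
# issuer DN carries it too.  Verifying against ca_noemail.pem then mirrors the
# reported case: the CA public key matches, but issuer DN != CA subject DN.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -subj "/CN=leaf.example.com" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca_email.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null

# Hashed cert directories (c_rehash) are keyed by the CA's subject DN hash; the
# verifier looks up the leaf's issuer DN hash.  Succeeds only when the two agree.
dn_link_ok() {
  [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$2" -noout -subject_hash)" ]
}

# Succeeds when two certificates carry the same public key (SHA-256 over the DER SPKI).
same_key() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# Succeeds when openssl verify can build the chain leaf -> CA.
verify_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Print the three checks for one leaf/CA pair.
report() {
  echo "== leaf $1 against CA $2"
  if dn_link_ok "$1" "$2"; then echo "issuer_hash == subject_hash: yes"; else echo "issuer_hash == subject_hash: NO"; fi
  if same_key "$2" "$WORK/ca_email.pem"; then echo "CA key matches signing key: yes"; else echo "CA key matches signing key: NO"; fi
  if verify_ok "$1" "$2"; then echo "openssl verify: OK"; else echo "openssl verify: FAILED"; fi
}

report "$WORK/leaf.pem" "$WORK/ca_email.pem"
report "$WORK/leaf.pem" "$WORK/ca_noemail.pem"
```

The second report shows the situation from the thread: same CA key, but the DN hashes differ and chain building fails because the issuer is located by name, not by key.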

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
