Hi Steve,
I've attached three certificate collections: two that fail (where subject ==
issuer) and one that works around the problem (where subject != issuer). In my
personal testing (on OS X), OpenSSL 0.9.8zd (installed by the OS) works on all
three collections, whereas OpenSSL 1.0.2d (installed via MacPorts) fails on the
fail*.tar.gz ones. You can see the problem with the following:
% tar xpvf ~/Desktop/fail1.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
> -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1 &
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
> -cert tls/cert.pem -CAfile tls/ca.pem -tls1

wrote:
> On Tue Aug 04 18:25:25 2015, m...@bogosian.net wrote:
>>
>> Please let me know if you have any questions, and I'd be happy to
>> elaborate.
>>
>
> Can you attach examples of the two certificates (EE and CA) that exhibit this
> problem?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
fail1.tar.gz
Description: GNU Zip compressed data
fail2.tar.gz
Description: GNU Zip compressed data
succ.tar.gz
Description: GNU Zip compressed data
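
Added example, not part of the original message or of the OpenSSL project's code: a shell helper that reports, for a tls/ directory shaped like the listing in the message, whether a certificate has subject == issuer while carrying a different key than the CA (the shape of the failing collections). The function names, the CN values and the generated sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag certificates whose subject equals their issuer
# although they carry a different public key than the CA certificate.

# Print the subject or issuer DN ($1 = subject|issuer, $2 = PEM file).
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Print the certificate's public key in PEM form.
pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# classify CERT CA -> distinct-names | ca-key | self-issued
classify() {
    if [ "$(dn subject "$1")" != "$(dn issuer "$1")" ]; then
        echo distinct-names          # subject != issuer
    elif [ "$(pubkey "$1")" = "$(pubkey "$2")" ]; then
        echo ca-key                  # subject == issuer, and it is the CA's key
    else
        echo self-issued             # subject == issuer, but a different key
    fi
}

# Build constructed sample files named like the tls/ listing in the message.
# $1 = output directory, $2 = subject for the end-entity certificate.
make_sample() {
    mkdir -p "$1/tls" && (
        cd "$1/tls" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo" \
            -keyout cakey.pem -out ca.pem 2>/dev/null
        openssl req -newkey rsa:2048 -nodes -subj "$2" \
            -keyout key.pem -out req.pem 2>/dev/null
        openssl x509 -req -in req.pem -CA ca.pem -CAkey cakey.pem \
            -CAcreateserial -days 1 -out cert.pem 2>/dev/null
    )
}

work=$(mktemp -d)
make_sample "$work/same" "/CN=demo"      # constructed: subject == issuer
make_sample "$work/diff" "/CN=client"    # constructed: subject != issuer
for d in same diff; do
    for f in ca.pem cert.pem; do
        echo "$d/tls/$f: $(classify "$work/$d/tls/$f" "$work/$d/tls/ca.pem")"
    done
done
rm -rf "$work"
```

A cert.pem classified as self-issued has the same name as its CA without being the CA, which is worth checking before comparing verification results across OpenSSL versions.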