Hi Steve,
I've attached three certificate collections: two that fail (where subject ==
issuer) and one that works around the problem (where subject != issuer). In my
personal testing (on OS X), OpenSSL 0.9.8zd (installed by the OS) works on all
three collections, whereas OpenSSL 1.0.2d (installed via MacPorts) fails on the
fail*.tar.gz ones. You can see the problem with the following:
% tar xpvf ~/Desktop/fail1.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
-CAfile tls/ca.pem -tls1
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
-cert tls/cert.pem -CAfile tls/ca.pem -tls1 < /dev/null # works
depth=1 /O=Boot2Docker
verify return:1
depth=0 /O=Boot2Docker
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
-cert tls/cert.pem -CAfile tls/ca.pem -tls1 < /dev/null # fails
depth=0 O = Boot2Docker
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Boot2Docker
verify error:num=21:unable to verify the first certificate
verify return:1
...
% tar xpvf ~/Desktop/fail2.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
-CAfile tls/ca.pem -tls1
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
-cert tls/cert.pem -CAfile tls/ca.pem -tls1 < /dev/null # works
depth=1 /O=b2d
verify return:1
depth=0 /O=b2d
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
-cert tls/cert.pem -CAfile tls/ca.pem -tls1 < /dev/null # fails
depth=0 O = b2d
verify error:num=18:self signed certificate
verify return:1
depth=0 O = b2d
verify error:num=21:unable to verify the first certificate
verify return:1
...
% tar xpvf ~/Desktop/succ.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
-CAfile tls/ca.pem -tls1
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
-cert tls/cert.pem -CAfile tls/ca.pem -tls1 < /dev/null # works
depth=1 /O=Boot2DockerCA
verify return:1
depth=0 /O=Boot2Docker
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
-cert tls/cert.pem -CAfile tls/ca.pem -tls1 < /dev/null # works
depth=1 O = Boot2DockerCA
verify return:1
depth=0 O = Boot2Docker
verify return:1
...
—Matt
On Aug 4, 2015, at 17:05, Stephen Henson via RT r...@openssl.org wrote:
On Tue Aug 04 18:25:25 2015, m...@bogosian.net wrote:
Please let me know if you have any questions, and I'd be happy to
elaborate.
Can you attach examples of the two certificates (EE and CA) that exhibit this
problem?
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
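An added check, not part of the thread or of OpenSSL: it rebuilds the two layouts Matt describes with the openssl CLI (a CA and a leaf sharing O=Boot2Docker, versus a CA named Boot2DockerCA) and flags a leaf whose subject DN equals its issuer DN while its key is not the CA's key, which is the shape that 1.0.2 reports as error 18. The function names make_pair, pubkey_hash and dn_collides and the temp-dir layout are mine; the certificates are constructed on the fly.

```shell
#!/bin/sh
# Added example: detect a leaf certificate that is not self-signed but carries
# the same DN as its issuer, so a name-only self-signed heuristic misclassifies it.
set -eu

# Issue a throwaway CA and a leaf signed by it (constructed test data).
make_pair() {  # make_pair <dir> <ca_org> <leaf_org>
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=$2" \
    -keyout "$1/cakey.pem" -out "$1/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=$3" \
    -keyout "$1/key.pem" -out "$1/cert.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1/cert.csr" -CA "$1/ca.pem" \
    -CAkey "$1/cakey.pem" -CAcreateserial -out "$1/cert.pem" >/dev/null 2>&1
}

# SHA-256 of the SubjectPublicKeyInfo; equal hashes mean the same key.
pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256; }

# Returns 0 when the leaf's subject equals its issuer but its key differs
# from the signer's key (DN collision), 1 otherwise. The "subject=" and
# "issuer=" prefixes are stripped so 1.0.x and 1.1+/3.x output compare alike.
dn_collides() {  # dn_collides <leaf.pem> <ca.pem>
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
  [ "$(pubkey_hash "$1")" != "$(pubkey_hash "$2")" ]
}

# Stand-alone demo: run as "sh check.sh demo" to build both layouts.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_pair "$d/fail" Boot2Docker Boot2Docker
  make_pair "$d/succ" Boot2DockerCA Boot2Docker
  dn_collides "$d/fail/cert.pem" "$d/fail/ca.pem" && echo "fail: subject == issuer, separate key"
  dn_collides "$d/succ/cert.pem" "$d/succ/ca.pem" || echo "succ: distinct CA name"
  rm -rf "$d"
fi
```

A genuinely self-signed certificate (ca.pem checked against itself) passes, since its key and the signer's key are the same; only the leaf-with-CA-DN case is reported.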