[openssl-dev] [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text

2015-10-15 Thread Stephen Henson via RT
Fixed now, thanks for the report.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text

2015-08-05 Thread Stephen Henson via RT
On Wed Aug 05 01:06:40 2015, m...@bogosian.net wrote:
> Hi Steve,
>
> I've attached three certificate collections: two that fail (where
> subject == issuer) and one that works around the problem (where
> subject != issuer).

OK, thanks for the examples. The bug is that OpenSSL 1.0.2 is less strict about
what counts as a valid self-signed certificate. Before 1.0.2 the certificate
had to have issuer and subject matching, if present AKID == SKID, and
keyUsage (if present) had to include keyCertSign. For 1.0.2 and later the
keyCertSign check is no longer present.

The attached patch should fix it. Let me know if it works for you.

A workaround (other than making subject != issuer) is to include SKID/AKID in
all certificates.

Regards, Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



Attachment: diffs.ss (Binary data)
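The following script is an added example, not code from this thread or from the OpenSSL project. It rebuilds the shape of the reporter's fail1 collection (CA and end-entity certificate both named O=Boot2Docker, so the subject text of the EE certificate equals its issuer text), issues that EE certificate once without SKID/AKID and once with them (the workaround Steve suggests above), and runs `openssl verify` on each. It assumes an `openssl` binary on PATH; the config section names (v3_ca, ee_noids, ee_ids), file names and temporary directory are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project).
# Builds a CA and an EE certificate whose subject text == issuer text,
# first without SKID/AKID and then with them, and verifies each against
# the CA. Assumes `openssl` on PATH; section and file names are assumptions.

write_config() {            # $1 = path of the config file to write
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = Boot2Docker
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ee_noids ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ ee_ids ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

make_ca() {                 # $1 = work dir; self-signed CA with SKID/AKID and keyCertSign
    write_config "$1/x509.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -config "$1/x509.cnf" -extensions v3_ca \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

issue_ee() {                # $1 = work dir, $2 = extension section (ee_noids | ee_ids)
    # The CSR reuses the [dn] section, so the EE subject is O=Boot2Docker,
    # exactly the string the CA carries as its own subject.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/x509.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 365 -sha256 -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/x509.cnf" -extensions "$2" \
        -out "$1/$2.pem" >/dev/null 2>&1
}

names_match() {             # $1 = cert; prints 1 if subject text == issuer text, else 0
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//')
    [ "$s" = "$i" ] && echo 1 || echo 0
}

verify_ok() {               # $1 = work dir, $2 = cert; exit 0 if EE -> CA verifies
    openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir" || { echo "CA generation failed"; return 1; }
    for sec in ee_noids ee_ids; do
        issue_ee "$dir" "$sec" || { echo "issuing $sec failed"; return 1; }
        printf '%s: subject text == issuer text: %s; ' \
            "$sec" "$(names_match "$dir/$sec.pem")"
        if verify_ok "$dir" "$dir/$sec.pem"; then
            echo "verify OK"
        else
            echo "verify FAILED"
        fi
    done
    openssl version
    rm -rf "$dir"
}

demo
```

The ee_ids certificate should verify with any OpenSSL release, because its AKID names the CA's key rather than its own, so the "looks self-signed" heuristic cannot misfire on it. What happens to ee_noids depends on the OpenSSL version the script is run under, which is the point of the report; inspect the two certificates with `openssl x509 -noout -text -in ...` to compare their extensions.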


[openssl-dev] [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text

2015-08-04 Thread Stephen Henson via RT
On Tue Aug 04 18:25:25 2015, m...@bogosian.net wrote:

> Please let me know if you have any questions, and I'd be happy to
> elaborate.


Can you attach examples of the two certificates (EE and CA) that exhibit this
problem?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



[openssl-dev] [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text

2015-08-04 Thread Matt Bogosian via RT
Later versions[1] of OpenSSL will (mistakenly) complain that if subject text == 
issuer text, then the certificate is self-signed (even if it isn't).

[1] I haven't narrowed down exactly which; 0.9.8 and 1.0.0 generally don't 
exhibit this problem, whereas 1.0.1 and 1.0.2 generally do.

A more detailed explanation (with examples) can be found here:

https://github.com/docker/compose/issues/890#issuecomment-127662092

Please let me know if you have any questions, and I'd be happy to elaborate.


Sincerely,
Matt Bogosian
+1.831.824.4442








Re: [openssl-dev] [openssl.org #3979] New OpenSSL issue: valid certificate fails validation where subject text == issuer text

2015-08-04 Thread Matt Bogosian via RT
Hi Steve,

I've attached three certificate collections: two that fail (where subject == 
issuer) and one that works around the problem (where subject != issuer). In my 
personal testing (on OS X), OpenSSL 0.9.8zd (installed by the OS) works on all 
three collections, whereas OpenSSL 1.0.2d (installed via MacPorts) fails on the 
fail*.tar.gz ones. You can see the problem with the following:

% tar xpvf ~/Desktop/fail1.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
 -CAfile tls/ca.pem -tls1 
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
 -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=Boot2Docker
verify return:1
depth=0 /O=Boot2Docker
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
 -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # fails
depth=0 O = Boot2Docker
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Boot2Docker
verify error:num=21:unable to verify the first certificate
verify return:1
...
% tar xpvf ~/Desktop/fail2.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
 -CAfile tls/ca.pem -tls1 
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
 -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=b2d
verify return:1
depth=0 /O=b2d
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
 -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # fails
depth=0 O = b2d
verify error:num=18:self signed certificate
verify return:1
depth=0 O = b2d
verify error:num=21:unable to verify the first certificate
verify return:1
...
% tar xpvf ~/Desktop/succ.tar.gz
x tls/
x tls/ca.pem
x tls/cakey.pem
x tls/cert.pem
x tls/hostnames
x tls/key.pem
x tls/server.pem
x tls/serverkey.pem
% openssl s_server -www -key tls/serverkey.pem -cert tls/server.pem \
 -CAfile tls/ca.pem -tls1 
...
% openssl-0.9.8zd s_client -showcerts -connect localhost:4433 -key tls/key.pem \
 -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 /O=Boot2DockerCA
verify return:1
depth=0 /O=Boot2Docker
verify return:1
...
% openssl-1.0.2d s_client -showcerts -connect localhost:4433 -key tls/key.pem \
 -cert tls/cert.pem -CAfile tls/ca.pem -tls1 </dev/null # works
depth=1 O = Boot2DockerCA
verify return:1
depth=0 O = Boot2Docker
verify return:1
...


—Matt


On Aug 4, 2015, at 17:05, Stephen Henson via RT r...@openssl.org wrote:

> On Tue Aug 04 18:25:25 2015, m...@bogosian.net wrote:
>
>> Please let me know if you have any questions, and I'd be happy to
>> elaborate.
>
>
> Can you attach examples of the two certificates (EE and CA) that exhibit this
> problem?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org





Attachment: fail1.tar.gz (GNU Zip compressed data)
Attachment: fail2.tar.gz (GNU Zip compressed data)
Attachment: succ.tar.gz (GNU Zip compressed data)



