1.0.2beta2 and X.509 certificate verification

1.0.2beta2 and X.509 certificate verification

Roumen Petrov
Hello,
It seems to me the verification logic for X.509 certificates has changed
in a minor release.

$ cd <BUILDDIR>/test

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014
$ openssl verify certCA.ss; echo $?
certCA.ss: C = AU, O = Dodgy Brothers, CN = Dodgy CA
error 18 at 0 depth lookup:self signed certificate
OK
0

$ ../util/opensslwrap.sh version
OpenSSL 1.0.2-beta2-dev xx XXX xxxx
$ ../util/opensslwrap.sh verify certCA.ss; echo $?
certCA.ss: C = AU, O = Dodgy Brothers, CN = Dodgy CA
error 18 at 0 depth lookup:self signed certificate
C = AU, O = Dodgy Brothers, CN = Dodgy CA
error 20 at 0 depth lookup:unable to get local issuer certificate
2
===

There is an extra error with code 20. This may break external applications
with a custom verification callback.

For historic reasons the exit code of the openssl verify command is not used
and to me this is not so important.


Regards,
Roumen Petrov

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]
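
The breakage described in the report above, replayed as an added example (not code from the thread or from OpenSSL): a plain C model of a verify callback that tolerates only error 18 at depth 0, fed the error sequences from the two transcripts. The callback policy, the struct and all function names are assumptions; only the error numbers and depths come from the output shown.

```c
#include <stddef.h>
#include <stdio.h>

/* Numeric values as defined in OpenSSL's <openssl/x509_vfy.h>. */
#define ERR_DEPTH_ZERO_SELF_SIGNED_CERT        18
#define ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY  20

/* One error report as the library would hand it to a verify callback. */
struct report { int error; int depth; };

/* Same contract as an OpenSSL verify callback: return 1 to override the
 * reported problem and continue, 0 to fail verification.
 * Hypothetical application policy: accept a self-signed leaf, nothing else. */
static int app_verify_cb(int preverify_ok, const struct report *r)
{
    if (preverify_ok)
        return 1;
    if (r->error == ERR_DEPTH_ZERO_SELF_SIGNED_CERT && r->depth == 0)
        return 1;
    fprintf(stderr, "rejecting: error %d at depth %d\n", r->error, r->depth);
    return 0;
}

/* Simplified model of the verifier: every reported error goes through the
 * callback, and the first 0 it returns makes the whole verification fail. */
static int replay(const struct report *trace, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!app_verify_cb(0, &trace[i]))
            return 0;
    return 1;
}

/* Constructed traces, built from the two transcripts in the report. */
static const struct report trace_101f[]  = { { ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0 } };
static const struct report trace_102b2[] = { { ERR_DEPTH_ZERO_SELF_SIGNED_CERT, 0 },
                                             { ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0 } };

int verdict_101f(void)  { return replay(trace_101f, 1); }
int verdict_102b2(void) { return replay(trace_102b2, 2); }

int main(void)
{
    printf("1.0.1f trace:      %s\n", verdict_101f()  ? "accepted" : "rejected");
    printf("1.0.2-beta2 trace: %s\n", verdict_102b2() ? "accepted" : "rejected");
    return 0;
}
```

Replaying recorded error sequences through an application's callback in a regression test is one way to notice this kind of change when a new library build is adopted.
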
Re: 1.0.2beta2 and X.509 certificate verification

Dr. Stephen Henson
On Mon, Mar 03, 2014, Roumen Petrov wrote:

> Hello,
> It seems to me the verification logic for X.509 certificates has
> changed in a minor release.
>
> $ cd <BUILDDIR>/test
>
> $ openssl version
> OpenSSL 1.0.1f 6 Jan 2014
> $ openssl verify certCA.ss; echo $?
> certCA.ss: C = AU, O = Dodgy Brothers, CN = Dodgy CA
> error 18 at 0 depth lookup:self signed certificate
> OK
> 0
>
> $ ../util/opensslwrap.sh version
> OpenSSL 1.0.2-beta2-dev xx XXX xxxx
> $ ../util/opensslwrap.sh verify certCA.ss; echo $?
> certCA.ss: C = AU, O = Dodgy Brothers, CN = Dodgy CA
> error 18 at 0 depth lookup:self signed certificate
> C = AU, O = Dodgy Brothers, CN = Dodgy CA
> error 20 at 0 depth lookup:unable to get local issuer certificate
> 2
> ===
>
> There is an extra error with code 20. This may break external
> applications with a custom verification callback.
>
> For historic reasons the exit code of the openssl verify command is not
> used and to me this is not so important.
>

Should be fixed now, thanks for the report.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org