Certificate verify failed on big-endian (Intel IXP425)
A few days ago I posted to openssl.users the message i attach below.
I have done some more research and after seeing that the ssl code works
on a little endian pc with 0.9.6, the problem is:
- with the big-endian Intel IXP425 ARM running 0.9.6
- the code of the application (SER, voip proxy, with TLS).
I have seen a few discussions about endiannes, about some test failing
The next thing i would like to try is to cross-compile OpenSSL 0.9.7
for the IXP425 and install the new libraries.
What is the safest way to avoid all conflicts, even big a
Certificate verify failed ... incompatible versions 0.9.6m-engine and
I am testing an application, which is a server and a client at the same
time, connecting or receiving connections from the same application
running on other machines.
It all worked fine as long as:
- All used v.0.9.7d
- All of them were running on a i386 pc on debian linux (kernel 2.6.x).
Now ... i managed to get the application to run on an ARM embedded
system (intel ixp425, but different host byte order), which for now
only has openssl version 0.9.6m installed.
As said, it all would work fine ... till this ARM with openssl 0.9.6
came into play. Now, I cannot connect or accept connections from/to the
If i do an ssl_connect (to a pc-based host), i get:
* error: 14090086: SSL routines: SSL3_GET_SERVER_CERTIFICATE:
certificate verify failed ... on the ARM-host
If i do an ssl_accept (incoming connect from a pc-based host to the
arm-host), i get:
* error: 140890B2: SSL routines: SSL3_GET_SERVER_CERTIFICATE: no
certificate returned ... on the ARM-host
I have set VERIFY_PEER and VERIFY_PEER_ONCE, with no verification
callback (pointer set to NULL).
The certificates and configurations work (root CA is self-signed;
server certificates, also used as client certs, are directly signed by
root CA, and contain some private X509v3 extensions).
On the ARM host i cannot do "openssl verify" ... i only have the
libraries, not the binaries for the platform.
Things i thought about: i am missing something which 0.9.7 does
automatically and 0.9.6 doesn't; a question of byte-order on the hosts;
the x509v3 private extensions; the self-signed root ca cert in 0.9.6;