Certificate chain broken

Certificate chain broken

Mithun Kumar
Hello All,

I am working on getting my client connected to Microsoft SQL Server. The handshake fails after the server hello. I keep getting the error Subject Issuer Mismatch:

/* Excerpt from OpenSSL's X509_check_issued(): the first test it performs */
int X509_check_issued(X509 *issuer, X509 *subject)
{
    if (X509_NAME_cmp(X509_get_subject_name(issuer),
                      X509_get_issuer_name(subject)))
        return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
    /* ... remaining checks of the original function not quoted ... */
}

Here are my certificate chain details:

Root Certificate----

Subject Name:- CN = nc-panthers, DC = sso, DC = raldev, DC = com

Issuer Name :- CN = nc-panthers, DC = sso, DC = raldev, DC = com

---------------------------------------------------

Client certificate, which is signed by the root certificate:

Subject Name:- CN = nc-win2008x64.americas.prog.com, OU = QA, O = DD, L = Morrisville, S = NC, C = US

Issuer Name :- CN = nc-panthers, DC = sso, DC = raldev, DC = com

I am confused, is the chain broken? Any inputs will be of great help.

-mithun




Re: Certificate chain broken

Ryan Hurst-3
I think the only cases you will get this are:
A. A name mismatch in the certificates exists; it's a binary compare, so the smallest change can cause this.

B. Key mismatch: name looks good but keys are bit as expected.

Ryan
Sent from my iPhone



Re: Certificate chain broken

Mithun Kumar


Thanks for the quick reply. Can you please elaborate?






Re: Certificate chain broken

Mithun Kumar
I will elaborate. For

X509_get_subject_name(issuer) = "CN = nc-win2008x64.americas.prog.com, OU = QA, O = DD, L = Morrisville, S = NC, C = US"

X509_get_issuer_name(subject) = "Issue:- CN = nc-panthers, DC = sso, DC = raldev, DC = com"

This is causing the subject name and issuer name mismatch. Any inputs on what the correct way should be for chained certificates?

-mithun







RE: Certificate chain broken

Dave Thompson-5
>From: [hidden email] On Behalf Of Mithun Kumar
>Sent: Wednesday, 08 August, 2012 16:53
Note: individual recipient dropped; that's poor netiquette
unless requested, which AFAICS it wasn't.
I think this should be -users not -dev, so I added -users back.

>I will elaborate. For
>X509_get_subject_name(issuer) = "CN = nc-win2008x64.americas.prog.com, OU = QA, O = DD, L = Morrisville, S = NC, C = US"
>X509_get_issuer_name(subject) = "Issue:- CN = nc-panthers, DC = sso, DC = raldev, DC = com"
[in X509_check_issued]

Is that really your client cert, as you said in your first post,
or your *server* cert? That CN form is typical for a server. If so,
this is almost certainly the first call made in x509_verify_cert
(x509_vfy.c line 207 in 1.0.1c) to test IF the cert is self-issued.
Since your cert is obviously not self-issued, it is entirely correct
this particular call should return an "error"; the calling code
just uses that "error" to decide what to do next, it doesn't fail.
You need to investigate what happens *next*; X509_verify_cert should
proceed to build out the chain, which in your case should be one more
cert (the root), and then verify the chain.

If it's really your client cert, then ssl3_output_cert_chain
uses X509_verify_cert to build out the chain (but not really
verify it) so it similarly should mismatch on the first call,
and should then proceed to build the chain if it can.

Can you use (or are you using) commandline s_client to test?
That can display a good deal of information about what is
happening (at least -state, possibly -msg or -debug) which
may narrow this down faster than stepping through code.

>This is causing the subject name and issuer name mismatch. Any inputs
>on what the correct way should be for chained certificates?

>On Thu, Aug 9, 2012 at 1:53 AM, Ryan Hurst <[hidden email]> wrote:

>I think the only cases you will get this are:
>A. A name mismatch in the certificates exists; it's a binary compare, so
>the smallest change can cause this.

Not entirely. The X509_NAME_cmp comparison is an exact compare
of *canonicalized* copies of the DN. This allows for some minor
encoding differences. But nothing more than that.

>B. Key mismatch: name looks good but keys are bit as expected.

I don't know what that was supposed to mean. X509_check_issued
also checks AKI if present, but not at the source line OP cited.
It doesn't check actual key values, or signatures, at all.
The *calling* routine, X509_verify_cert, does check signatures
(at least normally, it's a pointer you might be able to override)
which implicitly checks issuer keys and signatures are supported.
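A reproduction of the chain shape and of the checks discussed in this thread, added here as an example; it is not code from the thread or from OpenSSL's sources. It assumes the openssl command-line tool is on PATH; the file names and the helper functions (dn, self_issued, issued_by, chain_verifies, chain_alone) are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSL's sources: rebuild the chain
# shape Mithun describes (self-signed root, server cert signed by it) with the
# openssl CLI and run the checks X509_verify_cert performs, outside the app.
# Assumes openssl is on PATH; file names here are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root: subject == issuer, like "CN = nc-panthers, DC = ..."
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/DC=com/DC=raldev/DC=sso/CN=nc-panthers" -days 365 >/dev/null 2>&1

# Server certificate request, then signed by the root
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/C=US/ST=NC/L=Morrisville/O=DD/OU=QA/CN=nc-win2008x64.americas.prog.com" \
  >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out srv.pem -days 365 >/dev/null 2>&1

# Print one DN in RFC 2253 form (a readable stand-in for the canonical DN
# that X509_NAME_cmp compares); $2 is -subject or -issuer
dn() { openssl x509 -in "$1" -noout -nameopt RFC2253 "$2" | sed 's/^[a-z]*=//'; }

# First X509_check_issued call in X509_verify_cert: is the cert self-issued?
# For a leaf this "fails", and that failure is expected.
self_issued() { [ "$(dn "$1" -subject)" = "$(dn "$1" -issuer)" ]; }

# Chain-building step: the leaf's issuer against the candidate issuer's
# subject. Note the direction: issuer OF THE LEAF vs subject OF THE ISSUER.
issued_by() { [ "$(dn "$1" -issuer)" = "$(dn "$2" -subject)" ]; }

# Full chain build plus signature check, which is what actually matters
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# Same, but with no trust anchor available at all
chain_alone() { openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1; }

self_issued root.pem && echo "root: self-issued"
self_issued srv.pem || echo "server: not self-issued (mismatch here is normal)"
issued_by srv.pem root.pem && echo "server issuer == root subject"
chain_verifies srv.pem root.pem && echo "server chains to root: OK"
chain_alone srv.pem || echo "server alone: chain build fails, no issuer found"
```

The leaf failing the self-issued pre-check while chaining fine to the root is the situation Dave describes; the last line shows the failure that actually breaks a handshake, a missing issuer.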


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]