certificate verification error OpenSSL 1.1.1


certificate verification error OpenSSL 1.1.1

shiva kumar

When I tried to verify the self-signed certificate in OpenSSL 1.0.2 it gives error 18 and gives OK as o/p; when I tried the same with OpenSSL 1.1.1 there is a slight change in the behavior: it also gives the same error, but instead of OK it gives a different error, "ca.crt: verification failed", as follows.

in OpenSSL 1.0.2

openssl verify ./ca.crt
error 18 at 0 depth lookup:self signed certificate
OK

in OpenSSL 1.1.1

openssl verify ./ca.crt
error 18 at 0 depth lookup:self signed certificate
error /tmp/1.1/conf/ssl.crt/ca.crt: verification failed
# echo $?
2

Why am I getting this error? Is this expected behavior in OpenSSL 1.1.1?

Please answer my question.




--
With Best Regards
Shivakumar S

Re: certificate verification error OpenSSL 1.1.1

shiva kumar
Hi,
Please help me, is this an expected behavior?

On Mon, Mar 2, 2020 at 1:48 PM shiva kumar <[hidden email]> wrote:


--
With Best Regards
Shivakumar S

Re: certificate verification error OpenSSL 1.1.1

Dmitry Belyavsky-3
First, I recommend you not to hurry up :)

Second, the validation procedures have changed between 1.0.2 and 1.1.1; 1.1.1 checks more strictly.
E.g., a self-signed certificate without "CA:TRUE" will be treated as a valid CA cert in 1.0.2 but not as valid in 1.1.1.



On Mon, Mar 2, 2020 at 12:01 PM shiva kumar <[hidden email]> wrote:


--
SY, Dmitry Belyavsky

Re: certificate verification error OpenSSL 1.1.1

shiva kumar
Hi,
Can you please tell me more about:
1) How do I verify a self-signed (.crt) key in OpenSSL 1.1.1?
2) Can a key generated by OpenSSL 1.0.2 be used to connect with OpenSSL 1.1.1 and vice versa?

Thanks and regards
Shivakumar

On Mon, Mar 2, 2020 at 2:36 PM Dmitry Belyavsky <[hidden email]> wrote:


--
With Best Regards
Shivakumar S

Re: certificate verification error OpenSSL 1.1.1

Viktor Dukhovni
On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:

> when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it
> is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
> 1.1.1 there is slight change in the behavior it also gives the same error,
> but instead of OK it gives different error as "*ca.crt: verification failed*"
> as follows.

The 1.1.1 behaviour is correct.  But you also don't seem to have a clear
idea of what it means to "verify" a self-signed certificate.  Indeed
most likely you don't actually want to verify it at all, and are really
trying to solve some other problem, which you've decided involves verifying
the certificate in question.  So it is likely best to describe the
*actual* issue you're trying to solve.

However, that said:

> openssl verify ./ca.crt

This command verifies the certificate in question by trying to find in
the default store a chain of issuers leading up to a trust anchor
(typically a self-signed root CA).

But a self-signed certificate is self-issued, so unless it is itself
present in the trust store, no possible issuer can be found there.  So
verification must always fail, and so it does.

> why I'm getting this error?

Well, ultimately because you don't know what you're trying to do,
but specifically because the certificate is not issued by an
already trusted issuer.

> is this an expected behavior in OpenSSL 1.1.1?

Yes.

--
    Viktor.

Re: certificate verification error OpenSSL 1.1.1

OpenSSL - User mailing list
On 2020-03-03 08:19, Viktor Dukhovni wrote:

> On Mon, Mar 02, 2020 at 01:48:20PM +0530, shiva kumar wrote:
>
>> when I tried to verify the the self signed certificate in OpenSSL 1.0.2 it
>> is giving error 18 and gives OK as o/p, when I tried the same with OpenSSL
>> 1.1.1 there is slight change in the behavior it also gives the same error,
>> but instead of OK it gives different error as "*ca.crt: verification failed*"
>> as follows.
> The 1.1.1 behaviour is correct.  But you also don't seem to have a clear
> idea of what it means to "verify" a self-signed certificate.  Indeed
> most likely you don't actually want to verify it at all, and are really
> trying to solve other problem, which you've decided involves verifying
> the certificate in question.  So it is likely best to describe the
> *actual* issue you're trying to solve.
It depends heavily on whether you formally interpret a self-signed and
self-issued end cert as a CA issuing itself (thus requiring CA:TRUE and
making it invalid as an end cert) or as an end cert with no separate CA
chain (thus requiring CA:FALSE and making it not trusted as a CA for any
other certificate).

Either way, the typical case is to use such a self-signed and self-issued
cert in the various OpenSSL-supported protocols (SSL, TLS, CMS etc.).

> However, that said:
>
>> openssl verify ./ca.crt
> This command verifies the certificate in question by trying to find in
> the default store a chain of issuers leading up to a trust anchor
> (typically a self-signed root CA).
>
> But a self-signed certificate is self-issued, so unless it is itself
> present in the trust store, no possible issuer can be found there.  So
> verification must always fail, and so it does.
>
>> why I'm getting this error?
> Well ultimately because you don't know what you're trying to do,
> but specifically because the certificate is not issued by an
> already trusted issuer.
>
>> is this an expected behavior in OpenSSL 1.1.1?
> Yes.
>
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded