[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openssl-users
Subject:    Re: Problem verifying certificates [was: CPS object .....]
From:       George Staikos <staikos () 0wned ! org>
Date:       2001-07-25 14:53:21
[Download RAW message or body]

On Wednesday 25 July 2001 05:55, Jean-Marc Desperrier wrote:
> George Staikos wrote:
> > On Tuesday 24 July 2001 20:26, George Staikos wrote:
> > >    I've been noticing many problems with some new certificates which
> > > are being issued by Entrust and Verisign.
> >
> >    Actually I looked it over more closely and it's not that a "/CPS"
> > field is there, but that they have "www.verisign.com/CPS" in the OU
> > field.  Anyhow, things are very corrupt still.  Text output of one of
> > these certs results in lots of garbage.
>
> Verisign certificates have this since very long.
> This is not the source of your problem.
>
> You should send the certificate to the list to get a diagnostic of what is
> going wrong.
>
> I'm surprised about what you're describing, are you sure this is not just a
> stupid error like forgetting to use the -inform der parameter ?

   Ok here are the der-encoded certificates extracted from cert7.db for 
Verisign and Equifax (note it's _not_ entrust as I mistakenly said above).  I 
don't remember which is the exact correct one for Verisign so I sent all the 
class 3 certificates.  

I also attached wellsfargo.pem and ibm.pem along with text versions.  These 
were the certificates presented in a web session which I captured and saved 
to disk.

Trying to verify these pem files against the CA files I gave fails.  Netscape 
can verify them just fine though, and all certificates I've come across which 
aren't signed by these CA files seem to work fine too.  A lot of people have 
seen this problem recently.

The wellsfargo.txt looks very corrupt to me btw.  As does the Equifax CA file 
(#26).

-- 

George Staikos

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic