Description of problem: Using the same valid CA set (attached ca-bundle.crt) and the latest version of openssl on RHEL3, the certificate is checked as not valid. Version-Release number of selected component (if applicable): $ openssl version OpenSSL 0.9.7a Feb 19 2003 How reproducible: Always. Steps to Reproduce: 1.openssl s_client -connect https_server:443 -CAfile ca-bundle.crt Actual results: depth=1 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root verify error:num=24:invalid CA certificate verify return:0 CONNECTED(00000003) (see attachement for more details - test_ko.txt) Expected results: depth=2 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware verify return:1 depth=1 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root verify return:1 depth=0 /C=DE/postalCode=35435/ST=Hessen/L=Wettenberg/streetAddress=Im Westpark 8/O=ibo Software/OU=Hosted by Secure-Netz/OU=Hosted by Secure-Netz/OU=InstantSSL/CN=projekte.ibo.de verify return:1 CONNECTED(00000003) (see attachement for more details - test_ok.txt) Additional info: The issue seems to be in the x509 validation code. However copying "crypto/x509/*" , "crypto/evp/evp.h" and "crypto/x509v3/v3_purp.c" from version 0.9.7f to version 0.9.7e fixed the problem.
Created attachment 133467 [details] test_ko : failure using RHEL3's openssl.
Created attachment 133468 [details] test_ok : success using RHEL4's openssl.
Created attachment 133470 [details] projekte.ibo.de site certificate
Created attachment 133741 [details] This patch should fix the issue The patch improves handling of certificates with EXFLAG_NSCERT set.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Fixed in openssl-0.9.7a-43.16.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0297.html