
Re: isakmpd & ca cert woes



On Thu, 12 Jul 2001, Philipp Buehler wrote:

> On 11/07/2001, Damien Miller <djm@mindrot.org> wrote To tech@openbsd.org:
> > I couldn't for the life of me figure out why authentication was failing
> > (with error "rsa_sig_decode_hash: received CERT can't be validated"),
> > until I synced the clocks.
>
> error-messages :P
>
> Wouldn't it be possible to give the reason *why* the validation failed?
> Or is the time already in a whole hashchunk, so it can't be determined
> which part is wrong?

The validation check happens deep inside X509_verify_cert() in libcrypto.
It should be possible to add some verbosity, but OpenSSL's error reporting
functions make my head spin.

-d

-- 
| Damien Miller <djm@mindrot.org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer