Dear OpenSSL developers,

There are two bugs (1311 & 1422) about X509_NAME_cmp in the RT database,
both discussing that X509_NAME_cmp is not a valid metric anymore:

a < b && a < c does not mean that a < c

While this problem might seem minor (the two bugs were reported back in
2006 and are not even targeted for a release) they can actually cause
X.509 certificate validation to fail. This failure is subtle and
difficult to track down: error reports do not help much as the only
error reported back to the application is "unable to get local issuer
certificate" even though the trusted CA certificate is in the proper
place.

In my case I was loading 123 CA certificates to an X509_STORE and the
subsequent X.509 certificate validation failed, even though the trusted
root CA that signed the certificate being validated was there. The
solution was to remove one of CA certificates (seemingly randomly).

The problem is that X509_STORE->objs is a sorted stack and lookups
perform a binary search on it. However since X509_NAME_cmp() is broken,
this lookup does not always work.

This affects all applications that use a large number of CA certificates
and which care about loading all those certificates themselves instead
of relying on X509_LOOKUP_hash_dir()

Please consider increasing the priority of this bug.

Thanks in advance,

--
Bazsi

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org