https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html
The linked documents didn’t say the APIs must be called on *client* side, and it works fine in my code on both client and server side. I am under the impression that there is no asymmetry in terms of *sending* side chain building for client and server side, what you said below means client side always sends *partial* chain to server side? Thanks. From: Salz, Rich via openssl-users<mailto:openssl-users@openssl.org> Sent: Friday, April 21, 2017 3:37 PM To: openssl-users@openssl.org<mailto:openssl-users@openssl.org> Subject: Re: [openssl-users] Certificate chain validation You are asking two different questions. The certificates that the *client* sends are specified by the various “use certficiate” API’s. No chain is built. See doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain file” API. As for what the *server* does, it tries to use what the client sends and build a chain up to one of the certificates that is in the local, server, trust store. The API’s are a bit different for 1.0.2 than for 1.1.0
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
