Sorry, accidentally skipped that part, which was sort of important. I think I can use the same fix because the part I skipped is the problem:

    X509 *cert;
    cert = PEM_read_X509(fp, NULL, 0, NULL);
    status = X509_STORE_add_cert(trusted_store, cert);

So, I need to do this sequence:

    X509 *empty_X509;
    empty_X509 = X509_new_ex(non_fips_libctx, NULL);
    mycert = PEM_read_X509(fp, &empty_X509, 0, NULL);

to set things up correctly, with the appropriate library context.

My apologies, thanks for pointing out my small brain. This could lead to some tricky changes as currently I set up the trust store before I know if the user wants FIPS or not. I may just set up two stores, or I need to change the order of how I do things.

Thanks,
Jason

________________________________
From: Tomas Mraz <to...@openssl.org>
Sent: Friday, November 5, 2021 1:52 PM
To: Jason Schultz <jetso...@hotmail.com>; openssl-users@openssl.org <openssl-users@openssl.org>
Subject: Re: Establishing connection errors

On Fri, 2021-11-05 at 13:48 +0000, Jason Schultz wrote:
> For setting up the trusted store, when the application starts, it
> calls:
>
> ssl_trusted_certs = X509_STORE_new()
>
> ...and then reads all of the certificates in /etc/ssl/certs/ calling
> X509_STORE_add_cert(trusted_store,cert);
>
> ..for each one.

How do you read the certs? They need to be loaded with the appropriate libctx. Or you can use for example the X509_STORE_load_file_ex() function to load a file directly with a libctx.

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]