Re: [openssl-users] Load secrets to context.

2016-07-27 Thread Jeffrey Walton
>> Scenario 1 - Failing case
>>
>> SSL_CTX_use_certificate_file() : Loaded cert_file
>> SSL_CTX_use_certificate_chain_file() : Loaded chain_file
>
> Doing this makes no sense.  If you're loading the complete chain
> file, there's no reason to first load just the certificate.
>
> Just use SSL_CTX_use_certificate_chain_file(3), debugging incorrect
> usage is not a good use of time.

The best I can tell, it's not an incorrect configuration. The NOTES
section says SSL_CTX_use_certificate_chain_file should be preferred,
but it's not forbidden. Confer
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_use_certificate.html.

Perhaps it's best to address the problem rather than attacking the
user. It's OK to disregard the feedback you are getting, but please
don't attack the users.

Jeff
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Load secrets to context.

2016-07-27 Thread Viktor Dukhovni
On Wed, Jul 27, 2016 at 10:25:42PM +0530, john gloster wrote:

> Scenario 1 - Failing case
> 
> SSL_CTX_use_certificate_file() : Loaded cert_file
> SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Doing this makes no sense.  If you're loading the complete chain
file, there's no reason to first load just the certificate.

Just use SSL_CTX_use_certificate_chain_file(3), debugging incorrect
usage is not a good use of time.

-- 
Viktor.


Re: [openssl-users] Load secrets to context.

2016-07-27 Thread Dr. Stephen Henson
On Wed, Jul 27, 2016, john gloster wrote:

> Thanks Viktor.
> 
> Could you explain the reason in the cases below? These are the cases where we
> use both APIs, as mentioned above.
> 
> cert_file : Server's certificate
> chain_file: Complete certificate chain, starting with the server's certificate,
> followed by the intermediate CA certificate and ending with the Root CA certificate
> 
> 
> Scenario 1 - Failing case
> 
> SSL_CTX_use_certificate_file() : Loaded cert_file
> SSL_CTX_use_certificate_chain_file() : Loaded chain_file
> 
> Test: When I tried to connect to the server, only the server's certificate and
> the Root CA certificate were presented in the CERTIFICATE message of the
> handshake; the intermediate CA certificates were missing.
> 
> 

Do you get an error from either function? Do you get the same behaviour if you
omit SSL_CTX_use_certificate_chain_file()?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


Re: [openssl-users] Load secrets to context.

2016-07-27 Thread john gloster
Thanks Viktor.

Could you explain the reason in the cases below? These are the cases where we
use both APIs, as mentioned above.

cert_file : Server's certificate
chain_file: Complete certificate chain, starting with the server's certificate,
followed by the intermediate CA certificate and ending with the Root CA certificate


Scenario 1 - Failing case

SSL_CTX_use_certificate_file() : Loaded cert_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Test: When I tried to connect to the server, only the server's certificate and
the Root CA certificate were presented in the CERTIFICATE message of the
handshake; the intermediate CA certificates were missing.

Scenario 2 - Successful case

SSL_CTX_use_certificate_file() : Loaded chain_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Test: When I tried to connect to the server, the complete certificate chain was
presented in the CERTIFICATE message of the handshake.

On Wed, Jul 27, 2016 at 10:08 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Wed, Jul 27, 2016 at 09:28:55PM +0530, john gloster wrote:
>
> > Can we use both the following APIs in the same application to load
> > certificate to the SSL context?
> >
> > *SSL_CTX_use_certificate_file()*
> > *SSL_CTX_use_certificate_chain_file()*
>
> For any given certificate chain use either one or the other, but
> in many cases SSL_CTX_use_certificate_chain_file() is the more
> convenient choice.
>
> > If we can how to use them?
>
> ERR_clear_error();
> if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
>     /* Handle error */
> }
> if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
>     /* Handle error */
> }
> if (!SSL_CTX_check_private_key(ctx)) {
>     /* Handle error */
> }
> /* Success */
>
> See the SSL_CTX_use_certificate(3) manpage for a more detailed
> description.
>
> --
> Viktor.
>


Re: [openssl-users] Load secrets to context.

2016-07-27 Thread Viktor Dukhovni
On Wed, Jul 27, 2016 at 09:28:55PM +0530, john gloster wrote:

> Can we use both the following APIs in the same application to load
> certificate to the SSL context?
> 
> *SSL_CTX_use_certificate_file()*
> *SSL_CTX_use_certificate_chain_file()*

For any given certificate chain use either one or the other, but
in many cases SSL_CTX_use_certificate_chain_file() is the more
convenient choice.

> If we can how to use them?

ERR_clear_error();
if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
    /* Handle error */
}
if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
    /* Handle error */
}
if (!SSL_CTX_check_private_key(ctx)) {
    /* Handle error */
}
/* Success */

See the SSL_CTX_use_certificate(3) manpage for a more detailed
description.

-- 
Viktor.