On Thu, Jan 11, 2001 at 10:31:44PM -0500, Rob Neff wrote:
> Questions for the SSL code gurus:
>
> When using OpenSSL v.0.9.6 and calling
> SSL_CTX_use_certificate_chain_file() and supplying a .PEM file
> containing the server cert and signing certs, the signing root certs
> do not appear to be sent to the client when using s_client -showcerts.
> Is the chain file a series of concatenated PEM files similar to a file passed
> to SSL_CTX_load_verify_locations()? Does one need to make additional
> function call(s)? I am not getting an error return from the chain call.
> I've read the help docs linked around
> http://www.openssl.org/docs/ssl/SSL_CTX_use_certificate.html#
> My file is sorted starting with the server cert and going up to the
> root cert. I am not calling SSL_CTX_load_verify_locations()
> within my server because I'm not expecting client certs and the help
> docs do not indicate this is required.

Hmm, I have problems reproducing your problem. Please do the following:

  openssl s_client -connect serv01.aet.tu-cottbus.de:imaps

You should see the complete certificate chain sent by the server.
I do use the SSL_CTX_use_certificate_chain_file() (patch for UofW imap-2000a)
and imap-2000a does not support CAs at all.

Best regards,
Lutz
PS. I use it this way myself and only after using and testing it myself
I wrote the manual page :-)
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
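
Added example, not part of the original message and not OpenSSL's own code: a stdlib-only Python check that a PEM chain file is ordered the way the question describes, with the server certificate first and each following certificate being the issuer of the one before it. The certificates are constructed, unsigned stand-ins built inline, names are compared byte for byte (a simplification), and all function names are hypothetical.

```python
import base64, re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der):
    """Return the raw (issuer, subject) Name contents of one DER certificate."""
    _, cert, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)            # tbsCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, val, pos = read_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] != 0xA0:                 # v1 certificate has no [0] version field
        fields.insert(0, (0xA0, b""))
    return fields[3][1], fields[5][1]        # version, serial, sigAlg, ISSUER, validity, SUBJECT

def chain_order_problems(pem_bytes):
    """Indexes i where certificate i was not issued by certificate i+1."""
    names = [issuer_subject(base64.b64decode(m)) for m in PEM_RE.findall(pem_bytes)]
    return [i for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# --- constructed sample data: structure only, no keys or signatures ---
def tlv(tag, body):
    assert len(body) < 128                   # short-form lengths suffice for the sample
    return bytes([tag, len(body)]) + body

def name(cn):                                # Name with a single commonName (OID 2.5.4.3)
    return tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, cn))))

def fake_cert(subject, issuer):
    tbs = (tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + tlv(0x30, b"")
           + name(issuer) + tlv(0x30, b"") + name(subject))
    body = base64.encodebytes(tlv(0x30, tlv(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

LEAF = fake_cert(b"server.example", b"Example Intermediate")
INTER = fake_cert(b"Example Intermediate", b"Example Root")
ROOT = fake_cert(b"Example Root", b"Example Root")
GOOD_CHAIN = LEAF + INTER + ROOT             # server cert first, root last
BAD_CHAIN = LEAF + ROOT + INTER              # intermediate and root swapped

if __name__ == "__main__":
    print("good:", chain_order_problems(GOOD_CHAIN), "bad:", chain_order_problems(BAD_CHAIN))
```
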