Try commenting out the next line:
if (sk_X509_num(ctx->chain) == 1)
The following code block checks for an exact match of the EE certificate, but
it is currently only performed if there is only one certificate in the chain.
Commenting out that line means it tries to match unconditionally.
Since there is an else branch to the if clause, I changed the code to
if (1 || sk_X509_num(ctx->chain) == 1)
instead of removing the check so that the if branch is always taken.
Case 1: % openssl verify -partial_chain -CApath /etc/openssl/certs lc-sfbay-02.pem
This command was not affected by the change since "if (ctx->check_issued(ctx, x, x))", one line above the changed code, returned 0, and it didn't even get to the changed code.
Case 2: % openssl s_client -connect lc-sfbay-02:636 -verify 9 -partial_chain -CApath /etc/openssl/certs
With this code, the if branch is taken and it now calls
X509_STORE_CTX_get1_issuer().
However, X509_STORE_CTX_get1_issuer() returns failure. When I traced the call, it tries to open c0ff1f52.0, which is the root CA's certificate.
I tried supplying "-CAfile", but that didn't change anything.
% openssl s_client -connect lc-sfbay-02:636 -verify 9 -partial_chain -CAfile lc-sfbay-02.pem -CApath /etc/openssl/certs
Any idea what's going wrong?
Thank you
-- misaki
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
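An added shell demonstration (not from this thread and not OpenSSL project code) of the lookup behaviour behind the failing X509_STORE_CTX_get1_issuer() call: a throwaway root -> intermediate -> leaf chain is generated, each trust directory is populated under the <subject_hash>.0 filenames that -CApath opens (the c0ff1f52.0-style name in the trace), and -partial_chain is shown to succeed only when the leaf's direct issuer is itself present in that directory. The certificate names and the temporary directory are constructed for the example.

```shell
# Added example: subject-hash CApath directories and -partial_chain.
# Constructed chain: Demo Root -> Demo Intermediate -> Demo Leaf.
set -eu
WORK=$(mktemp -d)

gen_chain() {
  (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
      -subj "/CN=Demo Root" -keyout root.key -out root.pem 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >ca.ext
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate" \
      -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -sha256 -extfile ca.ext -out int.pem 2>/dev/null
    printf 'basicConstraints=CA:FALSE\n' >ee.ext
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Leaf" \
      -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -sha256 -extfile ee.ext -out leaf.pem 2>/dev/null
  )
}

# Install PEM files into a CApath directory as <subject_hash>.0, the filename
# the hash-dir lookup opens when it searches for a certificate's issuer.
make_capath() {
  dir=$1; shift
  mkdir -p "$dir"
  for pem in "$@"; do
    cp "$pem" "$dir/$(openssl x509 -subject_hash -noout -in "$pem").0"
  done
}

# Print OK or FAIL for a partial-chain verification of the leaf against $1.
verify_leaf() {
  if openssl verify -partial_chain -CApath "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

gen_chain
make_capath "$WORK/root_only" "$WORK/root.pem"      # issuer of the leaf is absent
make_capath "$WORK/intermediate" "$WORK/int.pem"    # leaf's issuer is a trust anchor
echo "root only (intermediate missing): $(verify_leaf "$WORK/root_only")"   # FAIL
echo "intermediate as trust anchor:     $(verify_leaf "$WORK/intermediate")" # OK
```

The first case reproduces the "no issuer in the store" situation: with only the root installed, the lookup for the leaf's issuer hash finds nothing, so -partial_chain cannot terminate the chain and verification fails.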