Hi,

The only thing I see in your code is that, inside the while block, you are
not setting the CA variable to the next element of the list Gl_listeCA.
Thus, at the second loop you will always get an error when calling
X509_STORE_add_cert because CA->x509 is pointing to the same certificate
as in the previous loop.
Can you confirm that the code is really like this? Does the working
application have the same code?

Cheers,
-- 
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On Thu, May 29, 2008 8:24 pm, Francis GASCHET wrote:
> Sorry for the double ;-)
> Hello,
>
>
> I'm getting crazy!
> In one application I insert CA certificates and CRLs in the X509_STORE.
> This store is included in the SSL_CTX. No problem. The certificate
> verification process during handshake runs like a charm.
>
> In a second application, I create an X509_STORE and try to insert my CA
> certificates and CRL lists, and right at the FIRST insertion of a CA I get:
> error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
>
> It is not possible: the store is empty!
>
> I even tried to create a dummy SSL_CTX and use its store like I do in
> the other application (I imagined that the SSL_CTX creation might do
> some initialisation in the store...): same result.
> I.e., the same code runs smoothly in one application and not in the
> second one!
>
> I compared the compilation environment (command parameters, includes)
> and didn't find any significant difference, except that the second
> application is compiled with the option "-D_FILE_OFFSET_BITS=64". Could
> it be the cause of my misery ???
>
> Hereafter is the code :
>
>
> #include <openssl/ssl.h>
>
>     if ( (G_store = X509_STORE_new()) == NULL){
>         trace_s(O_UTL, 0, LV_ERR, "Erreur à l'allocation du X509_STORE pour CAs et CRLs.");
>         return(-1);
>     }
>     CA = Gl_listeCA;
>     while (CA != NULL){
>         if (!(err = X509_STORE_add_cert(G_store, CA->x509))) {
>             trace_si(O_UTL, 0, LV_ERR, "Erreur à l'insertion d'un certificat dans le STORE.CA N° :", CA->num);
>             X509_NAME_oneline(X509_get_subject_name(CA->x509), bid, sizeof(bid)-1);
>             trace_ss(O_UTL, 0, LV_ERR, "        Sujet      :", bid);
>             X509_NAME_oneline(X509_get_issuer_name(CA->x509), bid, sizeof(bid)-1);
>             trace_ss(O_UTL, 0, LV_ERR, "        Sujet      :", bid);
>             trace_si(O_UTL, 0, LV_ERR, "Erreur :", err);
>             err = ERR_get_error();
>             trace_ss(O_UTL, 0, LV_ERR, "    ", ERR_error_string(err, NULL));
>             flush_trace();
>          }
>      }
>
> The "CA" is a structure containing the certificate in 2 formats: DER
> and the internal X509 structure, and some other information. Gl_listeCA
> is a global chained list of these structures. It's the same architecture
> in the running application.
> The X509 looks correct: the subject and the issuer are extracted
> without any problem in order to print details on the error.
>
> Compilation parameters :
> gcc -c -g -ggdb -D_FILE_OFFSET_BITS=64 -Wno-comment -Wno-unused -ansi
> -D_BSD_SOURCE -D_XOPEN_SOURCE -Dunix
>
> Both applications are linked with libcrypto and libssl 0.9.8
>
> Thanks in advance for any clue !
>
> --
> Francis GASCHET / NUMLOG
> http://www.numlog.fr
> Tel.: +33 (0) 130 791 616
> Fax.: +33 (0) 130 819 286
>
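
The loop defect described in the reply, shown side by side with a corrected traversal. This is an added example, not code from the thread or from OpenSSL. Assumptions: `toy_store` is a stand-in for X509_STORE that rejects duplicates as the quoted error indicates, the link field is named `next`, and the CA identifiers are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Toy stand-in for X509_STORE (not OpenSSL code): holds certificate ids. */
struct toy_store { const char *ids[8]; size_t n; };
/* CA list element; the link field name `next` is an assumption. */
struct ca_node { int num; const char *cert_id; struct ca_node *next; };

/* Models the add call: 1 on success, 0 on duplicate or when full. */
static int toy_store_add(struct toy_store *s, const char *id) {
    size_t i;
    for (i = 0; i < s->n; i++)
        if (strcmp(s->ids[i], id) == 0) return 0;   /* already in the store */
    if (s->n == 8) return 0;
    s->ids[s->n++] = id;
    return 1;
}

/* Loop as posted: ca never advances. As shown on the page it would never
 * terminate, so max_iter bounds it here. Returns the failed insertions. */
int load_as_posted(struct toy_store *s, struct ca_node *ca, int max_iter) {
    int failures = 0;
    while (ca != NULL && max_iter-- > 0)
        if (!toy_store_add(s, ca->cert_id)) failures++;
    return failures;
}

/* Corrected loop: step to the next list element on every pass. */
int load_fixed(struct toy_store *s, struct ca_node *ca) {
    int failures = 0;
    for (; ca != NULL; ca = ca->next)
        if (!toy_store_add(s, ca->cert_id)) failures++;
    return failures;
}

/* Constructed three-element list used by the demo functions. */
static struct ca_node c3 = {3, "CN=Constructed CA 3", NULL};
static struct ca_node c2 = {2, "CN=Constructed CA 2", &c3};
static struct ca_node c1 = {1, "CN=Constructed CA 1", &c2};

int demo_posted_failures(void) { struct toy_store s = {{0}, 0}; return load_as_posted(&s, &c1, 5); }
int demo_fixed_failures(void)  { struct toy_store s = {{0}, 0}; return load_fixed(&s, &c1); }
int demo_fixed_stored(void)    { struct toy_store s = {{0}, 0}; load_fixed(&s, &c1); return (int)s.n; }
```

With the posted loop, the first pass succeeds and every later pass re-adds the same first certificate, so the duplicate error is reported against the first CA even though the store started empty.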

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
