On Mon, Mar 29, 2010, Lia Ipe wrote:

> Hi,
>
> I couldn't find sufficient information on this from the online openssl man
> pages, or in any of the discussion forums, so I was hoping someone here
> would be able to clarify.
>
> I am using openssl as part of my application for verifying certificates sent
> by the server. However, when the server switched to using verisign
> intermediate certificates instead of root certificates, the application
> returned openssl verify error X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN and
> failed to establish connection.
>
> I understand that this is because the root ca cannot be found as part of the
> certificate chain.
>
> My Question is:
>
> Does openssl currently support the addition of intermediate certificates to
> the trusted certificate store of an ssl_ctx object? If so, how can this be
> done?
>
> I have read that this was a limitation earlier. Will this solve my problem
> as the server does not provide the necessary root ca in the chain?

Actually getting that error (as opposed to couldn't get local issuer
certificate) implies the server *is* sending the root CA in the chain.

The intermediate isn't the issue here: it looks like there is a different root
involved. Once you add that root it should verify just fine.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
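
The distinction drawn in the reply, reproduced with the `openssl` command-line tool as an added example that is not part of the original thread: a chain that ends in a root the client does not trust fails with error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN), a chain sent without any root fails with error 20 (unable to get local issuer certificate), and adding the right root to the client store makes verification succeed. The CA names, file names and throwaway keys are constructed for the demo, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added demo: throwaway PKI built on the fly; all names and subjects are constructed.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT

# Build root A -> intermediate -> leaf, plus an unrelated root B, inside $1.
make_pki() (
  cd "$1" || exit 1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > demo.cnf
  for r in rootA rootB; do
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout "$r.key" -out "$r.pem" -subj "/CN=Demo $r" -days 2 || exit 1
  done
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout int.key \
    -out int.csr -subj "/CN=Demo Intermediate" || exit 1
  openssl x509 -req -in int.csr -CA rootA.pem -CAkey rootA.key -set_serial 2 \
    -extfile demo.cnf -extensions v3_ca -days 2 -out int.pem || exit 1
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=server.example" || exit 1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 \
    -days 2 -out leaf.pem || exit 1
  cat int.pem rootA.pem > sent_with_root.pem   # what the server sends besides the leaf
  cat rootA.pem rootB.pem > store_fixed.pem    # client store after adding root A
) >/dev/null 2>&1

# Echo the first verify error number, or 0 when the chain verifies.
# $1 = client trust store, $2 = extra certs sent by the server (untrusted)
verify_code() {
  out=$(openssl verify -CAfile "$work/$1" -untrusted "$work/$2" "$work/leaf.pem" 2>&1) &&
    { echo 0; return; }
  printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# The client trusts only root B in the first two cases.
case_foreign_root() { verify_code rootB.pem sent_with_root.pem; }        # root A sent: 19
case_missing_root() { verify_code rootB.pem int.pem; }                   # no root sent: 20
case_root_added()   { verify_code store_fixed.pem sent_with_root.pem; }  # root A trusted: 0

make_pki "$work" || exit 1
echo "root in chain, not trusted: error $(case_foreign_root)"
echo "no root sent, none trusted: error $(case_missing_root)"
echo "root A added to the store:  error $(case_root_added)"
```

In application code the equivalent of `-CAfile` is loading the root into the SSL_CTX trust store, for example with `SSL_CTX_load_verify_locations()`.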