To whomever may have an answer,

I am writing a multi-threaded SSL/TLS proxy server for my work. I recently replaced my OpenSSL version, 0.9.8g, with 1.0.0a. In this application I need to verify the server certificate, otherwise all the security will be bypassed. However, when I use SSL_get_verify_result() I almost always get an error code "20 unable to get local issuer certificate." This is almost always at depth 0, and sometimes at depth 1. I am loading the certificate stores from /etc/ssl/certs, which contains the stores that Mozilla, Chrome, and the like all verify from, but no matter what I do I can't get a single certificate to verify. When I revert to OpenSSL 0.9.8g I can successfully verify several certificates, but I still get the same error code for about half of the websites I try that are known to be valid (e.g. www.gmail.com:443).

This is not just a difference in my program either: in both s_client and verify from the command line, 0.9.8g will return an X509_V_OK code, and 1.0.0a will return error 20. I am completely at a loss as to why this is. I am not so much concerned with getting the command line to work as I am with my program. I can't post my code because of a non-disclosure agreement, but I will post the steps that I am taking that are relevant to verify.

Before I create any SSL objects I am setting up the context:

    // Load the CA directory; OpenSSL looks up issuers here by hashed filename.
    if ((SSL_CTX_load_verify_locations(_ssl_ctx, NULL, "/etc/ssl/certs/")) != 1)
        cout << "couldn't load verify locations" << endl;
    // Also add the compiled-in default CA file/directory.
    if ((SSL_CTX_set_default_verify_paths(_ssl_ctx)) != 1)
        cout << "couldn't load defaults" << endl;
    // This is set to none because if set to PEER no connections can be made
    // because of the invalid cert
    SSL_CTX_set_verify(_ssl_client_ctx, SSL_VERIFY_NONE, verify_callback);
    // Allow chains of up to 9 intermediates.
    SSL_CTX_set_verify_depth(_ssl_ctx, 9);

verify_callback is defined as this:

    // Called once per certificate in the chain; ok is 0 when that
    // certificate failed a check. Returning ok leaves the outcome unchanged.
    static int verify_callback(int ok, X509_STORE_CTX* store)
    {
        if (!ok) {
            X509 *cert = X509_STORE_CTX_get_current_cert(store);
            int depth = X509_STORE_CTX_get_error_depth(store);
            int err = X509_STORE_CTX_get_error(store);
            cout << "Error at depth: " << depth << endl;
            cout << "Error Text: " << X509_verify_cert_error_string(err) << endl;
        }
        return ok;
    }

After this, I read the verification code when I obtain the cert:

    X509 *server_cert = SSL_get_peer_certificate(server_ssl);
    if (!server_cert) {
        // couldn't get certificate, exit here
        exit(1);
    }
    // Result of the chain verification performed during the handshake.
    long certValid = SSL_get_verify_result(server_ssl);
    if (certValid == X509_V_OK)
        cout << endl << "Certificate is valid" << endl;

If you need any more information please let me know and I will post what I can. Thank you in advance for the help.

Thanks,
Sam

--
Sam Jantz
Software Engineer
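An added diagnostic, not part of Sam's post: OpenSSL 1.0.0 changed the algorithm behind the hashed filenames that SSL_CTX_load_verify_locations() looks up in a CApath directory, so a /etc/ssl/certs whose links were generated by a 0.9.8 c_rehash produces error 20 under 1.0.0 even though the same files verify under 0.9.8. The shell function below, assuming the openssl binary on PATH is the same version the program links against, reports which certificates in a directory have no link for the current hash.

```shell
# Added example, not code from the original post.
# Assumption: the "openssl" on PATH is the version the proxy links against,
# so "-subject_hash" reproduces the filename the library will look for.

# capath_check DIR
# For every PEM/CRT file in DIR, compute the subject hash with the installed
# openssl and check that DIR contains a "<hash>.N" link for it.
# Prints one line per file; returns 0 if every file has a link, 1 otherwise.
capath_check() {
    dir=$1
    missing=0
    for pem in "$dir"/*.pem "$dir"/*.crt; do
        [ -e "$pem" ] || continue
        # Hash as computed by the current openssl (new algorithm in 1.0.0+).
        hash=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null) || continue
        # Hash as 0.9.8 computed it; only available in 1.0.0+ builds.
        old=$(openssl x509 -in "$pem" -noout -subject_hash_old 2>/dev/null)
        found=0
        for link in "$dir"/"$hash".[0-9]*; do
            [ -e "$link" ] && found=1 && break
        done
        if [ "$found" -eq 1 ]; then
            printf 'OK       %s -> %s\n' "$pem" "$hash"
        else
            missing=1
            printf 'MISSING  %s  (new hash %s, old hash %s)\n' "$pem" "$hash" "${old:-?}"
        fi
    done
    return $missing
}
```

If it reports MISSING entries whose old hash does match an existing link, rerunning c_rehash from the new installation regenerates the links for the new algorithm.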