On Fri, Aug 06, 2010, Sam Jantz wrote:
> To whomever may have an answer,
>
> I am writing an SSL/TLS proxy server for my work that is multi-threaded.
> I recently replaced my OpenSSL version with 1.0.0a from 0.9.8g. In this
> application I need to verify the server certificate, otherwise all the
> security will be bypassed. However, when I use SSL_get_verify_result() I
> almost always get an error code "20 unable to get local issuer certificate."
> This is almost always at depth 0, and sometimes depth 1.
> I am loading the certificate stores from /etc/ssl/certs, which contains
> the stores that mozilla, chrome, and the like all verify from, but no matter
> what I do I can't get a single certificate to verify.
> When I revert to OpenSSL 0.9.8g I can successfully verify several
> certificates, but I still get the same error code for about half of the
> websites I try, which are known to be valid (e.g. www.gmail.com:443).
>
> This is not just a difference in my program either: in both s_client and
> verify from the command line, 0.9.8g will return an X509_V_OK code, and
> 1.0.0a will return error 20. I am completely at a loss as to why this is.
> I am not so much concerned with getting the command line to work as I am
> with my program. I can't post my code because of a non-disclosure
> agreement, but I will post the steps that I am taking that are relevant to
> verify.
>
You need to call c_rehash with OpenSSL 1.0.0: the hash algorithm changed and is incompatible with 0.9.8.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
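A way to check whether a CApath directory such as /etc/ssl/certs carries the 1.0.0-style hash links Steve refers to, and to create the missing ones the way c_rehash would (an added example, not code from the thread or from the OpenSSL project; it assumes the openssl CLI is on PATH and that the certificates are PEM files named *.pem or *.crt):

```shell
#!/bin/sh
# Added example (not from the thread): verify that an OpenSSL CApath
# directory carries the SHA-1 based <hash>.N links that OpenSSL 1.0.0+
# looks up, and create any that are missing, as c_rehash would.
# Assumes the openssl CLI is on PATH and that certificates are PEM files
# named *.pem or *.crt (the naming is an assumption of this example).

# Subject hash as computed by the installed OpenSSL (the 1.0.0 scheme).
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }
# The pre-1.0.0 hash, shown so a stale 0.9.8 link can be recognised.
subject_hash_old() { openssl x509 -noout -subject_hash_old -in "$1"; }

# has_link DIR CERT HASH: true if some DIR/HASH.N entry has CERT's bytes.
has_link() {
    for l in "$1/$3".[0-9]*; do
        [ -e "$l" ] && cmp -s "$l" "$2" && return 0
    done
    return 1
}

# Print the number of certificates in DIR that have no 1.0.0-style link
# (0 means OpenSSL 1.0.0 can find every issuer stored in DIR by hash).
check_capath() {
    missing=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        h=$(subject_hash "$f")
        if ! has_link "$1" "$f" "$h"; then
            echo "$(basename "$f"): no $h.N link (0.9.8 hash: $(subject_hash_old "$f"))" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Create the missing links, using the first free suffix N for each hash.
rehash_capath() {
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        h=$(subject_hash "$f")
        has_link "$1" "$f" "$h" && continue
        n=0
        while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$f")" "$1/$h.$n"
    done
}
```

Running `check_capath /etc/ssl/certs` on a directory last hashed under 0.9.8 lists every certificate whose link only exists under the old hash, which is exactly the case where verification reports error 20 after the upgrade.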