Hi,

We are implementing multi-layer support for our OpenSSL-based PKI solution and had the following query:

Currently our PKI solution supports only single-layer CA support, and we use the SSL_CTX_load_verify_locations API with the CAFile option, meaning that the service loads the CA certificate from a PEM file. When testing multi-layer support between a client-server model with SSL_VERIFY_PEER set to true, we observed that using the CAFile (with all CA certificates, root + intermediate, concatenated into a single PEM file) does not work anymore. But using the CAPath option (storing each CA in a separate file, creating hashes for them in a directory and providing that directory in CAPath) seems to work fine. Is this a known bug with OpenSSL, or is it something that we are doing wrong?

Also, from the OpenSSL community perspective, is it advisable to use the CAFile option or the CAPath option when providing multi-layer support?

Regds,
Ashok