Hi,

Let me start with a disclaimer that I am not very experienced with OpenSSL.

I have a requirement. In an enterprise, all clients and servers communicate over SSL. The certs on the client and server are self-signed. There is one client application which talks to 100+ different services. Currently the peer verification is done using a single file containing all those self-signed certs on the client side:

    /* load the bundle of self-signed certs the client trusts */
    if (!SSL_CTX_load_verify_locations(context, trusted_certs_filename, NULL))
        fprintf(stderr, "SSL_CTX_load_verify_locations failed (file:%s)\n",
                trusted_certs_filename);

    /* client always receives a certificate from the server, and if that
       certificate fails to verify, the handshake will be terminated */
    SSL_CTX_set_verify(context, SSL_VERIFY_PEER, NULL);

As the PEM file in question contains 100+ certs, SSL context initialization takes a while. My task is to migrate that to using a CA path. I have a solution but also want to build a fallback mechanism: I want to fall back on initializing the context with the PEM file in case the cert verification fails with the CA path.

At a high level I see the following to be done:

- on the client, handle the reason code SSL_R_CERTIFICATE_VERIFY_FAILED from SSL_connect
- on the server, handle the reason code SSL_R_TLSV1_ALERT_UNKNOWN_CA from SSL_accept
- change the SSL context to have the PEM file as verified certs on the client side
- renegotiate the SSL handshake over the same socket

Does any of the users know of such an implementation or its feasibility? Please help me by suggesting some ways to solve this issue.

Regards,
banro21
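As an added example (not the poster's code, and not taken from OpenSSL itself): a POSIX shell script using the openssl CLI that builds the hashed CApath directory which SSL_CTX_load_verify_locations(ctx, NULL, capath) expects from a PEM bundle like the one described, then checks peer certs against the CApath first and the PEM bundle second. The certificate names (svc1, svc2, svc3, rogue), the temp directory and the file layout are all constructed for the example. Running a check like this against the directory before deployment shows whether the fallback path would ever be taken, without having to renegotiate a live connection.

```shell
#!/bin/sh
# Added example, not the poster's code. Builds an OpenSSL CApath directory from
# a PEM bundle of self-signed certs and verifies peer certs against it, with the
# bundle file as fallback. Needs the openssl CLI; everything lives in a temp dir.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BUNDLE="$WORK/trusted_certs.pem"   # constructed stand-in for the 100+ cert file
CAPATH="$WORK/capath"              # hashed directory that will replace it
mkdir -p "$CAPATH"

# make_self_signed NAME: writes $WORK/NAME.pem and $WORK/NAME.key (constructed test certs)
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# build_capath BUNDLE DIR: one cert per file named <subject_hash>.<n>, which is
# the layout SSL_CTX_load_verify_locations(ctx, NULL, DIR) looks up by issuer
# name. Same result as running "openssl rehash DIR" / c_rehash on the split files.
build_capath() {
    bundle=$1; dir=$2
    awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       { print > (dir "/split." n ".pem") }' "$bundle"
    for f in "$dir"/split.*.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || { rm -f "$f"; continue; }
        i=0
        while [ -e "$dir/$h.$i" ]; do i=$((i + 1)); done   # distinct certs with equal hash
        mv "$f" "$dir/$h.$i"
    done
}

# verify_ok STORE_OPTION STORE CERT: succeeds only when openssl verify reports OK
# (checked on the output, since older releases exit 0 even on failure).
verify_ok() {
    openssl verify "$1" "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# verify_peer CERT: prints which store accepted it: "capath", "cafile" (the
# fallback the post asks about) or "fail".
verify_peer() {
    if verify_ok -CApath "$CAPATH" "$1"; then echo capath
    elif verify_ok -CAfile "$BUNDLE" "$1"; then echo cafile
    else echo fail
    fi
}

# --- constructed scenario ---------------------------------------------------
make_self_signed svc1; make_self_signed svc2
cat "$WORK/svc1.pem" "$WORK/svc2.pem" > "$BUNDLE"
build_capath "$BUNDLE" "$CAPATH"

make_self_signed svc3; make_self_signed rogue
cat "$WORK/svc3.pem" >> "$BUNDLE"     # added to the bundle but CApath NOT rebuilt

for name in svc1 svc3 rogue; do
    echo "$name: $(verify_peer "$WORK/$name.pem")"
done
```

svc1 is accepted from the CApath, svc3 only from the bundle (the drift that would trigger the fallback), and rogue is rejected by both. If svc3-style results show up against a freshly built directory, the directory is incomplete and rebuilding it is the fix; the CApath lookup itself costs nothing at context initialization because certs are read lazily by subject hash.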
