>From: owner-openssl-us...@openssl.org On Behalf Of Ben White
>Sent: Friday, 07 September, 2012 13:01

><snip>using gSOAP with openssl<snip>
>Everything works fine on my build system (Fedora 17 x64), but 
>when I run the cross compiled version on my target device 
>(ARM/Montavista 5), I get the following error:
>error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

>I have run the following command on both (the IP address is google.com):
>openssl s_client -showcerts -connect 173.194.67.104:443 -verify 9

>The outputs on the different machines are listed below. I am 
>running openssl 1.0.1c in both cases. In particular the target 
>(ARM) system seems to receive/interpret a different certificate chain.

No, look at your output: the certificate chain is identical.
What differs is the result of verification against each system's 
truststore, which is the set of CA (root) certs it trusts.

Since you didn't specify -CAfile or -CAdir on s_client, 
it's using (whatever is in) the default truststore, which 
can be set by environment variables SSL_CERT_FILE/DIR 
and otherwise defaults to a file or subdirectory in 
OPENSSLDIR which is set at build time. If you installed 
openssl on your dev system (Fedora) as a package, that 
package may have installed some well-known CA certs in your 
default store, or you may have installed some other package 
that does so (I've heard curl does, and I think there are 
others). Or if this system is shared, someone else did.

If your app is calling SSL_CTX_set_default_verify_paths 
it is defaulting similarly.

For your target system you might first check whether there 
is a package that includes, or adds, well-known CA certs.
If this is not the same package or packager as openssl, 
be sure they agree on the location of OPENSSLDIR.
To do it yourself you should either put whatever CA certs 
you decide are trusted -- or someone else you trust has decided 
are trusted, such as Microsoft (Windows/IE) or Oracle (Java) -- 
in its default truststore, if that is a location you can write.
Or, change your app to call SSL_CTX_set_verify_locations 
specifying your own file and/or directory into which you 
similarly put whatever CA certs you decide are trusted.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
