I have an application (server) that is working using SSLv23 with a regular certificate. Now I have to use one chain of two intermediate certificates, but for some reason the openssl library is not sending the chain, and the only way it works correctly is when I inform the client side about the intermediates.
If I am understanding correctly, as long as the client trusts the last certificate, it will trust all the intermediates. Below is a result using the command "openssl s_client ...". The client has only the Equifax root certificate; all the other GeoTrust certificates are intermediates. The file cacerts.pem in the command below has the two intermediates included to force the command to succeed, but in the real case I don't have such information at the client side. Because the client trusts the connection when I inform it of the intermediates, I suppose the server is not sending the intermediates, only the first certificate in the chain, and in this case the command fails.

$ openssl s_client -connect 10.10.10.10:443 -verify 5 -state -CAfile cacerts.pem
verify depth is 5
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify return:1
depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
verify return:1
depth=0 /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior Lake/O=ACME, INC/CN=www.acme.com
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
CONNECTED(00000003)
---
Certificate chain
 0 s:/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior Lake/O=ACME, INC/CN=www.acme.com
   i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(the server certificate)
-----END CERTIFICATE-----
subject=/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior Lake/O=ACME, INC/CN=www.acme.com
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1539 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 5FB55650BEEAE091441A5CEF4047A0243EE9D57AE8F0485CC1F951E2E97CAE06
    Session-ID-ctx:
    Master-Key: 06B036B9D47B297D2086CB6370108BB60102CD0FD7649F92351E15324D96E8614C566BF9040296177E2BDCA0A189472C
    Key-Arg   : None
    Start Time: 1369178367
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=0
SSL3 alert write:warning:close notify

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
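The situation described in the post, reproduced offline as an added example (not code from the original post or from OpenSSL): a Go program using only the standard library builds a root, two intermediates and a leaf, then verifies the leaf the way a client that holds only the root does, once with nothing sent after the leaf and once with both intermediates. All names (root.example.test, global-ca.example.test, ssl-ca.example.test, www.example.test) are constructed stand-ins for the Equifax/GeoTrust/www.acme.com chain in the s_client output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for name signed by parent (self-signed when parent is nil).
func mkCert(name string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { // root CA: signed with its own key
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Check builds root -> global CA -> SSL CA -> leaf, then verifies the leaf as a client
// holding only the root does: what the server sent after the leaf is the Intermediates pool.
func Check(serverSendsIntermediates bool) (int, error) {
	root, rootKey := mkCert("root.example.test", true, nil, nil)
	inter1, k1 := mkCert("global-ca.example.test", true, root, rootKey)
	inter2, k2 := mkCert("ssl-ca.example.test", true, inter1, k1)
	leaf, _ := mkCert("www.example.test", false, inter2, k2)
	roots, sent := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if serverSendsIntermediates { // chain-file order: leaf, its issuer, then that issuer
		sent.AddCert(inter2)
		sent.AddCert(inter1)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: "www.example.test"})
	if err != nil {
		return 0, err // x509.UnknownAuthorityError when the intermediates are missing
	}
	return len(chains[0]), nil // leaf, both intermediates and the root: 4
}
```

On the OpenSSL server side the equivalent of sending the intermediates is loading a chain file (leaf first, then the intermediates in issuing order) with SSL_CTX_use_certificate_chain_file rather than SSL_CTX_use_certificate_file, which loads only the leaf. The root itself does not need to be sent, since the client already has it.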