In the past, I was not using Intermediate certificate and the code below
works with no problem.
/* Load the CAs we trust*/
if(!(SSL_CTX_load_verify_locations(ctx, *NULL*, CA_PATH)))
berr_exit("Couldn't read CA list/path");
SSL_CTX_set_verify_depth(ctx,*1*);
Now that I have a chain of intermediate certificates, I have to inform
about that in the SSL_CTX_load_verify_locations and it's what I am doing
with the code below.
/* Load the CAs we trust*/
if(!(SSL_CTX_load_verify_locations(ctx, *str_keyfile.data()*, CA_PATH)))
berr_exit("Couldn't read CA list/path");
SSL_CTX_set_verify_depth(ctx,*5*);
Thank you all for the suggestions; all of that helps me to understand the
concept of intermediate certificates and how is the interaction with the
client side.
On Tue, May 21, 2013 at 7:02 PM, Jorge Ventura <
[email protected]> wrote:
> I have an application (server) that is working using SSLv23 with a
> regular certificate. Now I have to use one chain of two intermediate
> certificates but for any reason, openssl library is not sending the
> chain and the only way to work correctly is when I inform to the
> client side about the intermediate.
>
> If I am understanding correctly, as long as the client trust in the
> last certificate, it will trust on all intermediate.
>
> Below is a result using the command "openssl s_client ...".
>
> The client has only the Equifax root certificate; all other GeoTrust
> are intermediate. The file cacerts.pem in the command below has the
> two intermediate informed to force the command to succeed but in the
> real case, I don't have such information at client side.
>
> Because the client trust the connection when I inform the
> intermediate, I suppose the server is not sending the intermediate,
> only the first certificate in the chain and in this case the command
> fail.
>
>
> $ openssl s_client -connect 10.10.10.10:443 -verify 5 -state -CAfile
cacerts.pem
> verify depth is 5
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> verify return:1
> depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> verify return:1
> depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> verify return:1
> depth=0
/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
> Lake/O=ACME, INC/CN=www.acme.com
> verify return:1
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> CONNECTED(00000003)
> ---
> Certificate chain
> 0
s:/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
> Lake/O=ACME, INC/CN=www.acme.com
> i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> (the server certificate)
> -----END CERTIFICATE-----
>
subject=/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
> Lake/O=ACME, INC/CN=www.acme.com
> issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1539 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : AES256-SHA
> Session-ID:
5FB55650BEEAE091441A5CEF4047A0243EE9D57AE8F0485CC1F951E2E97CAE06
> Session-ID-ctx:
> Master-Key:
>
06B036B9D47B297D2086CB6370108BB60102CD0FD7649F92351E15324D96E8614C566BF9040296177E2BDCA0A189472C
> Key-Arg : None
> Start Time: 1369178367
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
> read:errno=0
> SSL3 alert write:warning:close notify
