As a matter of fact, with use of the
SSL_CTX_use_certificate_chain_file() API the SSL handshake continues to fail
with error "
As you mentioned, Viktor, I am using the SSL_CTX_use_certificate_file() API
to read cert.pem, which contains the server certificate & private key.
Now I have another file, chain.pem, which contains only intermediate
certificates.
To read the content of this file I am using the
SSL_CTX_use_certificate_chain_file() API.

Below is the complete sequence:

#include <openssl/ssl.h>

SSL_CTX *sslctx;
const SSL_METHOD *meth = SSLv23_server_method();
sslctx = SSL_CTX_new(meth);
SSL_CTX_set_options(sslctx, SSL_OP_NO_SSLv2);

SSL_CTX_set_cipher_list(sslctx, "HIGH:!DSS:!aNULL:!eNULL@STRENGTH");

/* certs.pem holds the server certificate and its private key */
SSL_CTX_use_certificate_file(sslctx, "/tmp/certs.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_PrivateKey_file(sslctx, "/tmp/certs.pem", SSL_FILETYPE_PEM);
SSL_CTX_check_private_key(sslctx);
/* chain.pem holds only the intermediate certificates */
SSL_CTX_use_certificate_chain_file(sslctx, "/tmp/chain.pem");
SSL_CTX_load_verify_locations(sslctx, "/tmp/ca.pem", NULL);

With this configuration, when the server and client do an SSL handshake I get
an error such as "SSL_write() error - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher".

Am I missing something here?


On Sun, Mar 9, 2014 at 2:07 AM, Viktor Dukhovni
<openssl-us...@dukhovni.org> wrote:

> On Sat, Mar 08, 2014 at 08:26:54PM +0530, Harshal Talele wrote:
>
> > In my case cert.pem file contains private key too.
> > I want to understand: if I have to use intermediate certificates in the SSL
> > handshake, is there any specific way in which we have to populate the SSL_CTX
> > structure?
> >
> > I have tried using SSL_CTX_use_certificate_chain_file() API. Is this the
> > right way?
>
> Yes:
>
>     /* XXX: Add robust error handling? :-) */
>     if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0)
>         goto fail;
>     if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
>         goto fail;
>
> --
>         Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
