Yan, Bob wrote:
Dear Sir/Madam,
I have an application which acts as an SSL server. When the application
loads the root and intermediate CA files from a CA path, the handshake
between my application and the openssl client fails at the point where
my application is authenticating the client's certificate. But when I
bundled the root CA and intermediate CA into a single PEM file and
reloaded it from my application, the handshake was successful. Could
anybody help me resolve this issue? Below is a sample of my
application code for loading the CA certificates:
#include <stdio.h>
#include <stdlib.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* Configure ctx as a server that verifies client certificates. */
static void configure_ctx(SSL_CTX *ctx, const char *caFile, const char *caPath,
                          const char *certFile, const char *keyFile,
                          int chainDepths, int (*callback)(int, X509_STORE_CTX *))
{
    /* Trust anchors: caFile is a PEM bundle, caPath a directory of <hash>.N files */
    if (SSL_CTX_load_verify_locations(ctx, caFile, caPath) != 1) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    /* Server certificate (plus intermediates) and its private key */
    if (SSL_CTX_use_certificate_chain_file(ctx, certFile) != 1) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) != 1) {
        ERR_print_errors_fp(stderr);
        exit(EXIT_FAILURE);
    }
    SSL_CTX_set_verify_depth(ctx, chainDepths);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER |
                       SSL_VERIFY_FAIL_IF_NO_PEER_CERT, callback);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
}
When you're using a CA path, what are the contents of this CA path
directory? In it you should have placed the root and intermediate CA
files using special names. Instead of using "ca.pem" you need to have a
file "<hash>.0", where <hash> is the output of "openssl x509 -hash
-noout -in ca.pem" (and similarly for the intermediate CA file).
JJK
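As an added illustration of JJK's point (this script is not from the thread and not OpenSSL's own c_rehash), the POSIX shell below populates a CApath directory the way the hashed-directory lookup expects: each PEM is stored as <subject hash>.N, with N starting at 0 and counting up when two subjects hash to the same value, which is how OpenSSL probes the directory. It then generates a constructed throwaway self-signed CA and shows with "openssl verify" that the same certificate is found under its hashed name but not when it sits in the directory as plain "ca.pem", which is the symptom in the question. The only tool assumed is the openssl command-line binary.

```shell
#!/bin/sh
# Added example, not from the original thread: populate an OpenSSL CApath
# directory with <subject-hash>.N file names and show with "openssl verify"
# that a CA dropped in under its plain file name is not found.
set -eu

# Copy every *.pem in directory $1 into CApath directory $2 under its
# subject-hash name. OpenSSL probes <hash>.0, <hash>.1, ... so two CAs whose
# subjects hash alike get consecutive suffixes instead of overwriting each other.
install_ca_path() {
    src=$1
    capath=$2
    mkdir -p "$capath"
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        subj_hash=$(openssl x509 -hash -noout -in "$pem")
        n=0
        while [ -e "$capath/$subj_hash.$n" ]; do
            n=$((n + 1))
        done
        cp "$pem" "$capath/$subj_hash.$n"
    done
}

# Exit status 0 if "openssl verify" can build a chain for certificate $2
# using the CApath directory $1 (plus whatever the system store holds).
verify_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Self-check: a constructed throwaway self-signed CA must verify when the
# directory holds it as <hash>.0 and must NOT verify when it is just ca.pem.
# Returns 0 when both expectations hold.
run_demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root CA" \
        -keyout "$tmp/ca.key" -out "$tmp/ca.pem" >/dev/null 2>&1
    mkdir -p "$tmp/plain" "$tmp/src"
    cp "$tmp/ca.pem" "$tmp/plain/ca.pem"        # the layout from the question
    cp "$tmp/ca.pem" "$tmp/src/ca.pem"
    install_ca_path "$tmp/src" "$tmp/hashed"    # the layout JJK describes
    status=0
    if verify_with_capath "$tmp/plain" "$tmp/ca.pem"; then
        status=1    # found under its plain name: not expected
    fi
    verify_with_capath "$tmp/hashed" "$tmp/ca.pem" || status=1
    rm -rf "$tmp"
    return "$status"
}

# Run as: sh capath_demo.sh demo
if [ "${1:-}" = "demo" ]; then
    if run_demo; then
        echo "hashed CApath works; plain file name is not found"
    else
        echo "unexpected verify result" >&2
        exit 1
    fi
fi
```

The same check applies to the server code in the question: with caPath pointing at a directory of plain-named PEM files, SSL_CTX_load_verify_locations() returns 1 because it only registers the directory, and the missing CA shows up later as a verify failure during the handshake; listing the directory for <hash>.N names, or running "openssl verify -CApath" against a client certificate, reveals the problem before deploying.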
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users