Hi Jan,
The problem is due to the mismatched version between the openssl library (used by
the application) and the openssl executable. Basically the CA/Intermediate CA
certificate hash is calculated differently by the two versions.
Thank you for your help!
Bob
-----Original Message-----
From: openssl-users [mailto:[email protected]] On Behalf Of Jan Just Keijser
Sent: Wednesday, February 03, 2016 8:17 AM
To: [email protected]
Subject: Re: [openssl-users] Certificate verification failure
Yan, Bob wrote:
> Thanks Jan,
>
> When I am using the CApath, I do have the symbolic hash link (with ".0" at
> the end of the hash) linked to my ca-root.pem certificate file and
> ca-intermediate.pem certificate. Any other issues which could cause this
> issue?
>
What happens if you run "openssl verify -CApath <dir> client.crt"? Is that
certificate correctly verified?
HTH,
JJK
> -----Original Message-----
> From: openssl-users [mailto:[email protected]] On Behalf Of Jan Just Keijser
> Sent: Monday, February 01, 2016 1:04 AM
> To: [email protected]
> Subject: Re: [openssl-users] Certificate verification failure
>
> Yan, Bob wrote:
>
>> Dear Sir/Madam,
>>
>> I have an application which acts as an SSL server. When the
>> application loads the root and intermediate CA files from a CA path,
>> the handshake between my application and the openssl client failed at
>> the point when my application was authenticating the client's
>> certificate. But when I bound the root CA and intermediate CA into a
>> single pem file and reloaded it from my application, the handshake is
>> successful. Could anybody help me resolve this issue? Below is the
>> sample of my application code for loading the CA certificates:
>>
>> if (SSL_CTX_load_verify_locations(ctx, caFile, caPath) != 1) {
>>     exit(EXIT_FAILURE);  /* trusted CAs from a bundle file and/or a hashed directory */
>> }
>> if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
>>     exit(EXIT_FAILURE);  /* also trust the build-time default certificate locations */
>> }
>> if (SSL_CTX_use_certificate_chain_file(ctx, certFile) != 1) {
>>     exit(EXIT_FAILURE);  /* server certificate followed by its chain */
>> }
>> if (SSL_CTX_use_PrivateKey_file(ctx, keyFile, SSL_FILETYPE_PEM) != 1) {
>>     exit(EXIT_FAILURE);
>> }
>> SSL_CTX_set_verify_depth(ctx, chainDepths);
>> /* require a client certificate and verify it during the handshake */
>> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, callback);
>> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>>
>>
>
> when you're using CA path, what are the contents of this CA path directory?
> In it you should have placed the root and intermediate CA files using special
> names. Instead of using "ca.pem" you need to have a file "<hash>.0", where
> <hash> is the output of "openssl x509 -hash -noout -in ca.pem" (and similarly
> for the intermediate CA file).
>
> JJK
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
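The CApath naming that Jan describes, and the version mismatch Bob found, as an added example that is not code from this thread: it builds a throw-away root/intermediate/client chain, links each CA file into a hashed directory under both the SHA-1 based name (OpenSSL 1.0.0 and later) and the MD5 based name (0.9.8), and shows with "openssl verify -CApath" that a directory holding only the old-style names is not usable by a newer OpenSSL. It assumes an OpenSSL 1.1 or later "openssl" binary on PATH; all file names, directory names and subjects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from this thread). Assumes an OpenSSL >= 1.1 "openssl"
# binary on PATH; every file, directory and subject name below is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Tiny config so the CA certs get CA:TRUE whatever the system openssl.cnf says.
printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\n' > "$WORK/ca.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >> "$WORK/ca.cnf"
# Constructed throw-away PKI: root CA -> intermediate CA -> client leaf.
make_pki() (
  cd "$WORK"
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Root CA" -keyout root.key -out ca-root.pem
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA ca-root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.cnf -extensions v3_ca -out ca-intermediate.pem
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=client" -keyout client.key -out client.csr
  openssl x509 -req -in client.csr -CA ca-intermediate.pem -CAkey int.key \
    -CAcreateserial -days 1 -out client.crt
)

# Symlink one CA file into a CApath under each requested hash name: -hash gives the
# SHA-1 based name OpenSSL >= 1.0.0 looks for, -subject_hash_old the MD5 based name
# 0.9.8 looks for. The suffix counts up from .0 on collisions, as lookup probes .0, .1, ...
install_ca() {  # $1 = CA file in $WORK, $2 = CApath dir name, $3.. = x509 hash options
  f=$1; d=$2; shift 2
  mkdir -p "$WORK/$d"
  for h in $(openssl x509 -noout "$@" -in "$WORK/$f"); do
    n=0
    while [ -e "$WORK/$d/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$WORK/$f" "$WORK/$d/$h.$n"
  done
}

# Prints "ok" when client.crt chains to the root through the given CApath, else "fail".
verify_client() {  # $1 = CApath dir name
  if openssl verify -CApath "$WORK/$1" "$WORK/client.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_pki 2>/dev/null
for ca in ca-root.pem ca-intermediate.pem; do
  install_ca "$ca" capath-both -hash -subject_hash_old   # found by either generation
  install_ca "$ca" capath-old -subject_hash_old          # 0.9.8-style names only
done
echo "both name styles: $(verify_client capath-both)"   # ok
echo "old names only:   $(verify_client capath-old)"    # fail with OpenSSL >= 1.0.0
```

An application linked against a different libcrypto than the "openssl" binary that built the directory sees the same effect as the "old names only" case, which is why installing both names (or running the matching c_rehash) is the robust fix.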