.cer certificate file
Hi. I have to write a client for some system that is written by other people; apparently it uses SSL ;) I can normally establish an SSL connection and receive the appropriate response, but the problem is that they sent us their certificate file that we should use, named "users.cer" (a single file). I googled and looked at various tutorials, but they all involve generating a private key, making a certificate out of it, sending it for signing etc. No .cer file usage is described anywhere. How do I add .cer certificate usage to a standard connection with SSL? A code sample would be appreciated ;)

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: openssl, c-kermit and IBM information exchange
Your questions are really specific to C-Kermit so I suggest you use the comp.protocols.kermit.misc newsgroup in the future. I would suggest you follow the troubleshooting guidelines on the page http://www.kermit-project.org/ibm_ie.html as well as use the provided ibm_infoexchange script ftp://kermit.columbia.edu/kermit/scripts/ckermit/ibm_infoexchange to debug the TLS connection. You want to turn on

  SET AUTH TLS VERBOSE ON
  SET AUTH TLS DEBUG ON

Then you will see where in the TLS exchange the connection is being lost. 99% chance the reason you are losing is there is a firewall between you and IBM which does not permit secure FTP sessions.

Jeffrey Altman
Kermit 95 Author
Secure Endpoints Inc

Vasseur, Peter wrote:

> Hello. I am trying to make a secure FTP connection to IBM Information Exchange from my UNIX machine. I am using C-Kermit 8.0.211, which I compiled for use with openssl on Solaris9 with gcc 3.3. I used openssl to convert the IBM certificates that I was assigned in PKCS#12 format to PEM format for use with c-kermit and openssl, with the following command.
>
>   openssl pkcs12 -in pkcs#12_filename -out pem_filename
>
> As best as I can tell I have followed everything in the c-kermit documentation, as well as the IBM information exchange web site. However, when I connect to the site I am asked for the PEM certificate passphrase both under TLS authentication. I correctly enter the passphrase I gave the PEM certificate (and KEY) and it accepts it, however it waits for approximately five minutes before it comes back again with an SSL/TLS connect COMMAND error (see below) and I have to re-enter the passphrase and wait five minutes until it times out again. Here is a transcript of what I get:
>
>   Connected to ieftpint2.services.ibm.com.
>   TLS accepted as authentication type
>   Enter certificate passphrase:
>   ftp: SSL/TLS connect COMMAND error: error::lib(0):func(0):reason(0)
>   TLS authentication failed
>   Connected to ieftpint2.services.ibm.com.
>   SSL accepted as authentication type
>   Enter certificate passphrase:
>   ftp: SSL/TLS connect COMMAND error: error::lib(0):func(0):reason(0)
>   SSL authentication failed
>   Connected to ieftpint2.services.ibm.com.
>   USER command not allowed on insecure connection - use AUTH command.
>   FTP login failed.
>   C-Kermit 8.0.211, 10 Apr 2004, for Solaris 9
>    Copyright (C) 1985, 2004,
>     Trustees of Columbia University in the City of New York.
>   Type ? or HELP for help.
>
> I looked in the archives for this list, since I am a newbie, to not have to bother you, but the results for a search on "ftp: SSL/TLS connect COMMAND error: error::lib(0):func(0):reason(0)" did not help me find the answer.
>
> I have an IBM technical person working on this, but they had no clue what this was about --- but he would get right back to me. Any advice you can provide will be greatly appreciated.
>
> Peter
openssl, c-kermit and IBM information exchange
Hello. I am trying to make a secure FTP connection to IBM Information Exchange from my UNIX machine. I am using C-Kermit 8.0.211, which I compiled for use with openssl on Solaris9 with gcc 3.3. I used openssl to convert the IBM certificates that I was assigned in PKCS#12 format to PEM format for use with c-kermit and openssl, with the following command.

  openssl pkcs12 -in pkcs#12_filename -out pem_filename

As best as I can tell I have followed everything in the c-kermit documentation, as well as the IBM information exchange web site. However, when I connect to the site I am asked for the PEM certificate passphrase both under TLS authentication. I correctly enter the passphrase I gave the PEM certificate (and KEY) and it accepts it, however it waits for approximately five minutes before it comes back again with an SSL/TLS connect COMMAND error (see below) and I have to re-enter the passphrase and wait five minutes until it times out again. Here is a transcript of what I get:

  Connected to ieftpint2.services.ibm.com.
  TLS accepted as authentication type
  Enter certificate passphrase:
  ftp: SSL/TLS connect COMMAND error: error::lib(0):func(0):reason(0)
  TLS authentication failed
  Connected to ieftpint2.services.ibm.com.
  SSL accepted as authentication type
  Enter certificate passphrase:
  ftp: SSL/TLS connect COMMAND error: error::lib(0):func(0):reason(0)
  SSL authentication failed
  Connected to ieftpint2.services.ibm.com.
  USER command not allowed on insecure connection - use AUTH command.
  FTP login failed.
  C-Kermit 8.0.211, 10 Apr 2004, for Solaris 9
   Copyright (C) 1985, 2004,
    Trustees of Columbia University in the City of New York.
  Type ? or HELP for help.

I looked in the archives for this list, since I am a newbie, to not have to bother you, but the results for a search on "ftp: SSL/TLS connect COMMAND error: error::lib(0):func(0):reason(0)" did not help me find the answer.

I have an IBM technical person working on this, but they had no clue what this was about --- but he would get right back to me. Any advice you can provide will be greatly appreciated.

Peter
Re: Where are the reason codes?
On Tue, Apr 27, 2004, Dennis Putnam wrote:

> Only from mod_ssl telling me authentication failed and OpenSSL library
> errors follow.
>

Hmmm, still sounds like it doesn't like the certificate or key file.

What happens when you try:

  openssl s_server -cert cert.pem -key key.pem -www

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
Re: Where are the reason codes?
Only from mod_ssl telling me authentication failed and OpenSSL library errors follow.

On Apr 27, 2004, at 1:34 PM, Dr. Stephen Henson wrote:

> Do you get any errors before that one?
>
> Steve.

Dennis Putnam
Information Technology
AIM Systems, Inc.
11675 Rainwater Dr.
Alpharetta, GA 30004
678-297-0700
Re: Where are the reason codes?
On Tue, Apr 27, 2004, Dennis Putnam wrote:

> I appreciate you taking the time to help. There's good news and bad
> news.
>
> openssl gave me an error reading the cert so I replaced that copy with
> a new one. When I reran openssl it dumped out a lot of stuff, mostly
> meaningless to me, but I believe it is OK now (good news). So I tried
> to reenable SSL on Apache and restart it. It still will not start but
> the error is different (bad news). Now I get:
>
> [Tue Apr 27 13:16:49 2004] [error] OpenSSL: error:0D07207B:asn1
> encoding routines:ASN1_get_object:header too long
>

Do you get any errors before that one?

Steve.
Re: Where are the reason codes?
I appreciate you taking the time to help. There's good news and bad news.

openssl gave me an error reading the cert so I replaced that copy with a new one. When I reran openssl it dumped out a lot of stuff, mostly meaningless to me, but I believe it is OK now (good news). So I tried to reenable SSL on Apache and restart it. It still will not start but the error is different (bad news). Now I get:

  [Tue Apr 27 13:16:49 2004] [error] OpenSSL: error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long

On Apr 27, 2004, at 12:51 PM, Dr. Stephen Henson wrote:

> Hmmm. Maybe an invalid certificate file? Some CAs send out PKCS#7
> structures that look like certificates. What does:
>
>   openssl x509 -in cert.pem -text
>
> where "cert.pem" is wherever you placed the certificate, show?
>
> Steve.

Dennis Putnam
RE: Windows fd/socket problem with BIO: solved !
> It's good. I have found a solution on msdn. I have to
> duplicate the socket handle:
>
>   DuplicateHandle(GetCurrentProcess(), (HANDLE)ctrl,
>                   GetCurrentProcess(), (HANDLE*)&ctrl_dup,
>                   0, TRUE, /* inherit socket */
>                   DUPLICATE_SAME_ACCESS);
>
> Then put ctrl_dup on the cmd_line args for
> CreateProcess();
>
> This value is retrieved easily by parsing the new process
> args. The retrieved handle could correctly be used as
> a socket with BIO_new_socket() and so on.
>
> I hope this could help somebody one day.

It is an API violation to duplicate a socket via 'DuplicateHandle'. That only duplicates the handle and could cause major problems by failing to duplicate other structures associated with the socket but not the handle. You should change your code immediately to use *socket* duplication functions like 'WSADuplicateSocket'. Your code *will* break code that relies upon such socket data structures.

DS
Re: Where are the reason codes?
On Tue, Apr 27, 2004, Dennis Putnam wrote:

> It occurs when httpd starts which won't let it run. I have to disable
> SSL to bring it up.
>

Hmmm. Maybe an invalid certificate file? Some CAs send out PKCS#7 structures that look like certificates. What does:

  openssl x509 -in cert.pem -text

where "cert.pem" is wherever you placed the certificate, show?

Steve.
Re: Where are the reason codes?
It occurs when httpd starts which won't let it run. I have to disable SSL to bring it up.

On Apr 27, 2004, at 12:37 PM, Dr. Stephen Henson wrote:

> Under what conditions do you get that error? Is it when you startup,
> when you get an incoming connection and have you enabled client
> authentication?
>
> Steve.

Dennis Putnam
Re: Where are the reason codes?
On Tue, Apr 27, 2004, Dennis Putnam wrote:

>
> On Apr 27, 2004, at 12:13 PM, Dr. Stephen Henson wrote:
>
> > In this case you get:
> >
> > error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
> > error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> > error
> >
> Thanks. I guess the next stop is Apache.

Under what conditions do you get that error? Is it when you startup, when you get an incoming connection and have you enabled client authentication?

Steve.
Re: Problems with d2i_PKCS8PrivateKey_bio function
On Tue, Apr 27, 2004, Carlos Roberto Zainos H wrote:

> Hi Dr Henson and openssl users list.
>
> I'm very thankful for your answers.
>
> This time I'm having problems with the d2i_PKCS8PrivateKey_bio function. This always
> returns me 0, and really I don't know what's wrong.
> My code:
>
>   RSA *rsa;
>   EVP_PKEY *dec_key, **x = NULL;
>   BIO *in = NULL;
>   char *password = "am01key";
>   char *priv_key_der = "llaveAMp5.key";   /* PBE privkey file */
>   int i, size_llave = 0;
>
>   OpenSSL_add_all_algorithms();
>   ERR_load_crypto_strings();
>
>   in = BIO_new(BIO_s_file());
>   if (in == NULL)                          /* not problem */
>   {
>       /* Error code */
>   }
>
>   if (BIO_read_filename(in, priv_key_der) <= 0)   /* not problem */
>   {
>       /* Error Code */
>   }
>
>   /* dec_key = EVP_PKEY_new(); commented this out because I thought it could be the problem */
>   dec_key = d2i_PKCS8PrivateKey_bio(in, x, NULL, password);
>   if (dec_key = NULL)                      /* also not problem */
>   {
>       /* Error code */
>   }
>
>   size_llave = EVP_PKEY_size(dec_key);     /* result of this function is always 0 */
>   printf("%d\n", size_llave);              /* prints zero 0 */
>
>   rsa = RSA_new();
>   rsa = EVP_PKEY_get1_RSA(dec_key);        /* this function breaks because dec_key is 0 size bytes, right ? */
>
> With all my test keys the results are the same (privkeyp5.key,
> privkeyp8.key, privkey_der.key). Is there some type of bug ? Or is this
> caused by my C code??
>

Yep, it's your C code. That line:

  if (dec_key = NULL)

will *set* dec_key to NULL which will cause the problems later on. You should do:

  if (dec_key == NULL)

Steve.
Re: Where are the reason codes?
Thanks. I guess the next stop is Apache.

On Apr 27, 2004, at 12:13 PM, Dr. Stephen Henson wrote:

> Apache not printing out human readable error strings is a bad thing(TM).
>
> You can convert error codes by doing:
>
>   openssl errstr X
>
> Where X is the string of hex digits after "error:". In this case you get:
>
>   error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
>   error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
>
> which suggests something invalid is sent to the ASN1 parser. Apache should
> also be printing out the error data but it apparently isn't. Without that
> it's impossible to see what structure the ASN1 code is complaining about.
>
> Steve.

Dennis Putnam
Re: Where are the reason codes?
Thanks for the reply but I don't understand what you are saying. This is in the system log from Apache mod_ssl.

On Apr 27, 2004, at 12:06 PM, Miller,Aaron wrote:

> Did you call ERR_load_crypto_strings ()? Without it, you won't get the
> descriptive text.

Dennis Putnam
Re: Where are the reason codes?
On Tue, Apr 27, 2004, Dennis Putnam wrote:

> I am having a problem with Apache's mod_ssl. It is getting an error
> from OpenSSL but the message is useless without an error code
> reference. I cannot find any error codes at the OpenSSL web site or
> anywhere else for that matter. Can someone point me to a place to find
> what these error messages mean? TIA.
>
> [Tue Apr 27 08:22:34 2004] [error] OpenSSL:
> error:0D0680A8:lib(13):func(104):reason(168)
> [Tue Apr 27 08:22:34 2004] [error] OpenSSL:
> error:0D07803A:lib(13):func(120):reason(58)
>

Apache not printing out human readable error strings is a bad thing(TM).

You can convert error codes by doing:

  openssl errstr X

Where X is the string of hex digits after "error:". In this case you get:

  error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
  error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

which suggests something invalid is sent to the ASN1 parser. Apache should also be printing out the error data but it apparently isn't. Without that it's impossible to see what structure the ASN1 code is complaining about.

Steve.
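The `openssl errstr` lookup above decodes one code at a time and needs the matching OpenSSL build. As an added example (not part of the original thread), the following Python unpacks the pre-3.0 packed error layout that lookup relies on (8 bits of library, 12 of function, 12 of reason) and runs it over the log lines quoted in this thread and in the C-Kermit thread above. The name tables contain only the strings `openssl errstr` printed on this page, so any other code falls back to the numeric lib/func/reason form; OpenSSL 3.0 changed the packing (the function field was dropped), so codes from a 3.x process must be decoded with that version's `openssl errstr`.

```python
import re

# Pre-3.0 OpenSSL packs an error as 8 bits of library, 12 of function and 12 of
# reason (ERR_PACK in err.h).  mod_ssl logged the raw packed value because it had
# not loaded the error strings; the numbers are still recoverable from the hex.
LOG_LINE = re.compile(r"error:([0-9A-Fa-f]*):")

# Name tables restricted to what `openssl errstr` printed in this thread.
LIB_NAMES = {13: "asn1 encoding routines"}
FUNC_NAMES = {(13, 104): "ASN1_CHECK_TLEN", (13, 114): "ASN1_get_object",
              (13, 120): "ASN1_ITEM_EX_D2I"}
REASON_NAMES = {(13, 58): "nested asn1 error", (13, 123): "header too long",
                (13, 168): "wrong tag"}


def unpack(code):
    """Split a packed pre-3.0 error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def describe(code):
    """Render a packed code the way ERR_error_string() does once strings are
    loaded, falling back to lib(n)/func(n)/reason(n) for unknown entries."""
    lib, func, reason = unpack(code)
    return "error:%08X:%s:%s:%s" % (
        code,
        LIB_NAMES.get(lib, "lib(%d)" % lib),
        FUNC_NAMES.get((lib, func), "func(%d)" % func),
        REASON_NAMES.get((lib, reason), "reason(%d)" % reason))


def decode_log(text):
    """Decode every OpenSSL error code found in a log excerpt.

    An empty or zero code, as in the C-Kermit transcript's
    'error::lib(0):func(0):reason(0)', means nothing was on the OpenSSL error
    queue: the failure is in the transport (a timeout, a firewall), not in a
    certificate or key, which matches the diagnosis given in that thread.
    """
    out = []
    for m in LOG_LINE.finditer(text):
        hexcode = m.group(1)
        if not hexcode or int(hexcode, 16) == 0:
            out.append("no OpenSSL error queued: look at the connection, "
                       "not at the certificates")
        else:
            out.append(describe(int(hexcode, 16)))
    return out


# Sample input taken from the two threads on this page.
SAMPLE_LOG = """\
[Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D0680A8:lib(13):func(104):reason(168)
[Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D07803A:lib(13):func(120):reason(58)
ftp: SSL/TLS connect COMMAND error: error::lib(0):func(0):reason(0)
"""

if __name__ == "__main__":
    for line in decode_log(SAMPLE_LOG):
        print(line)
```

Running the module prints the two mod_ssl codes in the same form `openssl errstr` gave above, followed by the transport note for the C-Kermit line. Unknown codes keep their numeric fields, which is exactly the information you need to feed to `openssl errstr` on the affected host.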
RE: Where are the reason codes?
Did you call ERR_load_crypto_strings ()? Without it, you won't get the descriptive text.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dennis Putnam
Sent: Tuesday, April 27, 2004 10:27 AM
To: [EMAIL PROTECTED]
Subject: Where are the reason codes?

I am having a problem with Apache's mod_ssl. It is getting an error from OpenSSL but the message is useless without an error code reference. I cannot find any error codes at the OpenSSL web site or anywhere else for that matter. Can someone point me to a place to find what these error messages mean? TIA.

  [Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D0680A8:lib(13):func(104):reason(168)
  [Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D07803A:lib(13):func(120):reason(58)

Dennis Putnam
Where are the reason codes?
I am having a problem with Apache's mod_ssl. It is getting an error from OpenSSL but the message is useless without an error code reference. I cannot find any error codes at the OpenSSL web site or anywhere else for that matter. Can someone point me to a place to find what these error messages mean? TIA.

  [Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D0680A8:lib(13):func(104):reason(168)
  [Tue Apr 27 08:22:34 2004] [error] OpenSSL: error:0D07803A:lib(13):func(120):reason(58)

Dennis Putnam
Problems with d2i_PKCS8PrivateKey_bio function
Hi Dr Henson and openssl users list.

I'm very thankful for your answers.

This time I'm having problems with the d2i_PKCS8PrivateKey_bio function. This always returns me 0, and really I don't know what's wrong.

My code:

  RSA *rsa;
  EVP_PKEY *dec_key, **x = NULL;
  BIO *in = NULL;
  char *password = "am01key";
  char *priv_key_der = "llaveAMp5.key";   /* PBE privkey file */
  int i, size_llave = 0;

  OpenSSL_add_all_algorithms();
  ERR_load_crypto_strings();

  in = BIO_new(BIO_s_file());
  if (in == NULL)                          /* not problem */
  {
      /* Error code */
  }

  if (BIO_read_filename(in, priv_key_der) <= 0)   /* not problem */
  {
      /* Error Code */
  }

  /* dec_key = EVP_PKEY_new(); commented this out because I thought it could be the problem */
  dec_key = d2i_PKCS8PrivateKey_bio(in, x, NULL, password);
  if (dec_key = NULL)                      /* also not problem */
  {
      /* Error code */
  }

  size_llave = EVP_PKEY_size(dec_key);     /* result of this function is always 0 */
  printf("%d\n", size_llave);              /* prints zero 0 */

  rsa = RSA_new();
  rsa = EVP_PKEY_get1_RSA(dec_key);        /* this function breaks because dec_key is 0 size bytes, right ? */

With all my test keys the results are the same (privkeyp5.key, privkeyp8.key, privkey_der.key). Is there some type of bug ? Or is this caused by my C code?? I'm a little desperate.

Thanks again in advance

Zainos
Re: Add a new signer to a PKCS#7
Hello!

"Dr. Stephen Henson" wrote:

> On Fri, Apr 23, 2004, Antonio Ruiz Martínez wrote:
>
> > Hello!
> >
> > I'm trying to add a new signer to a PKCS#7 that I receive from
> > another person. First, I'm decoding the PKCS#7 and then I'm
> > trying to use my private key and my cert to sign the content of this
> > PKCS#7 and insert my signature in this PKCS#7 in order to get the PKCS#7
> > with the two signatures. The problem is that, when I'm verifying the
> > PKCS#7 obtained with this code, the first signature is invalid and the
> > second one is valid (the first signature's signer).
> >
> > I have parsed the result and I think the problem is the length of the
> > signature is 0.
> >
>
> There isn't any way to do this cleanly with the current API. Ideally adding a
> new signer should take the digest from the existing signer and add it to the
> new signer data however this isn't supported at present.
>
> The best you can do is to create a new PKCS#7 structure by signing the same
> content then merge the two manually by modifying the PKCS7 structure
> internals.
>

Ok. That works. Thanks a lot.

Regards,
Antonio.

> Steve.
Re: SSL_CTX_use_certificate_chain_file()
On Mon, Apr 26, 2004, Joseph Bruni wrote:

> The man page for "SSL_CTX_use_certificate_chain_file" states:
>
>   SSL_CTX_use_certificate_chain_file() loads a certificate chain from
>   file into ctx. The certificates must be in PEM format and must be
>   sorted starting with the certificate to the highest level (root CA).
>   There is no corresponding function working on a single SSL object.
>
> My PKI hierarchy consists of three layers, a self-signed root CA that
> is owned by the corporate security group, a sub-CA that is responsible
> for distributing end-user certificates, and end users who receive
> certificates from the sub-CA.
>
> The server certificate is issued by the root CA.
>
> User certificates are issued by the sub-CA.
>
> The root certificate is loaded into the CTX using
> SSL_CTX_load_verify_locations() on both client and server applications.
>
> Now comes the question:
>
> o If I build a certificate chain file as described in the man page
>   with all three certificates (user,sub-CA,root-CA), handshake fails.
>
> o If I build a certificate chain file with only two certificates
>   (user,sub-CA), handshake succeeds.
>
> Why? Is this a bug? Or is there something more subtle going on?

What handshake error, and specifically the verify error, do you get server side?

If it's an error stating it cannot load an issuer certificate then you need to include the sub-CA on the client side either by placing it in the location of SSL_CTX_load_verify_locations() or using SSL_CTX_use_chain_file().

If the error says something about invalid purposes then you need to use -signCA (or equivalent) to create the sub-CA.

Steve.
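Three certificate-file questions on this page share one mechanic: how to put a vendor's "users.cer" to use, Steve's guess in the reason-code thread that the file might be a PKCS#7 structure that merely looks like a certificate, and the chain-file ordering asked about here. As an added example, not code from any poster, the Python below normalises a .cer (DER or PEM) into the PEM form the trust store needs, refuses a PKCS#7 blob with the `openssl pkcs7 -print_certs` hint, builds a client context that verifies the peer against only that file, and checks that a chain file is ordered leaf first, each following certificate being the issuer of the one before it, by comparing each certificate's raw DER issuer Name against the next certificate's subject Name. `names()` assumes the standard RFC 5280 TBSCertificate field order; `fake_cert` builds constructed, structurally valid certificate skeletons for the demonstration only and produces nothing a TLS stack would accept.

```python
import base64
import re
import ssl

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def certs_from_cer(data):
    """Return the DER certificate(s) in a .cer/.pem file.  The extension says
    nothing about the encoding: one DER blob (first byte 0x30, a SEQUENCE),
    one or more PEM blocks, or a PKCS#7 bundle that only looks like a cert."""
    if b"-----BEGIN PKCS7-----" in data:
        raise ValueError("PKCS#7 bundle, not a certificate; "
                         "extract it with: openssl pkcs7 -print_certs")
    if data[:1] == b"\x30":
        return [data]
    ders = [base64.b64decode(m.group(1)) for m in PEM_CERT.finditer(data)]
    if not ders:
        raise ValueError("neither DER nor PEM certificate data")
    return ders


def to_pem(der):
    """PEM-encode one DER certificate, 64 columns per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def client_context(cer_bytes):
    """Trust only the certificate(s) from users.cer and verify the peer.
    PROTOCOL_TLS_CLIENT already implies CERT_REQUIRED and check_hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata="".join(map(to_pem, certs_from_cer(cer_bytes))))
    return ctx


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _elements(buf, start, end):
    """Yield the encoded elements of a constructed value, in order."""
    pos = start
    while pos < end:
        _, vs, ve = _tlv(buf, pos)
        yield buf[pos:ve]
        pos = ve


def names(der):
    """Return (issuer, subject) as raw DER Name encodings.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    _, cs, ce = _tlv(der, 0)
    tbs = next(_elements(der, cs, ce))
    _, ts, te = _tlv(tbs, 0)
    fields = list(_elements(tbs, ts, te))
    if fields and fields[0][0] == 0xA0:    # skip the explicit [0] version if present
        fields = fields[1:]
    return fields[2], fields[4]


def chain_order_problems(ders):
    """Check the order SSL_CTX_use_certificate_chain_file() wants: the leaf
    first, then its issuer, then that certificate's issuer, and so on."""
    problems = []
    for i in range(len(ders) - 1):
        if names(ders[i])[0] != names(ders[i + 1])[1]:
            problems.append("cert %d is not issued by cert %d" % (i, i + 1))
    if ders and names(ders[-1])[0] == names(ders[-1])[1]:
        problems.append("warning: last cert is self-signed; the peer must already "
                        "trust it from its own store, so sending it adds nothing")
    return problems


def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the constructed test data."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert(subject, issuer):
    """Constructed test data: a Certificate skeleton with labelled Name fields
    and empty placeholders elsewhere.  Not a real or verifiable certificate."""
    name = lambda s: _der(0x30, _der(0x31, _der(0x0C, s)))   # SEQUENCE OF SET of one string
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # [0] version v3
        _der(0x02, b"\x01"),               # serialNumber
        _der(0x30, b""),                   # signature AlgorithmIdentifier (placeholder)
        name(issuer),
        _der(0x30, b""),                   # validity (placeholder)
        name(subject),
        _der(0x30, b""),                   # subjectPublicKeyInfo (placeholder)
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For the hierarchy in the question, `chain_order_problems([user, sub_ca])` is empty, while adding the root at the end only produces the self-signed warning: the root must already be in the peer's trust store (via `SSL_CTX_load_verify_locations()` here), and a root the peer does not already trust cannot be made trusted by sending it. Reversing two entries reports which certificate is out of place, which is the first thing to check before suspecting the library.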