Question about SSL_CTX_load_verify_locations()
Hi,

I am using the "SSL_CTX_load_verify_locations(ssl_ctx, NULL, CApath)" function to load the CA certificates from the "CApath" directory. Since the certificates in CApath are only looked up when required, my question is: is there any OpenSSL function that can be used to load all trusted CA certificates from CApath before performing the verification of a peer certificate?

Thanks
Bob

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Question about SSL_CTX_load_verify_locations
You need to SSL_CTX_new() before using the context with SSL_CTX_load_verify_locations().

--- "Paul E. Bible" <[EMAIL PROTECTED]> wrote:
> Hi there,
>
> I'm currently working on an application that uses SSL for its Internet
> communications. In this application, I am verifying the certificates
> being used, which requires that I execute the
> SSL_CTX_load_verify_locations() method as shown below:
>
> #define CAFILE   "root.pem"
> #define CADIR    NULL
> #define CERTFILE "server.pem"
>
> SSL_CTX *setup_server_ctx()
> {
>     SSL_CTX *ctx;
>
>     *if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
>         int_error("Error loading CA file and/or directory")*;
>     if (SSL_CTX_set_default_verify_paths(ctx) != 1)
>         int_error("Error loading default CA file and/or directory");
>     ctx = SSL_CTX_new(SSLv3_method());
>     if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
>         int_error("Error loading certificate from file");
>     if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
>         int_error("Error loading private key from file");
>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
>                        verify_callback);
>     SSL_CTX_set_verify_depth(ctx, 4);
>
>     return ctx;
> }
>
> Unfortunately, when the program executes the SSL_CTX_load_verify_locations() method, a
> Segmentation Fault is signaled. I have ensured that both the root.pem and server.pem
> certificates exist and they appear to be valid (i.e., I can view them using the openssl
> command line program).
>
> My environment is Redhat Linux v7.3 with OpenSSL 0.9.6b-28.
>
> Any thoughts and/or suggestions?!?!
>
> Thank you in advance,
> Paul
Question about SSL_CTX_load_verify_locations
Hi there,

I'm currently working on an application that uses SSL for its Internet communications. In this application, I am verifying the certificates being used, which requires that I execute the SSL_CTX_load_verify_locations() method as shown below:

    #define CAFILE   "root.pem"
    #define CADIR    NULL
    #define CERTFILE "server.pem"

    SSL_CTX *setup_server_ctx()
    {
        SSL_CTX *ctx;

        *if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
            int_error("Error loading CA file and/or directory")*;
        if (SSL_CTX_set_default_verify_paths(ctx) != 1)
            int_error("Error loading default CA file and/or directory");
        ctx = SSL_CTX_new(SSLv3_method());
        if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
            int_error("Error loading certificate from file");
        if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
            int_error("Error loading private key from file");
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                           verify_callback);
        SSL_CTX_set_verify_depth(ctx, 4);

        return ctx;
    }

Unfortunately, when the program executes the SSL_CTX_load_verify_locations() method, a Segmentation Fault is signaled. I have ensured that both the root.pem and server.pem certificates exist and they appear to be valid (i.e., I can view them using the openssl command line program).

My environment is Redhat Linux v7.3 with OpenSSL 0.9.6b-28.

Any thoughts and/or suggestions?!?!

Thank you in advance,
Paul