Re: [openssl-users] Load secrets to context.
>> Scenario 1 - Failing case
>>
>> SSL_CTX_use_certificate_file() : Loaded cert_file
>> SSL_CTX_use_certificate_chain_file() : Loaded chain_file
>
> Doing this makes no sense. If you're loading the complete chain
> file, there's no reason to first load just the certificate.
>
> Just use SSL_CTX_use_certificate_chain_file(3), debugging incorrect
> usage is not a good use of time.

The best I can tell, it's not an correct configuration. The NOTES section says SSL_CTX_use_certificate_chain_file should be preferred, but it's not forbidden. Confer, https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_use_certificate.html .

Perhaps it's best to address the problem rather than attacking the user. It's OK to disregard the feedback you are getting, but please don't attack the users.

Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Load secrets to context.
On Wed, Jul 27, 2016 at 10:25:42PM +0530, john gloster wrote:

> Scenario 1 - Failing case
>
> SSL_CTX_use_certificate_file() : Loaded cert_file
> SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Doing this makes no sense. If you're loading the complete chain
file, there's no reason to first load just the certificate.

Just use SSL_CTX_use_certificate_chain_file(3), debugging incorrect
usage is not a good use of time.

--
    Viktor.

Re: [openssl-users] Load secrets to context.
On Wed, Jul 27, 2016, john gloster wrote:

> Thanks Victor.
>
> Could you explain the reason in below cases? These are in cases when we use
> both the APIs as mentioned above.
>
> cert_file : Server's certificate
> chain_file: Complete certificate chain; starting with Server's certificate,
> followed by intermediate CA certificate and ending with Root CA certificate
>
>
> Scenario 1 - Failing case
>
> SSL_CTX_use_certificate_file() : Loaded cert_file
> SSL_CTX_use_certificate_chain_file() : Loaded chain_file
>
> Test: When tried to connect to the server, only Server's certificate and
> Root CA certificate were presented in the CERTIFICATE message of the
> handshake; intermediate CA certificates were missing.
>

Do you get an error from either function? Do you get the same behaviour if you
omit SSL_CTX_use_certificate_chain_file()?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: [openssl-users] Load secrets to context.
Thanks Victor.

Could you explain the reason in below cases? These are in cases when we use both the APIs as mentioned above.

cert_file : Server's certificate
chain_file: Complete certificate chain; starting with Server's certificate, followed by intermediate CA certificate and ending with Root CA certificate

Scenario 1 - Failing case

SSL_CTX_use_certificate_file() : Loaded cert_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Test: When tried to connect to the server, only Server's certificate and Root CA certificate were presented in the CERTIFICATE message of the handshake; intermediate CA certificates were missing.

Scenario 2 - Successful case

SSL_CTX_use_certificate_file() : Loaded chain_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Test: When tried to connect to the server, complete certificate chain was presented in the CERTIFICATE message of the handshake.

On Wed, Jul 27, 2016 at 10:08 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Wed, Jul 27, 2016 at 09:28:55PM +0530, john gloster wrote:
>
> > Can we use both the following APIs in the same application to load
> > certificate to the SSL context?
> >
> > *SSL_CTX_use_certificate_file()*
> > *SSL_CTX_use_certificate_chain_file()*
>
> For any given certificate chain use either one or the other, but
> in many cases SSL_CTX_use_certificate_chain_file() is the more
> convenient choice.
>
> > If we can how to use them?
>
>     ERR_clear_error();
>     if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
>         /* Handle error */
>     }
>     if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
>         /* Handle error */
>     }
>     if (!SSL_CTX_check_private_key(ctx)) {
>         /* Handle error */
>     }
>     /* Success */
>
> See the SSL_CTX_use_certificate(3) manpage for a more detailed
> description.
>
> --
>         Viktor.

Re: [openssl-users] Load secrets to context.
On Wed, Jul 27, 2016 at 09:28:55PM +0530, john gloster wrote:

> Can we use both the following APIs in the same application to load
> certificate to the SSL context?
>
> *SSL_CTX_use_certificate_file()*
> *SSL_CTX_use_certificate_chain_file()*

For any given certificate chain use either one or the other, but
in many cases SSL_CTX_use_certificate_chain_file() is the more
convenient choice.

> If we can how to use them?

    ERR_clear_error();
    if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
        /* Handle error */
    }
    if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
        /* Handle error */
    }
    if (!SSL_CTX_check_private_key(ctx)) {
        /* Handle error */
    }
    /* Success */

See the SSL_CTX_use_certificate(3) manpage for a more detailed
description.

--
    Viktor.

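
Added example, not part of the thread and not OpenSSL code: per the SSL_CTX_use_certificate(3) manpage, SSL_CTX_use_certificate_file() loads only the first certificate in a file, while SSL_CTX_use_certificate_chain_file() takes the first certificate as the subject certificate and the rest as its chain. This libc-only preflight reports how a PEM file such as the thread's cert_file or chain_file would be partitioned; the helper pem_scan() is hypothetical and the PEM text is constructed placeholder data.

```c
#include <stdio.h>
#include <string.h>

#define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
#define END_CERT   "-----END CERTIFICATE-----"

/* Constructed samples: bodies are placeholders, not real certificates. */
static const char CERT_FILE[] =
    BEGIN_CERT "\n(server)\n" END_CERT "\n";
static const char CHAIN_FILE[] =
    BEGIN_CERT "\n(server)\n" END_CERT "\n"
    BEGIN_CERT "\n(intermediate CA)\n" END_CERT "\n"
    BEGIN_CERT "\n(root CA)\n" END_CERT "\n";

struct pem_summary {
    int certs;       /* complete CERTIFICATE blocks in the file */
    int extra_chain; /* blocks after the first; only the chain loader reads these */
    int malformed;   /* 1 if a BEGIN line has no END before the next BEGIN or EOF */
};

/* Hypothetical helper: count certificate blocks and split them into
 * "first block" (subject certificate) and "everything after it". */
struct pem_summary pem_scan(const char *pem)
{
    struct pem_summary s = {0, 0, 0};
    const char *p = pem;

    while ((p = strstr(p, BEGIN_CERT)) != NULL) {
        const char *body = p + strlen(BEGIN_CERT);
        const char *end = strstr(body, END_CERT);
        const char *next = strstr(body, BEGIN_CERT);

        if (end == NULL || (next != NULL && next < end)) {
            s.malformed = 1; /* truncated or interleaved block */
            break;
        }
        s.certs++;
        p = end + strlen(END_CERT);
    }
    s.extra_chain = s.certs > 1 ? s.certs - 1 : 0;
    return s;
}

int main(void)
{
    struct pem_summary c = pem_scan(CERT_FILE), ch = pem_scan(CHAIN_FILE);
    printf("cert_file:  leaf=%d extra=%d\n", c.certs > 0, c.extra_chain);
    printf("chain_file: leaf=%d extra=%d\n", ch.certs > 0, ch.extra_chain);
    return (c.malformed || ch.malformed) ? 1 : 0;
}
```

A file reporting extra=0 carries no intermediates, so a server loading only that file has nothing beyond the subject certificate to place in its chain.
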
[openssl-users] Load secrets to context.
Hi,

Can we use both the following APIs in the same application to load certificate to the SSL context?

*SSL_CTX_use_certificate_file()*
*SSL_CTX_use_certificate_chain_file()*

If we can how to use them?

Thanks in advance.