[openssl-users] Certificate chain validation
Lei Kong
leikong at msn.com
Sat Apr 22 00:09:11 UTC 2017
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_use_certificate.html
https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_add_extra_chain_cert.html
The linked documents didn’t say the APIs must be called on the *client* side, and it works fine in my code on both the client and server sides.
I am under the impression that there is no asymmetry in terms of *sending*-side chain building between the client and server sides; does what you said below mean the client side always sends a *partial* chain to the server side?
Thanks.
From: Salz, Rich via openssl-users<mailto:openssl-users at openssl.org>
Sent: Friday, April 21, 2017 3:37 PM
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: Re: [openssl-users] Certificate chain validation
You are asking two different questions.
The certificates that the *client* sends are specified by the various “use certificate” APIs. No chain is built. See doc/man3/SSL_CTX_use_certificate.pod, especially the “use certificate chain file” API.
As for what the *server* does, it tries to use what the client sends and build a chain up to one of the certificates that is in the local, server, trust store.
The APIs are a bit different for 1.0.2 than for 1.1.0
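The asymmetry Rich describes can be reproduced offline with the openssl command line, without a TLS handshake. The script below is an added example, not code from the original thread or from the OpenSSL project: it builds a constructed three-level PKI (root, intermediate, leaf; all names hypothetical) and then verifies the leaf the way a peer's trust store would. The sending side sends exactly what it was configured with and builds nothing; the receiving side has only the root in its store and has to build the chain from what it was sent. `openssl verify -CAfile` stands in for the receiver's trust store and `-untrusted` stands in for the certificates the sender actually put on the wire (a bare leaf, or the leaf plus intermediate that `SSL_CTX_use_certificate_chain_file` would send from a concatenated PEM file). It assumes an `openssl` binary on PATH and `mktemp`.

```shell
#!/bin/sh
# Added example: who builds the chain? The sender sends what it is told;
# the receiver builds a path from those certificates to its own anchors.
set -e

WORK="$(mktemp -d)"

# Minimal config so the script does not depend on a system openssl.cnf.
# Section names and subjects are hypothetical.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
EOF

gen_pki() {
  # Root: self-signed, the only thing the verifying side will trust.
  openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Root" -days 1 >/dev/null 2>&1

  # Intermediate: issued by the root, marked CA:TRUE so it may issue.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
    -subj "/CN=Example Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -set_serial 1 -days 1 \
    -extfile "$WORK/req.cnf" -extensions v3_ca \
    -out "$WORK/inter.pem" >/dev/null 2>&1

  # Leaf: issued by the intermediate; this is the sender's own certificate.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=client.example" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -set_serial 2 -days 1 \
    -extfile "$WORK/req.cnf" -extensions v3_leaf \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

  # What "use certificate chain file" would send: leaf first, then extras.
  cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/chain.pem"
}

# Verify the leaf against a trust store holding only the root.
# Extra arguments model what the sender put on the wire (-untrusted FILE).
# Returns 0 only when a path to the anchor was built (output ends in ": OK").
verify_with() {
  openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" 2>&1 \
    | grep -q ': OK$'
}

# Sender configured with only its leaf (SSL_CTX_use_certificate alone):
# the receiver cannot reach the root because the intermediate is missing.
verify_leaf_only() { verify_with; }

# Sender also supplied the intermediate (SSL_CTX_add_extra_chain_cert):
# the receiver builds leaf -> intermediate -> root.
verify_leaf_plus_intermediate() { verify_with -untrusted "$WORK/inter.pem"; }

# Sender configured from a concatenated PEM (use certificate chain file).
verify_chain_file() { verify_with -untrusted "$WORK/chain.pem"; }

gen_pki

if verify_leaf_only; then echo "leaf only: chain built"; else echo "leaf only: no path to root"; fi
if verify_leaf_plus_intermediate; then echo "leaf+intermediate: chain built"; else echo "leaf+intermediate: no path to root"; fi
if verify_chain_file; then echo "chain file: chain built"; else echo "chain file: no path to root"; fi
```

The point to take away is that nothing on the sending side "completes" a partial chain: if the file handed to the "use certificate" APIs lacks the intermediate, the peer sees only the leaf, and whether verification succeeds then depends entirely on whether the intermediate happens to be in the peer's trust store.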