Establishing connection errors
Jason Schultz
jetson23 at hotmail.com
Fri Nov 5 13:59:59 UTC 2021
Sorry, accidentally skipped that part, which was sort of important. I think I can use the same fix because the part I skipped is the problem:
X509 *cert;
cert = PEM_read_X509(fp, NULL, 0, NULL);
status = X509_STORE_add_cert(trusted_store,cert);
So, I need to this sequence:
X509 *empty_X509;
empty_X509 = X509_new_ex(non_fips_libctx, NULL);
mycert = PEM_read_X509(fp, &empty_X509, 0, NULL);
To set things up correct, with the appropriate library context.
My apologies, thanks for pointing out my small brain.
This could lead to some tricky changes as currently I set up the trust store before I know if the user wants FIPS or not. I may just set up two stores, or I need to change the order of how I do things.
Thanks,
Jason
________________________________
From: Tomas Mraz <tomas at openssl.org>
Sent: Friday, November 5, 2021 1:52 PM
To: Jason Schultz <jetson23 at hotmail.com>; openssl-users at openssl.org <openssl-users at openssl.org>
Subject: Re: Establishing connection errors
On Fri, 2021-11-05 at 13:48 +0000, Jason Schultz wrote:
> For setting up the trusted store, when the application starts, it
> calls:
>
> ssl_trusted_certs = X509_STORE_new()
>
> ...and then reads all of the certificates in /etc/ssl/certs/ calling
> X509_STORE_add_cert(trusted_store,cert);
>
> ..for each one.
How do you read the certs? They need to be loaded with the appropriate
libctx.
Or you can use for example X509_STORE_load_file_ex() function to load a
file directly with an libctx.
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20211105/b866f995/attachment.html>
More information about the openssl-users
mailing list