<div dir="ltr"><span style="font-size:12.8px">Hi Matt,</span><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Thank you for the response. I have attached the certificates details. My apology I am not supposed to share the certificates. We are not using <span style="font-size:12.8px">X509_VERIFY_PARAM_xxx API's. </span><span style="font-size:12.8px">We are using 4 certificates with the device.</span></div><span class="im" style="font-size:12.8px"><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">1. Root CA- Baltimore CyberTrust Root</div><div style="font-size:12.8px"><span style="font-size:12.8px">2. Intermediate CA-1 - Microsoft Internet Authority</span><br></div><div style="font-size:12.8px">3. Intermediate CA-2 - Microsoft IT SSL SHA2</div><div style="font-size:12.8px"><span style="font-size:12.8px">4. ID certificate - *.</span><a href="http://sharepoint.com/" target="_blank" style="font-size:12.8px">sharepoint.com</a><br></div><div style="font-size:12.8px"><br></div></span><div style="font-size:12.8px"><span style="font-size:12.8px">Intermediate CAs are issued by the above Root CA. </span>Issue is seen when all 4 certificates are installed. Error happens with the intermediate CA-2. check_trust returns X509_TRUST_UNTRUSTED. <span style="font-size:12.8px">However if I do not install intermediate CA-2 things works fine.</span></div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">Any help is well appreciated.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px"><span style="font-size:12.8px">Regards</span></div><div style="font-size:12.8px"><span style="font-size:12.8px">Jayalakshmi</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <span dir="ltr"><<a href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On 16/11/15 06:52, Jayalakshmi bhat wrote:<br>
> Hi Victor,<br>
><br>
> Thanks a lot for details explanation.<br>
><br>
> Our device acts as TLS/SSL client. The device receives chain of<br>
> certificates as part of SSL handshake, when it is trying to get<br>
> connected to TLS/SSL server like sharepoint 365.<br>
><br>
</span>> While validating the certificate chain from server, "*check_trust"<br>
> *fails with X509_V_ERR_CERT_UNTRUSTED.<br>
<span class="">><br>
> This had been working fine with OpenSSL 1.0.1c.<br>
><br>
> When I checked the code execution, check_trust was not being called in<br>
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.<br>
><br>
> That is why I wanted to know is it mandatory for the applications to<br>
> set X509_VERIFY_PARAM in X509_STORE_CTX<br>
<br>
<br>
</span>Are you able to share the certificates that the server provides you<br>
with? Also the root certificate you are using.<br>
<br>
It is not mandatory to set X509_VERIFY_PARAMs (but typically you at<br>
least want to verify the hostname through a call to<br>
"X509_VERIFY_PARAM_set1_host"). Are you currently do anything like this?<br>
<span class="HOEnZb"><font color="#888888"><br>
Matt<br>
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div>