<div dir="ltr">Hi Victor,<div><br></div><div>First thing kindly note that I am talking about <b>OpenSSL-1.0.1c</b> not about OpenSSL 1.0.2c. </div><div><br></div><div>So far we were using <b>OpenSSL-1.0.1c</b> and server validation was working fine.<b> </b>Recently we upgraded the OpenSSL library to <b>OpenSSL-1.0.2d. </b></div><div><b><br></b></div><div>Also we have not done any modification to the SSL client application that is using the OpenSSL library. </div><div><br></div><div>We started seeing server certificate validation failures only for chain of certificate i.e. roota->intermediate ca->id certificate. </div><div><br></div><div>We are not seeing any issues when only rootca->cerificate is used.</div><div><br></div><div><br></div><div>Regards</div><div>Jayalakshmi</div><div><b><br></b></div><div><br></div><div><b><br></b></div><div><br></div><div>Regards</div><div>Jayalakshmi</div><div><b><br></b></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Nov 16, 2015 at 12:35 PM, Viktor Dukhovni <span dir="ltr"><<a href="mailto:openssl-users@dukhovni.org" target="_blank">openssl-users@dukhovni.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote:<br>
<br>
> > You should probably explain what you're doing, and in what way OpenSSL 1.0.2<br>
> > (all upstream versions) is not working the way you expect.<br>
<br>
</span><span class="">On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:<br>
<br>
> Our device acts as TLS/SSL client. The device receives chain of<br>
> certificates as part of SSL handshake, when it is trying to get connected<br>
> to TLS/SSL server like sharepoint 365.<br>
<br>
</span>This is not a plausibly detailed explanation of how you're using<br>
OpenSSL in your device.<br>
<br>
> While validating the certificate chain from server, "*check_trust" *fails<br>
> with X509_V_ERR_CERT_UNTRUSTED.<br>
<br>
OpenSSL 1.0.2 is broadly used, with no similar problem reports.<br>
You're probably doing something atypical, and need to explain in<br>
technical detail how you're configuring certificate verification.<br>
<span class=""><br>
> This had been working fine with OpenSSL 1.0.1c.<br>
<br>
</span>You can download <a href="http://openssl.org/source/old/1.0.2/openssl-1.0.2c.tar.gz" rel="noreferrer" target="_blank">http://openssl.org/source/old/1.0.2/openssl-1.0.2c.tar.gz</a><br>
for yourself and check that the code you claim to make the difference<br>
is simply not there. If 1.0.2c is working and 1.0.2d is not, either<br>
you're using a modified 1.0.2c (seek support from whoever made the<br>
changes) or the problem lies elsewhere.<br>
<span class=""><br>
> When I checked the code execution, check_trust was not being called in<br>
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.<br>
<br>
</span>This is simply irrelevant, the change in question predates the<br>
1.0.2 base version.<br>
<span class=""><br>
> That is why I wanted to know is it mandatory for the applications to<br>
> set X509_VERIFY_PARAM in X509_STORE_CTX<br>
<br>
</span>The question has a false premise and so makes no sense. Rather<br>
you need to forget about (param->trust) and focus on why your<br>
application is failing to verify the peer certificate.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Viktor.<br>
_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div>