<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Could it be because your CA-2 has the following: Extended Key Usage - Client Authentication, Server Authentication?</div><div class=""><br class=""></div><div class="">Some fields that in general only apply to end certificates, e.g. name constraints, when used in a CA certificate, are interpreted as constraints on the certificates that can be issued by that CA.</div><div class=""><br class=""></div><div class=""> Erik Tkal</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><div><div class="">On Nov 16, 2015, at 11:48 AM, Jayalakshmi bhat <<a href="mailto:bhat.jayalakshmi@gmail.com" class="">bhat.jayalakshmi@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><span style="font-size:12.8px" class="">Hi Matt,</span><div style="font-size:12.8px" class=""><br class=""></div><div style="font-size:12.8px" class="">Thank you for the response. I have attached the certificates details. My apology I am not supposed to share the certificates. We are not using <span style="font-size:12.8px" class="">X509_VERIFY_PARAM_xxx API's. </span><span style="font-size:12.8px" class="">We are using 4 certificates with the device.</span></div><span class="im" style="font-size:12.8px"><div style="font-size:12.8px" class=""><br class=""></div><div style="font-size:12.8px" class="">1. Root CA- Baltimore CyberTrust Root</div><div style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">2. Intermediate CA-1 - Microsoft Internet Authority</span><br class=""></div><div style="font-size:12.8px" class="">3. Intermediate CA-2 - Microsoft IT SSL SHA2</div><div style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">4. ID certificate - *.</span><a href="http://sharepoint.com/" target="_blank" style="font-size:12.8px" class="">sharepoint.com</a><br class=""></div><div style="font-size:12.8px" class=""><br class=""></div></span><div style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">Intermediate CAs are issued by the above Root CA. </span>Issue is seen when all 4 certificates are installed. Error happens with the intermediate CA-2. check_trust returns X509_TRUST_UNTRUSTED. <span style="font-size:12.8px" class="">However if I do not install intermediate CA-2 things works fine.</span></div><div style="font-size:12.8px" class=""><br class=""></div><div style="font-size:12.8px" class="">Any help is well appreciated.</div><div style="font-size:12.8px" class=""><br class=""></div><div style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">Regards</span></div><div style="font-size:12.8px" class=""><span style="font-size:12.8px" class="">Jayalakshmi</span></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <span dir="ltr" class=""><<a href="mailto:matt@openssl.org" target="_blank" class="">matt@openssl.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br class="">
<br class="">
On 16/11/15 06:52, Jayalakshmi bhat wrote:<br class="">
> Hi Victor,<br class="">
><br class="">
> Thanks a lot for details explanation.<br class="">
><br class="">
> Our device acts as TLS/SSL client. The device receives chain of<br class="">
> certificates as part of SSL handshake, when it is trying to get<br class="">
> connected to TLS/SSL server like sharepoint 365.<br class="">
><br class="">
</span>> While validating the certificate chain from server, "*check_trust"<br class="">
> *fails with X509_V_ERR_CERT_UNTRUSTED.<br class="">
<span class="">><br class="">
> This had been working fine with OpenSSL 1.0.1c.<br class="">
><br class="">
> When I checked the code execution, check_trust was not being called in<br class="">
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.<br class="">
><br class="">
> That is why I wanted to know is it mandatory for the applications to<br class="">
> set X509_VERIFY_PARAM in X509_STORE_CTX<br class="">
<br class="">
<br class="">
</span>Are you able to share the certificates that the server provides you<br class="">
with? Also the root certificate you are using.<br class="">
<br class="">
It is not mandatory to set X509_VERIFY_PARAMs (but typically you at<br class="">
least want to verify the hostname through a call to<br class="">
"X509_VERIFY_PARAM_set1_host"). Are you currently do anything like this?<br class="">
<span class="HOEnZb"><font color="#888888" class=""><br class="">
Matt<br class="">
</font></span><div class="HOEnZb"><div class="h5">_______________________________________________<br class="">
openssl-users mailing list<br class="">
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class="">
</div></div></blockquote></div><br class=""></div>
<span id="cid:A194F312-5C1C-40FA-90DA-CC115082CA05@cisco.com"><certificates.txt></span>_______________________________________________<br class="">openssl-users mailing list<br class="">To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" class="">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br class=""></div></div><br class=""></body></html>