<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">
<p>At most one of CA-1 and CA-2 would be part of the chain from
Baltimore to the end cert.<br>
</p>
<p>However, your end cert (apparently for hosted SharePoint
services) was issued by a 3rd MSIT CA that was not provided. If
it wasn't provided to the code either, the chain would not
validate for that reason alone.<br>
</p>
<p>I also note that none of the certs in the chain contain any
Authority Information Access (AIA) extension (issuer certificate
download URL and OCSP URL), only a CRL URL extension, which
wouldn't be normal MS practice (certificate revocation cannot be
detected by some browsers that use only OCSP, and the automatic
certificate download done by some Microsoft Windows Security
Support Providers (such as CredSSP) won't work).<br>
</p>
<p>Oh and you are not posting from an official Microsoft e-mail
address either.<br>
</p>
<p>Something seems very odd here.<br>
</p>
On 16/11/2015 17:48, Jayalakshmi bhat wrote:<br>
</div>
<blockquote class=" cite"
id="mid_CALq8RvLm9q6oFdEyDLJpAogK_Q6QAav_H_AbWupsdCMzOL830Q_mail_gmail_com"
cite="mid:CALq8RvLm9q6oFdEyDLJpAogK+Q6QAav_H+AbWupsdCMzOL830Q@mail.gmail.com"
type="cite">
<div dir="ltr"><span style="font-size:12.8px">Hi Matt,</span>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Thank you for the response. I have
attached the certificate details. My apologies, I am not
supposed to share the certificates. We are not using the <span
style="font-size:12.8px">X509_VERIFY_PARAM_xxx APIs. </span><span
style="font-size:12.8px">We are using 4 certificates with
the device.</span></div>
<span class="im" style="font-size:12.8px">
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">1. Root CA- Baltimore CyberTrust
Root</div>
<div style="font-size:12.8px"><span style="font-size:12.8px">2.
Intermediate CA-1 - Microsoft Internet Authority</span><br>
</div>
<div style="font-size:12.8px">3. Intermediate CA-2 - Microsoft
IT SSL SHA2</div>
<div style="font-size:12.8px"><span style="font-size:12.8px">4.
ID certificate - *.</span><a moz-do-not-send="true"
href="http://sharepoint.com/" target="_blank"
style="font-size:12.8px">sharepoint.com</a><br>
</div>
<div style="font-size:12.8px"><br>
</div>
</span>
<div style="font-size:12.8px"><span style="font-size:12.8px">Intermediate
CAs are issued by the above Root CA. </span>The issue is seen
when all 4 certificates are installed. The error happens with
intermediate CA-2: check_trust returns X509_TRUST_UNTRUSTED. <span
style="font-size:12.8px">However, if I do not install
intermediate CA-2, things work fine.</span></div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px">Any help is well appreciated.</div>
<div style="font-size:12.8px"><br>
</div>
<div style="font-size:12.8px"><span style="font-size:12.8px">Regards</span></div>
<div style="font-size:12.8px"><span style="font-size:12.8px">Jayalakshmi</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Nov 16, 2015 at 2:52 PM, Matt
Caswell <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:matt@openssl.org" target="_blank">matt@openssl.org</a>></span>
wrote:<br>
<blockquote id="Cite_7427298" class="gmail_quote cite"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span class=""><br>
<br>
On 16/11/15 06:52, Jayalakshmi bhat wrote:<br>
> Hi Victor,<br>
><br>
> Thanks a lot for the detailed explanation.<br>
><br>
> Our device acts as a TLS/SSL client. The device
receives a chain of<br>
> certificates as part of the SSL handshake when it is
trying to<br>
> connect to a TLS/SSL server like SharePoint 365.<br>
><br>
</span>> While validating the certificate chain from
the server, "check_trust"<br>
> fails with X509_V_ERR_CERT_UNTRUSTED.<br>
<span class="">><br>
> This had been working fine with OpenSSL 1.0.1c.<br>
><br>
> When I checked the code execution, check_trust was
not being called in<br>
> OpenSSL 1.0.1c as "if (param->trust > 0)" was
not satisfied.<br>
><br>
> That is why I wanted to know whether it is mandatory for
applications to<br>
> set X509_VERIFY_PARAM in X509_STORE_CTX<br>
<br>
<br>
</span>Are you able to share the certificates that the
server provides you<br>
with? Also the root certificate you are using.<br>
<br>
It is not mandatory to set X509_VERIFY_PARAMs (but typically
you at<br>
least want to verify the hostname through a call to<br>
"X509_VERIFY_PARAM_set1_host"). Are you currently doing
anything like this?<br>
</blockquote>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="https://www.wisemo.com">https://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
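<p>Added illustration, not code from this thread or from OpenSSL: the Go standard library's crypto/x509 reproduces the two checks Matt and Jakob discuss. A constructed root signs sibling intermediates CA-1 and CA-2, only CA-1 issues a wildcard leaf, and verifyChain then shows that the chain fails as "unknown authority" when the issuing intermediate is not supplied, passes without any name check when no host is given, and gains the hostname check that X509_VERIFY_PARAM_set1_host turns on in OpenSSL once a host is passed. All names, keys and the example.test domain are constructed for this example.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate signed by parent (self-signed when parent is nil).
func mkCert(cn string, ku x509.KeyUsage, dns []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: sn, Subject: pkix.Name{CommonName: cn}, DNSNames: dns, // SANs are where name checks look
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, KeyUsage: ku, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// buildChain models the thread: the root signs sibling intermediates CA-1 and CA-2; only CA-1 issues the leaf.
func buildChain() (root, ca1, ca2, leaf *x509.Certificate) {
	root, rk := mkCert("Constructed Root", x509.KeyUsageCertSign, nil, nil, nil)
	ca1, k1 := mkCert("Constructed CA-1", x509.KeyUsageCertSign, nil, root, rk)
	ca2, _ = mkCert("Constructed CA-2", x509.KeyUsageCertSign, nil, root, rk)
	leaf, _ = mkCert("*.example.test", x509.KeyUsageDigitalSignature, []string{"*.example.test"}, ca1, k1)
	return
}

// verifyChain is the Go analogue of X509_verify_cert. A non-empty host adds the hostname check that
// X509_VERIFY_PARAM_set1_host enables in OpenSSL; with host == "" only the chain is checked, not the name.
func verifyChain(leaf, root *x509.Certificate, inters []*x509.Certificate, host string) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c) // the intermediates the server sent (or the device installed)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: host})
	return err
}
```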
</body>
</html>