<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">
<p>Probably not, that constraint is satisfied since this is
SSL/TLS and the end cert has that same EKU.</p>
On 16/11/2015 22:37, E T wrote:<br>
</div>
<blockquote class=" cite"
id="mid_00EEC723_F129_4B6D_BB07_5EB350440A5C_gmail_com"
cite="mid:00EEC723-F129-4B6D-BB07-5EB350440A5C@gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div class="">Could it be because your CA-2 has the following:
Extended Key Usage - Client Authentication, Server
Authentication?</div>
<div class=""><br class="">
</div>
<div class="">Some fields that in general only apply to end
certificates, e.g. name constraints, when used in a CA
certificate, are interpreted as constraints on the certificates
that can be issued by that CA.</div>
<div class=""><br class="">
</div>
<br>
<div>
<div class="">On Nov 16, 2015, at 11:48 AM, Jayalakshmi bhat
<<a moz-do-not-send="true"
href="mailto:bhat.jayalakshmi@gmail.com" class="">bhat.jayalakshmi@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class=""><span style="font-size:12.8px"
class="">Hi Matt,</span>
<div style="font-size:12.8px" class=""><br class="">
</div>
<div style="font-size:12.8px" class="">Thank you for the
response. I have attached the certificate details. My
apologies, I am not supposed to share the certificates. We
are not using the <span style="font-size:12.8px" class="">X509_VERIFY_PARAM_xxx
APIs. </span><span style="font-size:12.8px" class="">We
are using 4 certificates with the device.</span></div>
<span class="im" style="font-size:12.8px">
<div style="font-size:12.8px" class=""><br class="">
</div>
<div style="font-size:12.8px" class="">1. Root
CA- Baltimore CyberTrust Root</div>
<div style="font-size:12.8px" class=""><span
style="font-size:12.8px" class="">2. Intermediate CA-1
- Microsoft Internet Authority</span><br class="">
</div>
<div style="font-size:12.8px" class="">3. Intermediate
CA-2 - Microsoft IT SSL SHA2</div>
<div style="font-size:12.8px" class=""><span
style="font-size:12.8px" class="">4. ID certificate
- *.</span><a moz-do-not-send="true"
href="http://sharepoint.com/" target="_blank"
style="font-size:12.8px" class="">sharepoint.com</a><br
class="">
</div>
<div style="font-size:12.8px" class=""><br class="">
</div>
</span>
<div style="font-size:12.8px" class=""><span
style="font-size:12.8px" class="">The intermediate CAs are
issued by the above Root CA. </span>The issue is seen when
all 4 certificates are installed. The error happens with
intermediate CA-2: check_trust returns
X509_TRUST_UNTRUSTED. <span style="font-size:12.8px"
class="">However, if I do not install intermediate CA-2,
things work fine.</span></div>
<div style="font-size:12.8px" class=""><br class="">
</div>
<div style="font-size:12.8px" class="">Any help is well
appreciated.</div>
<div style="font-size:12.8px" class=""><br class="">
</div>
<div style="font-size:12.8px" class=""><span
style="font-size:12.8px" class="">Regards</span></div>
<div style="font-size:12.8px" class=""><span
style="font-size:12.8px" class="">Jayalakshmi</span></div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Mon, Nov 16, 2015 at 2:52 PM,
Matt Caswell <span dir="ltr" class=""><<a
moz-do-not-send="true" href="mailto:matt@openssl.org"
target="_blank" class=""><a class="moz-txt-link-abbreviated" href="mailto:matt@openssl.org">matt@openssl.org</a></a>></span>
wrote:<br class="">
<blockquote id="Cite_3150833" class="gmail_quote cite"
style="margin:0 0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex"><span class=""><br class="">
<br class="">
On 16/11/15 06:52, Jayalakshmi bhat wrote:<br class="">
> Hi Victor,<br class="">
><br class="">
> Thanks a lot for the detailed explanation.<br class="">
><br class="">
> Our device acts as a TLS/SSL client. The device
receives a chain of<br class="">
> certificates as part of the SSL handshake when it is
trying to<br class="">
> connect to a TLS/SSL server like SharePoint 365.<br
class="">
><br class="">
</span>> While validating the certificate chain from the
server, "check_trust"<br class="">
> fails with X509_V_ERR_CERT_UNTRUSTED.<br class="">
<span class="">><br class="">
> This had been working fine with OpenSSL 1.0.1c.<br
class="">
><br class="">
> When I checked the code execution, check_trust
was not being called in<br class="">
> OpenSSL 1.0.1c as "if (param->trust > 0)"
was not satisfied.<br class="">
><br class="">
> That is why I wanted to know whether it is mandatory for
applications to<br class="">
> set X509_VERIFY_PARAM in X509_STORE_CTX<br
class="">
<br class="">
<br class="">
</span>Are you able to share the certificates that the
server provides you<br class="">
with? Also the root certificate you are using.<br
class="">
<br class="">
It is not mandatory to set X509_VERIFY_PARAMs (but
typically you at<br class="">
least want to verify the hostname through a call to<br
class="">
"X509_VERIFY_PARAM_set1_host"). Are you currently doing
anything like this?<br class="">
</blockquote>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. <a class="moz-txt-link-freetext" href="https://www.wisemo.com">https://www.wisemo.com</a>
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded </pre>
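<p>Added example (not part of the thread and not OpenSSL's own code): a throwaway root/intermediate/leaf chain built with the openssl CLI, where the intermediate carries the serverAuth and clientAuth EKU like CA-2 above, then verified with the purpose and hostname checks the thread discusses. All subject names, hostnames and file paths are constructed for the demo; it assumes the openssl command-line tool is installed.</p>

```shell
#!/bin/sh
# Added demo (not the thread's code): a throwaway root -> intermediate -> leaf
# chain where the intermediate carries EKU serverAuth,clientAuth like the
# thread's CA-2. Names and paths are constructed; needs the openssl CLI.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# v3 extensions per certificate (top-level keys form the "default" section
# that `openssl x509 -extfile` reads when no -extensions is given)
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' > root.ext
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'extendedKeyUsage=serverAuth,clientAuth' > inter.ext
printf '%s\n' 'basicConstraints=CA:FALSE' \
  'extendedKeyUsage=serverAuth' \
  'subjectAltName=DNS:www.example.test' > leaf.ext

# key + CSR for each subject (constructed names)
mk_csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
             -out "$1.csr" -subj "$2" 2>/dev/null; }
mk_csr root  "/CN=Demo Root"
mk_csr inter "/CN=Demo Intermediate CA"
mk_csr leaf  "/CN=www.example.test"

# sign: root self-signed, inter by root, leaf by inter
openssl x509 -req -days 2 -in root.csr -signkey root.key \
  -extfile root.ext -out root.pem 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile inter.ext -out inter.pem 2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_chain PURPOSE HOST: the root is the only trust anchor, the intermediate
# is supplied as untrusted (as a TLS server would send it); -verify_hostname is
# the CLI counterpart of X509_VERIFY_PARAM_set1_host. Prints ok or fail.
verify_chain() {
  if openssl verify -CAfile root.pem -untrusted inter.pem -purpose "$1" \
       -verify_hostname "$2" leaf.pem >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

verify_chain sslserver www.example.test   # ok: leaf and intermediate both allow serverAuth
verify_chain sslclient www.example.test   # fail: leaf lacks clientAuth
verify_chain sslserver other.example.test # fail: hostname mismatch
```

The first call is the situation Jakob describes: an EKU on the intermediate is harmless as long as the end-entity certificate's purpose is covered by it.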
</body>
</html>