<div dir="ltr">Thanks Victor.<div><br></div><div>Could you explain the reason in below cases? These are in cases when we use both the APIs as mentioned above.</div><div><br></div><div>cert_file : Server's certifcate</div><div>chain_file: Complete certificate chain; starting with Server's certifcate, followed by intermediate CA certificate and ending with Root CA certificate</div><div><br></div><div><br></div><div>Scenario 1 - Failing case</div><div><br></div><div><span style="font-size:12.8000001907349px">SSL_CTX_use_certificate_file(</span><span style="font-size:12.8000001907349px">) : Loaded cert_file</span><br></div><div><span style="font-size:12.8000001907349px">SSL_CTX_use_certificate_</span><span style="font-size:12.8000001907349px">chain_file() : Loaded </span>chain_file<span style="font-size:12.8000001907349px"><br></span></div><div><br></div><div>Test: When tried to connect to the server, only Server's certificate and Root CA certificate were presented in the CERTIFICATE message of the handshake; intermediate CA certificates were missing.</div><div><br></div><div><div>Scenario 2 - Successful case</div><div><br></div><div><span style="font-size:12.8000001907349px">SSL_CTX_use_certificate_file(</span><span style="font-size:12.8000001907349px">) : Loaded chain_file</span><br></div><div><span style="font-size:12.8000001907349px">SSL_CTX_use_certificate_</span><span style="font-size:12.8000001907349px">chain_file() : Loaded </span>chain_file<span style="font-size:12.8000001907349px"><br></span></div><div><br></div><div>Test: When tried to connect to the server, complete certificate chain was presented in the CERTIFICATE message of the handshake.</div></div><div><br></div><div><span style="font-size:12.8000001907349px"><br></span></div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 27, 2016 at 10:08 PM, Viktor Dukhovni <span dir="ltr"><<a href="mailto:openssl-users@dukhovni.org" target="_blank">openssl-users@dukhovni.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, Jul 27, 2016 at 09:28:55PM +0530, john gloster wrote:<br>
<br>
> Can we use both the following APIs in the same application to load<br>
> certificate to the SSL context?<br>
><br>
</span>> *SSL_CTX_use_certificate_file()*<br>
> *SSL_CTX_use_certificate_chain_file()*<br>
<br>
For any given certificate chain use either one or the other, but<br>
in many cases SSL_CTX_use_certificate_chain_file() is the more<br>
convenient choice.<br>
<span class=""><br>
> If we can how to use them?<br>
<br>
</span> ERR_clear_error();<br>
if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {<br>
/* Handle error */<br>
}<br>
if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {<br>
/* Handle error */<br>
}<br>
if (!SSL_CTX_check_private_key(ctx)) {<br>
/* Handle error */<br>
}<br>
/* Success */<br>
<br>
See the SSL_CTX_use_certificate(3) manpage for a more detailed<br>
description.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Viktor.<br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</font></span></blockquote></div><br></div>