[openssl-users] SSL_CTX_load_verify_locations only with CAPath

Dr. Roger Cuypers roger.cuypers at technisat.de
Fri Jul 3 15:01:08 UTC 2015


Hello there,

I'm trying to do peer client verification using the SSL_CTX_load_verify_locations function in conjunction with the SSL_get_peer_certificate and SSL_get_verify_result functions. If I make the SSL_get_verify_result call this way, setting CAFile, it will work for me:

SSL_CTX_load_verify_locations( sslContext, "D:\\certs\\-.wikipedia.org.crt", NULL );

However, setting only CAPath will not:

SSL_CTX_load_verify_locations( sslContext, NULL, "D:\\certs" );

This will result in an X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY error.

The cert directory D:\\certs looks like this:

-.wikipedia.org.crt
ca_client.jks
ca_server.jks

My expectation would be that the library uses -.wikipedia.org.crt, as it is the only certificate available. Or am I doing something wrong?

API is openssl-1.0.2c.

Regards
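
The CApath behaviour in question, as an added example that is not part of the original post: OpenSSL looks up issuers in a CApath directory by file name, <subject-hash>.N, so a certificate stored under any other name is not found until a hashed copy or link exists (the c_rehash script creates these). The script assumes a POSIX shell with the openssl command-line tool, uses a constructed throwaway CA and leaf certificate, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed throwaway CA and leaf, not certificates from the post.

# make_fixture DIR: create DIR/certs/ca.crt (test CA) and DIR/leaf.crt signed by it.
make_fixture() {
    mkdir -p "$1/certs" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/certs/ca.crt" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/certs/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 2 -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# verify_with_capath CAPATH CERT: succeed only if openssl reports "CERT: OK".
verify_with_capath() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# install_hashed CAPATH CERT: copy CERT to CAPATH/<subject-hash>.N, the name
# the directory lookup searches for. A copy is used instead of a symlink so
# the same layout works on filesystems without symlinks.
install_hashed() {
    h=$(openssl x509 -noout -subject_hash -in "$2") || return 1
    n=0
    while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done   # next free suffix
    cp "$2" "$1/$h.$n" && echo "$h.$n"
}

capath_demo() {
    work=$(mktemp -d) || return 1
    make_fixture "$work" || { rm -rf "$work"; return 1; }
    if verify_with_capath "$work/certs" "$work/leaf.crt"; then
        echo "before hashing: OK (unexpected)"
    else
        echo "before hashing: issuer not found in $work/certs"
    fi
    name=$(install_hashed "$work/certs" "$work/certs/ca.crt")
    if verify_with_capath "$work/certs" "$work/leaf.crt"; then
        echo "after adding $name: OK"
    fi
    rm -rf "$work"
}

capath_demo
```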