[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates
matt at openssl.org
Mon Nov 16 09:22:38 UTC 2015
On 16/11/15 06:52, Jayalakshmi bhat wrote:
> Hi Victor,
> Thanks a lot for details explanation.
> Our device acts as TLS/SSL client. The device receives chain of
> certificates as part of SSL handshake, when it is trying to get
> connected to TLS/SSL server like sharepoint 365.
> While validating the certificate chain from server, "*check_trust"
> *fails with X509_V_ERR_CERT_UNTRUSTED.
> This had been working fine with OpenSSL 1.0.1c.
> When I checked the code execution, check_trust was not being called in
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> That is why I wanted to know is it mandatory for the applications to
> set X509_VERIFY_PARAM in X509_STORE_CTX
Are you able to share the certificates that the server provides you
with? Also the root certificate you are using.
It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
least want to verify the hostname through a call to
"X509_VERIFY_PARAM_set1_host"). Are you currently do anything like this?
More information about the openssl-users