[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

Matt Caswell matt at openssl.org
Mon Nov 16 09:22:38 UTC 2015

On 16/11/15 06:52, Jayalakshmi bhat wrote:
> Hi Victor,  
> Thanks a lot for details explanation.
> Our device acts as TLS/SSL client.  The device receives chain of
> certificates as part of SSL handshake, when it is trying to get
> connected to TLS/SSL server like sharepoint 365.
> While validating the certificate chain from server, "*check_trust"
> *fails with X509_V_ERR_CERT_UNTRUSTED. 
> This had been working fine with OpenSSL 1.0.1c. 
> When I checked the code execution, check_trust was not being called  in
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> That is why I wanted to know is it mandatory for the applications to

Are you able to share the certificates that the server provides you
with? Also the root certificate you are using.

It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
least want to verify the hostname through a call to
"X509_VERIFY_PARAM_set1_host"). Are you currently do anything like this?


More information about the openssl-users mailing list