[openssl-users] OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

E T etksubs at gmail.com
Mon Nov 16 21:37:02 UTC 2015

Could it be because your CA-2 has the following: Extended Key Usage - Client Authentication, Server Authentication?

Some fields that in general only apply to end certificates, e.g. name constraints, when used in a CA certificate, are interpreted as constraints on the certificates that can be issued by that CA.

  Erik Tkal

On Nov 16, 2015, at 11:48 AM, Jayalakshmi bhat <bhat.jayalakshmi at gmail.com> wrote:

Hi Matt,

Thank you for the response. I have attached the certificates details. My apologies, I am not supposed to share the certificates. We are not using X509_VERIFY_PARAM_xxx APIs. We are using 4 certificates with the device.

1. Root CA- Baltimore CyberTrust Root
2. Intermediate CA-1 - Microsoft Internet Authority
3. Intermediate CA-2 - Microsoft IT SSL SHA2
4. ID certificate - *.sharepoint.com

Intermediate CAs are issued by the above Root CA. Issue is seen when all 4 certificates are installed. Error happens with the intermediate CA-2. check_trust returns X509_TRUST_UNTRUSTED. However, if I do not install intermediate CA-2 things work fine.

Any help is well appreciated.


On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <matt at openssl.org> wrote:

On 16/11/15 06:52, Jayalakshmi bhat wrote:
> Hi Victor,
> Thanks a lot for the detailed explanation.
> Our device acts as TLS/SSL client.  The device receives chain of
> certificates as part of SSL handshake, when it is trying to get
> connected to TLS/SSL server like sharepoint 365.
> While validating the certificate chain from server, "check_trust"
> fails with X509_V_ERR_CERT_UNTRUSTED.
> This had been working fine with OpenSSL 1.0.1c.
> When I checked the code execution, check_trust was not being called in
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> That is why I wanted to know is it mandatory for the applications to

Are you able to share the certificates that the server provides you
with? Also the root certificate you are using.

It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
least want to verify the hostname through a call to
"X509_VERIFY_PARAM_set1_host"). Are you currently doing anything like this?

openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
