Establishing connection errors

Jason Schultz jetson23 at
Fri Nov 5 13:59:59 UTC 2021

Sorry, accidentally skipped that part, which was sort of important. I think I can use the same fix because the part I skipped is the problem:

X509          *cert;
cert = PEM_read_X509(fp, NULL, 0, NULL);
status = X509_STORE_add_cert(trusted_store,cert);

So, I need to this sequence:

X509 *empty_X509;
empty_X509 = X509_new_ex(non_fips_libctx, NULL);
mycert = PEM_read_X509(fp, &empty_X509, 0, NULL);

To set things up correct, with the appropriate library context.

My apologies, thanks for pointing out my small brain.

This could lead to some tricky changes as currently I set up the trust store before I know if the user wants FIPS or not. I may just set up two stores, or I need to change the order of how I do things.



From: Tomas Mraz <tomas at>
Sent: Friday, November 5, 2021 1:52 PM
To: Jason Schultz <jetson23 at>; openssl-users at <openssl-users at>
Subject: Re: Establishing connection errors

On Fri, 2021-11-05 at 13:48 +0000, Jason Schultz wrote:
> For setting up the trusted store, when the application starts, it
> calls:
> ssl_trusted_certs = X509_STORE_new()
> ...and then reads all of the certificates in /etc/ssl/certs/ calling

> X509_STORE_add_cert(trusted_store,cert);
> ..for each one.

How do you read the certs? They need to be loaded with the appropriate

Or you can use for example X509_STORE_load_file_ex() function to load a
file directly with an libctx.

Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list