openssl certificate verification question

Thu, 16 Aug 2007 12:50:34 -0700 

dear list,
i'm having a real adventure trying to get gsoap & openssl to behave consistently and i would appreciate some pointers before i run out of hair completely. 


i'm on MacOS X 10.4.9 but i shifted over to Linux Fedora Core 2 
because debugging on the Mac is impossible thanks to the linker's 
insistence on linking the dylib version of the SSL library instead of 
the one i built from scratch and linked the program against. sigh. i 
have openssl 0.9.8a.



initially my symptoms were that memory allocation routines were 
failing inside ssl23_connect(). i eventually tracked this down to the 
optimiser being a bit over-enthusiastic (on *both* platforms, maybe 
this is a wide-spread GCC problem), and after rebuilding the openssl 
library with the -O3 flag turned off, i get no weird problems like 
that - but i'm now getting certificate verification errors.



my next step was to extract the openssl calls that gsoap was making 
and put them in a micro-app. the source for this app, which is 
definitely hacky test app code IYKWIM, is here -


http://www.redfish.net/ssl2_safe.c


- i've taken out the name of the server i'm connecting to because i 
work for a stealth mode startup.



anyway, the micro-app works fine and can happily read & write content 
over the SSL connection. running through the two apps with the 
debugger, it seems like the ssl3_get_server_certificate() routine 
errors out in the real program, but is happy in the micro-app. i 
should also say here that all the browsers i know of, and the Windows 
version of this application, and our Java webservices clients, are 
all 100% happy with the certificate setup on the server.



so my question is -- could gsoap be doing some openssl setup 
somewhere that affects whether the certificate passes muster? under 
what circumstances could a certificate be OK to one openssl client 
but not another? is there a "strictness" control i could manipulate?


thanks much for any help with this.

jason

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]














    











					Reply via email to