On 8/3/12, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Aug 03, 2012, Saurabh Pandya wrote:
>
>> Hi all,
>>
>> I am using server certificate "X" programmatically with the following API for
>> each SSL * session. X is dynamically generated for each client, while its CA(s)
>> are always the same.
>>
>> SSL_use_certificate(this_ssl, X);
>>
>> It works fine when there is a single CA certificate "A" who signs "X",
>> but when I want to use intermediate CA "B", child of "A", then
>> I am sure the above API won't work.
>>
>> To make it work I found the following APIs in the documentation.
>> 1) int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file);
>> 2) long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509)
>> 3) int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
>>
>> But it seems 1 & 2 both work only on SSL_CTX *, while I need an API that works on
>> SSL *, as I want to give a different certificate chain to each client.
>>
>> And 3 won't be applicable for me as I am loading certificates from memory
>> and not from a file.
>>
>> Does anybody have any idea how to load several certificates into SSL *ssl, to
>> form a complete chain (note: I have all my CA certificates "A" and "B" in
>> memory)?
>>
>
> For currently released versions of OpenSSL this isn't possible directly: there
> is one chain of extra certificates which is associated with the parent SSL_CTX.
>
> The latest HEAD code supports per SSL chains and indeed distinct chains per
> certificate type. That functionality will most likely be ported to OpenSSL
> 1.0.2 at some point before it is released.
Better to hear that support is likely to come with the next versions.
Currently I managed with "long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509)",
but it's applicable to the whole SSL_CTX, and not per SSL *.
Better to wait till the next version.

Thanks,
Saurabh

> For released versions of OpenSSL there is a workaround to add all the CA
> certificates you might need to the parent SSL_CTX trusted store. Then when a
> connection is established the chain is built up automatically using the
> correct chain.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org