Pls, see my comments below.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Friday, January 18, 2013 7:55 PM
To: openssl-users@openssl.org
Subject: RE: Openssl server certificates validation error

>From: owner-openssl-us...@openssl.org On Behalf Of Hazrat Shah
>Sent: Friday, 18 January, 2013 17:54

>I am having a problem with server certificate verification; the
>SSL_get_verify_result() returns Error code 20.
>I add a (xx.cert) file to the Windows certificate store as follows.<snip>
>On OpenSSL startup, the file is read from the Windows certificate store and
>saved into the X509 certificate store. <snip>

Is that X509_STORE *the* store in the (relevant) SSL_CTX?
[HS] Yes

What cert is xx.cert?
[HS] xx.cert is a self-signed certificate file generated in Win2012 server.

To verify a server handshake against a store containing one cert,
that cert must be the CA root cert used by the server cert, and
the server must include any/all chain certs (which it should,
that's best practice, but some don't). OpenSSL does not currently
support trust anchors other than roots, as for example IE (or maybe
stunnel, I'm not sure) and Firefox do, although there have been
recent posts indicating it will in the future.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
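
The rule in Dave Thompson's reply, reproduced offline with the `openssl` command line as an added example that is not part of the original thread: a store holding only the issuing root verifies the server certificate, while a store holding only an unrelated self-signed certificate yields error 20 (unable to get local issuer certificate). All certificate names are constructed, and `make_demo_pki` and `verify_code` are hypothetical helper names.

```shell
#!/bin/sh
# Added illustration; every name and file below is constructed for the demo.

# Build a throwaway PKI in directory $1:
#   root.pem   self-signed root CA
#   server.pem server certificate issued by root.pem
#   other.pem  self-signed certificate that issued nothing
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 2 -set_serial 2 \
        -CA "$1/root.pem" -CAkey "$1/root.key" \
        -out "$1/server.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Unrelated Self-Signed" \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
}

# Verify certificate $2 against a trust store made only of the file $1.
# Prints 0 on success, otherwise the X509_V_ERR_* number, which uses the
# same numbering as SSL_get_verify_result().
verify_code() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" |
            sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
    fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
# Store holds the root that issued the server cert: chain builds.
echo "store = issuing root:     $(verify_code "$demo_dir/root.pem" "$demo_dir/server.pem")"
# Store holds a self-signed cert that is not the issuer: no issuer found.
echo "store = unrelated cert:   $(verify_code "$demo_dir/other.pem" "$demo_dir/server.pem")"
# A self-signed cert is its own root, so it verifies against itself.
echo "self-signed vs itself:    $(verify_code "$demo_dir/other.pem" "$demo_dir/other.pem")"
rm -rf "$demo_dir"
```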