Jorge,

On the server, you can copy all the public certs, i.e. the intermediates and
the root, into one PEM file. That will send everything down to the client.

Best,
Somesh
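As an added illustration of that advice (example code, not from the thread or the OpenSSL project), the script below assembles the single PEM bundle in the order OpenSSL expects, checks that each certificate is issued by the one after it, and then verifies the leaf the way a client that holds only the root would. The file names and the throwaway root/intermediate/leaf PKI are constructed here and assume a working `openssl` binary.

```shell
# Added example (not from the thread): build the one-PEM chain file the reply
# describes, check its order, and verify it with openssl. The PKI is constructed.
set -eu

# Chain file for SSL_CTX_use_certificate_chain_file(): leaf first, then each
# intermediate in signing order, optionally the root last.
build_chain() {  # build_chain OUT leaf.pem intermediate.pem ... [root.pem]
  out=$1; shift; cat "$@" > "$out"
}

# Print the subject or issuer DN of the n-th certificate in a PEM bundle.
cert_field() {  # cert_field BUNDLE N subject|issuer
  awk -v n="$2" '/BEGIN CERT/{c++} c==n' "$1" |
    openssl x509 -noout "-$3" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Succeed only if every certificate is issued by the one that follows it,
# the order OpenSSL expects; a bundle with the root first fails here.
check_chain_order() {  # check_chain_order BUNDLE
  n=$(grep -c 'BEGIN CERT' "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    [ "$(cert_field "$1" "$i" issuer)" = "$(cert_field "$1" $((i+1)) subject)" ] || return 1
    i=$((i+1))
  done
}

# Throwaway PKI root -> intermediate -> leaf, all in DIR (constructed test data).
make_test_pki() {  # make_test_pki DIR
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  for name in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$name.key" -out "$d/$name.csr" \
      -subj "/CN=Test $name" >/dev/null 2>&1
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -out "$d/root.pem" -days 1 >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/int.pem" -days 1 >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/leaf.pem" -days 1 >/dev/null 2>&1
}
# End to end: the client (like s_client above) trusts only the root; the server's
# bundle must supply the intermediate for the leaf to verify.
demo() {
  d=$(mktemp -d); make_test_pki "$d"
  build_chain "$d/chain.pem" "$d/leaf.pem" "$d/int.pem"
  check_chain_order "$d/chain.pem"
  openssl verify -CAfile "$d/root.pem" -untrusted "$d/chain.pem" "$d/leaf.pem" >/dev/null
}
```

Run `demo` after sourcing the file; once the bundle passes, point the server at it with `SSL_CTX_use_certificate_chain_file()` rather than `SSL_CTX_use_certificate_file()`, which loads only the leaf.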

On Tuesday, May 21, 2013, Jorge Ventura wrote:

> I have an application (server) that is working using SSLv23 with a
> regular certificate. Now I have to use one chain of two intermediate
> certificates but for some reason, the openssl library is not sending the
> chain and the only way it works correctly is when I inform the
> client side about the intermediates.
>
> If I am understanding correctly, as long as the client trusts the
> last certificate, it will trust all the intermediates.
>
> Below is a result using the command "openssl s_client ...".
>
> The client has only the Equifax root certificate; all the other GeoTrust
> certificates are intermediates. The file cacerts.pem in the command below
> has the two intermediates included to force the command to succeed, but in
> the real case, I don't have such information at the client side.
>
> Because the client trusts the connection when I provide the
> intermediates, I suppose the server is not sending the intermediates,
> only the first certificate in the chain, and in this case the command
> fails.
>
>
> $ openssl s_client -connect 10.10.10.10:443 -verify 5 -state -CAfile
> cacerts.pem
> verify depth is 5
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=3 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
> verify return:1
> depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> verify return:1
> depth=1 /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> verify return:1
> depth=0
> /serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
> Lake/O=ACME, INC/CN=www.acme.com
> verify return:1
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:SSLv3 read finished A
> CONNECTED(00000003)
> ---
> Certificate chain
>  0
> s:/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
> Lake/O=ACME, INC/CN=www.acme.com
>    i:/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
>     (the server certificate)
> -----END CERTIFICATE-----
>
> subject=/serialNumber=Tf20oDIbWDBfuhDWLEg4DfACRMOBnxA4/C=US/ST=Minnesota/L=Prior
> Lake/O=ACME, INC/CN=www.acme.com
> issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1539 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID:
> 5FB55650BEEAE091441A5CEF4047A0243EE9D57AE8F0485CC1F951E2E97CAE06
>     Session-ID-ctx:
>     Master-Key:
>
> 06B036B9D47B297D2086CB6370108BB60102CD0FD7649F92351E15324D96E8614C566BF9040296177E2BDCA0A189472C
>     Key-Arg   : None
>     Start Time: 1369178367
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
> read:errno=0
> SSL3 alert write:warning:close notify
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
