>From: owner-openssl-us...@openssl.org On Behalf Of Hazrat Shah
>Sent: Friday, 24 May, 2013 19:48

>I add the server certificate in PEM format to the SSL store using []
>X509_STORE_add_cert(SSL_CTX_get_cert_store(pctx), x509cert);

I assume you mean to the truststore of the (or a) client, since 
that's the only party that normally will validate it.

The argument to _add_cert is internal format (X509* = struct x509_st*).
You may have converted it *from* PEM, or DER, or even something else.

>The SSL_get_verify_result(SSL handle); always seems to return
>error code 20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

You only get verify 20 if the server cert is NOT selfsigned.
If the server cert is not selfsigned, putting it in the client 
truststore is completely useless. If the server cert is issued 
by a CA (not selfsigned) then an openssl client's truststore must 
include the root cert of that CA (which is selfsigned) but 
need not and should not include the server EE cert.

In addition, if the server cert requires any intermediate "chain" 
certs between it and the CA's root, the server should send them. 
But if due to server misconfiguration or limitation it does not, 
openssl client can fill them in iff they are in the truststore, 
and link uniquely.

The server should have the CA root and any intermediate(s), but 
if it doesn't or you can't get them, or you just prefer to, you 
can normally get them directly from the CA. Commandline s_client 
lists the known part of the chain even though it doesn't validate, 
which should give you a hint where to look. Otherwise take the 
received cert (and intermediate(s) with -showcerts) and run (each) 
through commandline x509 -noout -text to see Policy CRLDP AIA.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
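As an added example (not from the original thread), the script below builds a throwaway PKI with openssl (self-signed root, intermediate, server EE cert) and runs the cases discussed above: EE cert alone in the truststore, root only with and without the server supplying the intermediate, root plus intermediate in the truststore, and finally reading the AIA with x509 -noout -text. All names, paths and the URL are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a demo PKI (self-signed root -> intermediate
# -> server EE cert) and show which truststore contents let an OpenSSL client validate
# the server. Every name, path and URL here is constructed for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
authorityInfoAccess = caIssuers;URI:http://pki.example.invalid/demo-intermediate.cer
EOF
# Root CA: self-signed, so it is a valid trust anchor. Intermediate and server are not.
openssl req -new -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 30 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=server.example.invalid" 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 \
  -extfile ca.cnf -extensions v3_server -out server.pem 2>/dev/null
cat root.pem int.pem > root_and_int.pem
# Verify server.pem against a truststore file; extra args (e.g. "-untrusted int.pem")
# stand in for whatever chain certs the server sends in the handshake. Prints OK or FAIL.
verify_with() {
  ts=$1; shift
  if openssl verify -CAfile "$ts" "$@" server.pem >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# Numeric X509_V_ERR code from a failed verify (20 = UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
verify_error() {
  openssl verify -CAfile "$1" server.pem 2>&1 | sed -n 's/^error \([0-9]*\) at .*/\1/p' | head -n1
}
# The AIA caIssuers URI is where x509 -noout -text says the issuing (intermediate) cert lives.
show_aia() {
  openssl x509 -in server.pem -noout -text | grep -A1 'Authority Information Access' | tail -n1 | sed 's/^ *//'
}
echo "EE cert alone in truststore:          $(verify_with server.pem) (error $(verify_error server.pem))"
echo "root only, server omits chain:        $(verify_with root.pem) (error $(verify_error root.pem))"
echo "root only, server sends intermediate: $(verify_with root.pem -untrusted int.pem)"
echo "root + intermediate in truststore:    $(verify_with root_and_int.pem)"
echo "AIA on server cert: $(show_aia)"
```

The two FAIL cases both report error 20, the code from the original question; only a self-signed root in the truststore, with the intermediate either sent by the server or also present in the truststore, gives OK.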
