Thank you for your reply Meer.

In my case the cert.pem file contains the private key too.
I want to understand: if I have to use intermediate certificates in the SSL
handshake, is there any specific way in which we have to populate the SSL_CTX
structure?

I have tried using SSL_CTX_use_certificate_chain_file() API. Is this the
right way?

On Fri, Mar 7, 2014 at 11:30 PM, B. Meeker <bmeeke...@buckeye-express.com> wrote:

> Harshal,
>
> Check parameter 2 on SSL_CTX_use_PrivateKey_file().  It should be a
> pointer to the name of the file that contains the private key, not the
> certificate file.
>
> As an example on my (working) prototype server I use the following:
>
> // Define whatever ciphers you want.  I used AES-128.  Client cipher list
> // should match.
> #define CIPHER_LIST "AES-128"
>
> if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST)
>
> >Hello,
> >
> >I am creating an SSL server/client architecture,
> >wherein I am using code similar to that mentioned below for populating my
> >server's SSL_CTX
> >
> >        ret = SSL_CTX_use_certificate_file(sslctx, "/tmp/certs.pem",
> >                                           SSL_FILETYPE_PEM);
> >        if(ret != 1)
> >        {
> >           return false;
> >        }
> >
> >        ret = SSL_CTX_use_PrivateKey_file(sslctx, "/tmp/certs.pem",
> >                                          SSL_FILETYPE_PEM);
> >        if(ret != 1)
> >        {
> >            return false;
> >        }
> >        ret = SSL_CTX_check_private_key(sslctx);
> >        if(ret != 1)
> >        {
> >            return false;
> >        }
> >        ret = SSL_CTX_load_verify_locations(sslctx, "/tmp/ca.pem", NULL);
> >        if(ret != 1)
> >        {
> >            return false ;
> >        }
> >
> >
> >I have certs.pem file with root server certificate
> >ca.pem file with CA certificate
> >and chain.pem file with intermediate certificates.
> >
> >I tried to add these intermediate certificates from chain.pem to my
> >SSL_CTX cert store to be used at the time of the SSL handshake with the client.
> >
> >One of the ways was to use the "SSL_CTX_use_certificate_chain_file" method.
> >But when I tried using it with the above mentioned code, the SSL handshake failed
> >with the following error:
> >"SSL_write() error - error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
> >
> >Removing this step, the SSL handshake seems to work fine.
> >
> >Can you please help me understand what is going wrong?
> >
> >Any troubleshooting pointers will be a great help.
> >
> >Thanks in advance
> >-Harshal
> >
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
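
Added example (not part of the thread and not OpenSSL code): SSL_CTX_use_certificate_chain_file() takes the first CERTIFICATE block in a file as the context's own certificate and any further ones as chain certificates, and SSL_CTX_use_PrivateKey_file() takes the first private key it finds, so the server certificate has to come first in the chain file, followed by the intermediates. This checker reports what those loaders would find in a PEM file; the file contents are constructed placeholders and the names scan_pem and usable_as_identity are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

struct pem_layout { /* what the loader calls would find in one PEM file */
    int certs; /* CERTIFICATE blocks: first = own cert, rest = chain certs */
    int keys;  /* blocks whose label ends in "PRIVATE KEY" */
};

/* Count PEM headers by label; bodies are not decoded or validated. */
static struct pem_layout scan_pem(const char *text)
{
    struct pem_layout lay = {0, 0};
    const char *p = text;
    while ((p = strstr(p, "-----BEGIN ")) != NULL) {
        p += 11;                               /* skip "-----BEGIN " */
        const char *end = strstr(p, "-----");  /* end of the label */
        if (end == NULL) break;
        size_t n = (size_t)(end - p);
        if (n == 11 && memcmp(p, "CERTIFICATE", 11) == 0)
            lay.certs++;
        else if (n >= 11 && memcmp(end - 11, "PRIVATE KEY", 11) == 0)
            lay.keys++;
        p = end;
    }
    return lay;
}

/* 1 if one file can be passed to both the chain loader and the key loader. */
static int usable_as_identity(const char *text)
{
    struct pem_layout lay = scan_pem(text);
    return lay.certs >= 1 && lay.keys == 1;
}

/* Constructed placeholder files (dummy bodies), named after the thread's files. */
#define CERT(tag) "-----BEGIN CERTIFICATE-----\n" tag "\n-----END CERTIFICATE-----\n"
#define KEY "-----BEGIN PRIVATE KEY-----\nkey\n-----END PRIVATE KEY-----\n"
static const char CERTS_PEM[]  = KEY CERT("leaf");            /* key + server cert */
static const char CHAIN_PEM[]  = CERT("int1") CERT("int2");   /* intermediates only */
static const char BUNDLE_PEM[] = CERT("leaf") CERT("int1") CERT("int2") KEY;

int main(void)
{
    const char *names[] = {"certs.pem", "chain.pem", "bundle.pem"};
    const char *files[] = {CERTS_PEM, CHAIN_PEM, BUNDLE_PEM};
    for (int i = 0; i < 3; i++) {
        struct pem_layout lay = scan_pem(files[i]);
        printf("%-10s certs=%d keys=%d cert+key in one file=%s\n", names[i],
               lay.certs, lay.keys, usable_as_identity(files[i]) ? "yes" : "no");
    }
    return 0;
}
```

A chain.pem that holds only intermediates shows up with certs=2 and keys=0: loaded through the chain call, its first intermediate would become the context's own certificate, with no matching key in the file.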
