Hi
it seems that you could use the following functions :
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
-> sets the list of trusted CA sent to client (here Rapid SSL CA and pit-ca)
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char
*CApath);
-> the CApath should point to a folder where certificates of both CAs are stored
OpenSSL should be able to recover the certificate chain by itself
Hope it works
Nico
----- Mail d'origine -----
De: Hafedh TRIMECHE <hafedh.trime...@gmail.com>
À: openssl-users@openssl.org
Envoyé: Thu, 12 Jun 2014 09:49:49 +0200 (CEST)
Objet: Re: 2 Server certificates
I used this pascal procedure to handle other CAs
procedure TWEBStandaloneServer.InsertCA(CA,Root:UnicodeString);
var
x509 : pX509;
begin
{ The next four functions are only useful for TLS/SSL servers.
f_SSL_CTX_add_client_CA : function(C: PSSL_CTX; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_add_client_CA : function(ssl: PSSL; CaCert:
PX509): Integer; cdecl = nil; //AG
f_SSL_CTX_set_client_CA_list : procedure(C: PSSL_CTX; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
f_SSL_set_client_CA_list : procedure(s: PSSL; List:
PSTACK_OF_X509_NAME); cdecl = nil; //AG
}
CA := Trim(CA);
Root := Trim(Root);
if (CA='') or (Root='') then Exit;
FCS.Lock;
try
x509 := BlobToX509(CA);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
x509 := BlobToX509(Root);
X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store),x509);
SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext),x509);
SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext),x509);
except
end;
FCS.Unlock;
end;
and I obtained this log
Thank you to guide me set suitable procedure to accept connection from
client which the certificate is issued by the second CA (pit-ca) not
RapidSSL CA
Regards
-----------------------------------------------------------------------------------------------------------------------------------------
D:\Developer\Tools\SSL\OpenSSL>openssl s_client -showcerts -connect
localhost:44
30
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(00000170)
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018,
OU = S
ee www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated -
RapidSS
L(R), CN = secure.payerspot.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See
www.rap
idssl.com/resources/cps (c)13/OU=Domain Control Validated -
RapidSSL(R)/CN=secur
e.payerspot.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgIDDfI5MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTMwOTEwMjEyMDMyWhcNMTQwOTEyMjMwNDI2WjCBwzEpMCcGA1UEBRMgYWJj
dThXV2hZamwzTlFhaXBXc1poNWVGbFkzR2l2NzExEzARBgNVBAsTCkdUODI1NjYw
MTgxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMR0wGwYDVQQDExRzZWN1cmUucGF5ZXJzcG90LmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMNR0N+FmQnQhgX9u3M101VWanDFoSy42IOO
CdcgAfhbyfVKA1azIxDsRNvf2A50yPTJGKT54r8H53q0a26RLHjTICfLQnfw0ala
o9DTC5zcZ0IoibTXC6XmxOsQyoOJ1qavgKUloZHFEj9uHWRKEAaUUX/nQ0x7nTlL
uXhQrzWFAqCawA2pElvehrsdvQKlVbeXCKfKptDuNkMcDhMNQhDp9mBG8yNn5bd3
zLxIs0R9H/SpeCS314xwj4MKwwcwV8wTt7heekASQ85/IMSp27HdlOTWZYNZZWdJ
8EA6+wnhVpUxDgea/HG9GffSRc21hCSSBmxuQklLpYOmLww3YbECAwEAAaOCAa8w
ggGrMB8GA1UdIwQYMBaAFGtpPWoYQkrdjwJlOf01JIZ4kRYwMA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIU
c2VjdXJlLnBheWVyc3BvdC5jb20wQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3Jh
cGlkc3NsLWNybC5nZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0O
BBYEFKQx20IXCPfRhermzmPBd4Qp+2xBMAwGA1UdEwEB/wQCMAAweAYIKwYBBQUH
AQEEbDBqMC0GCCsGAQUFBzABhiFodHRwOi8vcmFwaWRzc2wtb2NzcC5nZW90cnVz
dC5jb20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEuZ2VvdHJ1c3Qu
Y29tL3JhcGlkc3NsLmNydDBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr
BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczAN
BgkqhkiG9w0BAQUFAAOCAQEAgDs51+io4xWWYrR9LhMv5Ks8URfluQPFO2FUA6PI
KjOoQwLr2pa5u1mxwlkZC4j5g0uf9Afis6iVkhHMiI3fkf17sdPq/jnU7lj0sjgW
WaJu5AmcIGVyMwWRXtyTQmfmdJ6QYK/uXJUdE45YnD5qU+h0wW2PY9UhTwEqLqPH
XYFkyR3ioIuB3bx3SNeEdw4HfynrsszxqCtwEffOoS/99OMF/7K2LZS+gHPtMjTD
SmJFnr6U21/XQx1pVYsVLps+4tWcwGwWdvLabyydgoRvSLdVnEoWveNVzYjWrXO+
A5jWDIoTe3UJduh6qRlfvJalheNmhqAKOe5H9/LCBUn+gA==
-----END CERTIFICATE-----
1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
i:/C=US/O=Caradas/OU=PIT/CN=pit-root
-----BEGIN CERTIFICATE-----
MIICnzCCAgigAwIBAgIJANhcG/IeHwt9MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNV
BAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMQwwCgYDVQQLEwNQSVQxETAPBgNVBAMT
CHBpdC1yb290MB4XDTE0MDMwNjA0NDYzN1oXDTI0MDMwMzA0NDYzN1owPjELMAkG
A1UEBhMCVVMxEDAOBgNVBAoTB0NhcmFkYXMxDDAKBgNVBAsTA1BJVDEPMA0GA1UE
AxMGcGl0LWNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS8wkuFUF4kaai
aSL+R56Vakz1ulgoYFq/EoXJzLSw0AtaW81eHuChye87XgDGPXuAECobKR1po7jm
mv7N1mqolxdLttAo5KIrW9eON6+/+3S4tIkuKrq+6VLTyxS5tm7HtIk3VHgOauYq
ZAwdCxSFqIuFjsujhs+XXxvwBuo5swIDAQABo4GiMIGfMB0GA1UdDgQWBBSSeO/A
pvd/IYPohAgH1IdESNp/KDBwBgNVHSMEaTBngBTZN94fUNQRn4qO7sSjXtpWHdR7
iaFEpEIwQDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0NhcmFkYXMxDDAKBgNVBAsT
A1BJVDERMA8GA1UEAxMIcGl0LXJvb3SCCQD5xUs3mIvpWzAMBgNVHRMEBTADAQH/
MA0GCSqGSIb3DQEBBQUAA4GBACtXB0vtl0+QUUvHGlo8gqCwjjhwDLpa2VRslaus
KGt84WlPiX0TH2Bqxm/zmPyBjNnuXWGHmQ4KgFmqa0SeF1AfP/Y3AWeEJA6Joej5
8nG0hr6CcObxrC+wAMRPDIlLHO+51QyjpNF9HC+k26bxUapZs2VW/2pcP67mtQHy
XiYQ
-----END CERTIFICATE-----
2 s:/C=US/O=Caradas/OU=PIT/CN=pit-root
i:/C=US/O=Caradas/OU=PIT/CN=pit-root
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAPnFSzeYi+lbMA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNV
BAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMQwwCgYDVQQLEwNQSVQxETAPBgNVBAMT
CHBpdC1yb290MB4XDTE0MDMwNjA0MzUxMFoXDTI0MDMwMzA0MzUxMFowQDELMAkG
A1UEBhMCVVMxEDAOBgNVBAoTB0NhcmFkYXMxDDAKBgNVBAsTA1BJVDERMA8GA1UE
AxMIcGl0LXJvb3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKG7diarDQg1
7UjmvJasHFSjWhPdb9/9pXZvWAKuc9wqqjD3nvU6w+uJtYIFqN4vXC+jk7ek4VF7
jvkDF3R00fnHl6wOVufzQlFA7+QXpWTMGsb6yywhXMwVbcO8u14cGV/x+5VewkTg
rVRbqZlOXImellNvW1fsJ5HiSVfH8eylAgMBAAGjgaIwgZ8wHQYDVR0OBBYEFNk3
3h9Q1BGfio7uxKNe2lYd1HuJMHAGA1UdIwRpMGeAFNk33h9Q1BGfio7uxKNe2lYd
1HuJoUSkQjBAMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHQ2FyYWRhczEMMAoGA1UE
CxMDUElUMREwDwYDVQQDEwhwaXQtcm9vdIIJAPnFSzeYi+lbMAwGA1UdEwQFMAMB
Af8wDQYJKoZIhvcNAQEFBQADgYEAIeZZtXQqlBK04a2gimGko/aL2YWMRgh04yTK
+jw7OkJ/UWdA1g78UJk5/rTJ92579io5rsmLHXV+uWc6Wr6IFO4AfxiQv+GW/PMQ
8pu49o8ev9yTvYaos8XP4zdUO4RsXBw9rYRuSP4Ov2tOKKPomOJLabS58GAlCouk
774/xTE=
-----END CERTIFICATE-----
---
Server certificate
subject=/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See
www.
rapidssl.com/resources/cps (c)13/OU=Domain Control Validated -
RapidSSL(R)/CN=se
cure.payerspot.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
Acceptable client certificate CA names
/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=US/O=Caradas/OU=PIT/CN=pit-ca
/C=US/O=Caradas/OU=PIT/CN=pit-root
---
SSL handshake has read 3311 bytes and written 649 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID:
4E1F306DC017FF34593693FA862184AC7CF38B976E36681DD7F5481DD2696044
Session-ID-ctx:
Master-Key:
2C469ED2095E5F9F66792C4CAB4339BAD630ADC6773A491F391533EFC99BBE47
D06FD73DC9ADB4E130B5A664350C3F3E
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - fc ca 8c 95 6c f5 1d 56-7f e3 13 cb 03 05 09 46
....l..V.......F
0010 - 81 b0 6b 94 6e bf af 64-4f 50 39 00 d3 f2 2e 5b
..k.n..dOP9....[
0020 - 6c 30 fc d4 da 70 ae 66-dc 60 7f 01 db 29 4b 78
l0...p.f.`...)Kx
0030 - fb b7 bb b6 bc be cc e9-db 77 cd b1 97 d1 16 01
.........w......
0040 - e7 fe f4 79 69 bb 9c 25-ce 2b 64 62 6f f7 cb 94
...yi..%.+dbo...
0050 - 45 fc 07 31 eb 9d e7 66-ef e1 c9 ea 82 0d 56 45
E..1...f......VE
0060 - f4 17 af e3 73 32 59 8e-fb 5d 30 4c 31 df bb d9
....s2Y..]0L1...
0070 - f8 1e 9b 12 04 a3 56 98-0b 72 99 83 ff d7 30 0f
......V..r....0.
0080 - 0e ec d5 d4 c2 0a 9a eb-07 9c e4 3e 9c 2d 72 18
...........>.-r.
0090 - 6b b6 d1 3f 42 3a 11 ae-4c d0 ff ce 34 9f 15 c3
k..?B:..L...4...
Start Time: 1402558752
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
--
View this message in context:
http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50877.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
