Hi,

Sorry for the first answer, I didn't read in detail :-/

Looking at your certificate chain, you are in fact trying to validate a certificate issued by RapidSSL using pit-ca:

---
Certificate chain
 0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
   i:/C=US/O=Caradas/OU=PIT/CN=pit-root

This at least explains why it fails... However, you didn't indicate how you set up the first chain, if there is any (looks like not here).

My guess is you should just add all your certificates (CAs and Roots) using only X509_STORE_add_cert, since the verification function tries to recompose the chain by itself.

You can also create a single chain containing all your certificates (both CAs and Roots, in any order). Once again, the verification should be done transparently.

Let me know if it works, or if you already tried.

----- Original message -----
From: Hafedh TRIMECHE <hafedh.trime...@strong-data.com>
To: openssl-users@openssl.org
Sent: Thu, 12 Jun 2014 16:39:23 +0200 (CEST)
Subject: Re: Re : Re: 2 Server certificates

Hi Nico,

As described in the OpenSSL documentation, the 2 functions are equivalent:

SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for ctx.

The problem may be solved by sending two certificates to the client, and it will check which one to verify regarding the CA that issued the server certificate.

SSL_CTX_load_verify_locations can't help because the certificates are stored in blobs, not in files.

Regards

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org