Hi Nicolas,

pit-ca issued another certificate to a client wanting to connect to the same 
server identified by secure.payerspot.com.

I'm looking for a solution allowing two clients to connect to the same server 
using certificates issued by different CAs.

In this case the client forces the server verification by requesting its 
certificate.

So the two server certificates must be sent to each client.

Certificate chain1 (issued by CA1)
0 s:
   i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Certificate chain2 (issued by CA2)
0 s:
   i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Regards.

----- Original Message -----
From: nicolas....@free.fr
To: openssl-users@openssl.org
Date: Fri, 13 Jun 2014 02:02:51 +0200 (CEST)
Subject: Re : Re: Re : Re: 2 Server certificates

> Hi,
> 
> sorry for the first answer, I didn't read in details :-/
> looking at your certificate chain, you are in fact trying to validate a 
> certificate issued by RapidSSL using pit-ca
> 
> ---
> Certificate chain
>  0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See 
> www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - 
> RapidSSL(R)/CN=secure.payerspot.com
>  i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
> -----BEGIN CERTIFICATE-----
> ...
> -----END CERTIFICATE-----
>  1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
>    i:/C=US/O=Caradas/OU=PIT/CN=pit-root
> 
> 
> this at least explains why it fails...
> however, you didn't indicate how you set up the first chain, if there is any 
> (looks like not here)
> 
> My guess is you should just add all your certificates (CAs and Roots) using 
> only X509_STORE_add_cert, since the verification function tries to recompose 
> the chain by itself
> 
> you can also create a single chain containing all your certificates (both CAs 
> and Roots, in any order)
> once again the verification should be done transparently
> 
> 
> let me know if it works, or if you already tried
> 
> 
> ----- Original Message -----
> From: Hafedh TRIMECHE <hafedh.trime...@strong-data.com>
> To: openssl-users@openssl.org
> Sent: Thu, 12 Jun 2014 16:39:23 +0200 (CEST)
> Subject: Re: Re : Re: 2 Server certificates
> 
> Hi Nico,
> 
> As described in OpenSSL documentation the 2 functions are equivalent:
> 
> SSL_set_client_CA_list() sets the list of CAs sent to the client when 
> requesting a client certificate for the chosen ssl, overriding the setting 
> valid for ssl's SSL_CTX object.
> 
> SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of 
> CAs sent to the client when requesting a client certificate for ctx.
> 
> The problem may be solved by sending two certificates to the client and it 
> will check which one to verify regarding the CA that issued the server certificate.
> 
> SSL_CTX_load_verify_locations can't help because the certificates are stored 
> in a blob, not in files.
> 
> Regards
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>