At most one of CA-1 and CA-2 would be part of the chain from Baltimore to the end cert.

However your end cert (apparently for hosted Sharepoint services) was issued by a 3rd MSIT CA that was not provided. If it wasn't provided to the code either, the chain would not validate for that reason alone.

I also note that none of the certs in the chain contain any Authority Information Access (AIA) extension (issuer certificate download URL and OCSP URL), only a CRL URL extension, which wouldn't be normal MS practice (certificate revocation cannot be detected by some browsers that use only OCSP, and the automatic certificate download done by some Microsoft Windows Security Support Providers (such as CredSSP) won't work).

Oh and you are not posting from an official Microsoft e-mail address either.

Something seems very odd here.

On 16/11/2015 17:48, Jayalakshmi bhat wrote:
Hi Matt,

Thank you for the response. I have attached the certificate details. My apologies, I am not supposed to share the certificates. We are not using the X509_VERIFY_PARAM_xxx APIs. We are using 4 certificates with the device.

1. Root CA- Baltimore CyberTrust Root
2. Intermediate CA-1 - Microsoft Internet Authority
3. Intermediate CA-2 - Microsoft IT SSL SHA2
4. ID certificate - *.sharepoint.com

The intermediate CAs are issued by the above Root CA. The issue is seen when all 4 certificates are installed. The error happens with intermediate CA-2: check_trust returns X509_TRUST_UNTRUSTED. However, if I do not install intermediate CA-2, things work fine.

Any help is well appreciated.

Regards
Jayalakshmi

On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <m...@openssl.org> wrote:



    On 16/11/15 06:52, Jayalakshmi bhat wrote:
    > Hi Victor,
    >
    > Thanks a lot for details explanation.
    >
    > Our device acts as TLS/SSL client.  The device receives chain of
    > certificates as part of SSL handshake, when it is trying to get
    > connected to TLS/SSL server like sharepoint 365.
    >
    > While validating the certificate chain from server, "check_trust"
    > fails with X509_V_ERR_CERT_UNTRUSTED.
    >
    > This had been working fine with OpenSSL 1.0.1c.
    >
    > When I checked the code execution, check_trust was not being called in
    > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
    >
    > That is why I wanted to know is it mandatory for the applications to
    > set X509_VERIFY_PARAM in X509_STORE_CTX


    Are you able to share the certificates that the server provides you
    with? Also the root certificate you are using.

    It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
    least want to verify the hostname through a call to
    "X509_VERIFY_PARAM_set1_host"). Are you currently doing anything like
    this?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
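To make the three checks this thread turns on reproducible offline, here is an added example; it is not code from the thread or from the OpenSSL project. It uses the openssl command-line tool (assumed to be 1.1.1 or later and on PATH) to build a throw-away root -> intermediate -> leaf chain with made-up subjects, hostnames and example.test URLs in place of any real certificate, then verifies the leaf with and without its intermediate, checks the hostname the way X509_VERIFY_PARAM_set1_host does inside an application, and reports which certificates carry an Authority Information Access extension versus only a CRL distribution point. Unlike the chain Jakob describes, the constructed leaf deliberately carries AIA so the two cases can be compared side by side.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): build a throw-away
# root -> intermediate -> leaf chain with the openssl CLI and run the checks the
# discussion turns on. Every subject, hostname and URL below is made up.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# X.509v3 extensions per tier. The intermediate gets only a CRL distribution
# point; the leaf gets AIA (caIssuers + OCSP) as well as a CRL distribution point.
write_ext_files() {
    cat >"$WORK/root.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    cat >"$WORK/int.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
crlDistributionPoints = URI:http://crl.example.test/root.crl
EOF
    cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:*.sharepoint.example.test
authorityInfoAccess = caIssuers;URI:http://aia.example.test/int.cer, OCSP;URI:http://ocsp.example.test
crlDistributionPoints = URI:http://crl.example.test/int.crl
EOF
}

# Generate a fresh RSA key and CSR for subject $2 under basename $1.
csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_chain() {
    write_ext_files
    csr root "/CN=Example Root CA (constructed)"
    openssl x509 -req -days 2 -sha256 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
    csr int "/CN=Example Intermediate CA (constructed)"
    openssl x509 -req -days 2 -sha256 -in "$WORK/int.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
    csr leaf "/CN=*.sharepoint.example.test"
    openssl x509 -req -days 2 -sha256 -in "$WORK/leaf.csr" \
        -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against a store holding only the root. Extra 'openssl verify'
# options (-untrusted FILE, -verify_hostname NAME, ...) are passed through.
# Prints openssl's verdict indented and returns 0 only when it reports "OK".
verify_leaf() {
    result="$(openssl verify -CAfile "$WORK/root.pem" "$@" "$WORK/leaf.pem" 2>&1 || true)"
    printf '%s\n' "$result" | sed 's/^/    /'
    printf '%s\n' "$result" | grep -q ': OK$'
}

# Extension presence checks on certificate file $1 (text dump, no parsing of DER).
has_aia()    { openssl x509 -in "$1" -noout -text | grep -q 'Authority Information Access'; }
has_crl_dp() { openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'; }

build_chain

echo "leaf, root trusted, intermediate supplied as untrusted:"
verify_leaf -untrusted "$WORK/int.pem" || true
echo "leaf, root trusted, intermediate missing:"
verify_leaf || true
echo "hostname check for foo.sharepoint.example.test (matches the wildcard SAN):"
verify_leaf -untrusted "$WORK/int.pem" -verify_hostname foo.sharepoint.example.test || true
echo "hostname check for other.example.test (does not match):"
verify_leaf -untrusted "$WORK/int.pem" -verify_hostname other.example.test || true

echo "revocation-related extensions present in each certificate:"
for c in root int leaf; do
    aia=no; crl=no
    has_aia "$WORK/$c.pem" && aia=yes
    has_crl_dp "$WORK/$c.pem" && crl=yes
    echo "    $c.pem: AIA=$aia CRL-DP=$crl"
done
```

Run it with `sh`. The intermediate-missing case fails with OpenSSL's "unable to get local issuer certificate" rather than a trust error, which is the command-line counterpart of a client that holds the root but was never given the intermediate; the hostname cases show what an application loses if it skips X509_VERIFY_PARAM_set1_host, since the chain itself is identical in both.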
