In the past, I was not using an intermediate certificate and the code below
worked with no problem.
/* Load the CAs we trust (CA_PATH is the directory of trusted CA certificates) */
if (!(SSL_CTX_load_verify_locations(ctx, NULL, CA_PATH)))
    berr_exit("Couldn't read CA list/path");
/* Limit how deep a certificate chain may be before verification fails */
SSL_CTX_set_verify_depth(ctx, 1);
Now that I have a chain of inte
Please note that s_client is used for debugging connections, not certs,
and might connect EVEN IF the server certificate is not good.
http://www.openssl.org/docs/apps/s_client.html#item__verify
"Currently the verify operation continues after errors so all the
problems with a certificate chain can be
In your s_client command, you still need to include the -CAfile parameter
and point it to just the self-signed Root certificate. Your server is
sending the intermediates but the client is not able to verify the chain up
to a Root.
You may want to edit cacerts.pem to include only the Root certifica
That is what I get when I don't include the intermediate in the command:
openssl s_client -connect 10.10.10.10:443 -verify 5 -state -showcerts
verify depth is 5
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server he
Jorge,
On the server, you can copy all the public certs, i.e. the intermediates and
the root, into one PEM file. That will send everything down to the client.
Best,
Somesh
On Tuesday, May 21, 2013, Jorge Ventura wrote:
> I have an application (server) that is working using SSLv23 with a
> regular
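The two pieces of advice above (one PEM file on the server holding the server
certificate plus the intermediates, and only the self-signed root in the
client's -CAfile) can be checked end to end with the openssl command-line
tool. The script below is an added example for this thread, not code posted
by anyone in it: it builds a throwaway root with two intermediates, assembles
the file the server should present, and then runs `openssl verify` the way a
client that trusts only the root would, using `-untrusted` to stand in for the
intermediates a server sends during the handshake. All subjects, serial
numbers and file names are made up for the example.

```sh
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Builds a throwaway PKI (root -> intermediate 1 -> intermediate 2 -> server
# certificate), assembles the PEM file a server should present, and verifies
# the server certificate the way a client that trusts only the root would.
# All names, subjects, serials and file paths below are made up for the example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# Extensions for the intermediate CAs and for the server (end-entity) certificate.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' >"$WORK/ca_ext.cnf"
printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' >"$WORK/leaf_ext.cnf"

# new_key_and_csr NAME SUBJECT: fresh RSA key and CSR as $WORK/NAME.key / $WORK/NAME.csr
new_key_and_csr() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# sign_csr NAME ISSUER SERIAL EXTFILE: issue $WORK/NAME.pem from $WORK/NAME.csr
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -set_serial "$3" -days 1 -extfile "$WORK/$4" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_pki: self-signed root, two intermediates, one server certificate
make_pki() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root" -days 1 \
        >/dev/null 2>&1
    new_key_and_csr inter1 "/CN=Example Intermediate 1"
    sign_csr inter1 root 2 ca_ext.cnf
    new_key_and_csr inter2 "/CN=Example Intermediate 2"
    sign_csr inter2 inter1 3 ca_ext.cnf
    new_key_and_csr leaf "/CN=server.example"
    sign_csr leaf inter2 4 leaf_ext.cnf
}

# build_server_chain OUT NAME...: concatenate $WORK/NAME.pem files into OUT.
# Call it with the server certificate first, then the intermediates, the one
# closest to the server certificate first. The root is left out on purpose:
# the client must already have it in its trust store.
build_server_chain() {
    out="$1"; shift
    : >"$out"
    for name in "$@"; do
        cat "$WORK/$name.pem" >>"$out"
    done
}

# count_certs FILE: number of PEM certificates in FILE
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_as_client DEPTH [CHAINFILE]: verify the server certificate trusting
# only the root (the -CAfile the client side should use), with whatever the
# server sent as untrusted chain material. Returns 0 on success, 1 on failure.
verify_as_client() {
    if [ -n "${2:-}" ]; then
        openssl verify -verify_depth "$1" -CAfile "$WORK/root.pem" \
            -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
    else
        openssl verify -verify_depth "$1" -CAfile "$WORK/root.pem" \
            "$WORK/leaf.pem" >/dev/null 2>&1 || return 1
    fi
}

make_pki
build_server_chain "$WORK/server_chain.pem" leaf inter2 inter1
echo "server chain file holds $(count_certs "$WORK/server_chain.pem") certificates"

if verify_as_client 5 "$WORK/server_chain.pem"; then
    echo "root only in -CAfile, intermediates from the server: verified"
fi
if ! verify_as_client 5; then
    echo "root only in -CAfile, server sent no intermediates: unable to get local issuer"
fi
if ! verify_as_client 1 "$WORK/server_chain.pem"; then
    echo "verify depth 1 with two intermediates: chain too long, rejected"
fi
```

The three checks at the end mirror the three situations in the thread: the
chain verifies against a -CAfile holding only the root as long as the server
supplies the intermediates; it fails with "unable to get local issuer
certificate" when the server sends only its own certificate; and it fails
with "certificate chain too long" when the verify depth is too small for two
intermediates, which is worth keeping in mind for a client that still calls
SSL_CTX_set_verify_depth(ctx, 1). On the server side, a PEM file in the order
built here (server certificate first, then the intermediates) is what
SSL_CTX_use_certificate_chain_file() expects; SSL_CTX_use_certificate_file()
loads only the first certificate in the file, so intermediates placed after it
are never sent. Appending the root as suggested above is allowed but not
needed by clients that already trust it.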
On 21 May 2013, at 5:37 PM, Jorge Ventura wrote:
> Somesh,
> The server side is using one .pem file like this:
>
> The was signed by one root CA available at client
> side and the two intermediates were supplied by the same root authority.
> I think that I didn't forget that.
It
Somesh,
The server side is using one .pem file like this:
The was signed by one root CA available at client
side and the two intermediates were supplied by the same root authority.
I think that I didn't forget that.
On Tue, May 21, 2013 at 7:29 PM, Somesh Chakrabarti
wrote:
> Jorge,
>
>
On 21 May 2013, at 5:02 PM, Jorge Ventura wrote:
> Because the client trusts the connection when I inform it of the
> intermediate, I suppose the server is not sending the intermediate,
> only the first certificate in the chain, and in this case the command
> fails.
That is a reasonable conclusion. You ca
I have an application (server) that is working using SSLv23 with a
regular certificate. Now I have to use one chain of two intermediate
certificates but, for some reason, the OpenSSL library is not sending the
chain, and the only way it works correctly is when I inform the
client side about the intermed