Hi, I am using OpenSSL for an SSL server and "openssl s_client" to test it with client auth required. A self-signed root cert is used for creating client certs, and the self-signed root cert is added to the SSL server's trusted CA file.

It works fine when the client cert has no chain, but if the client cert is created by an intermediate CA which is signed by the previous root CA, the SSL server fails with "unknown ca". From the debug trace, it looks like s_client sent the whole chain (the client cert file contains the private key and the whole chain in PEM format). I thought that OpenSSL would automatically build the chain based on what is sent from the client, and since the root CA is trusted, it should work. Am I wrong? Do I need to get the client's cert chain and set it on the SSL CTX for validation?

BTW, here are the functions used:

    SSL_CTX_new(SSLv23_method());
    SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
    SSL_CTX_set_cipher_list(ctx, CIPHER_LIST);
    SSL_CTX_use_certificate_chain_file(ctx, cert_fname);
    SSL_CTX_use_PrivateKey_file(ctx, cert_fname, SSL_FILETYPE_PEM);
    STACK_OF(X509_NAME) *ca_certs = SSL_load_client_CA_file((char*)ca_fname);
    SSL_CTX_set_client_CA_list(ctx, ca_certs);
    SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr);
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
    SSL_CTX_set_verify_depth(ctx, _verify_depth);

Thank you very much!

Mary
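An offline way to reproduce the same chain check with the openssl CLI, added here as an example script (not part of the post above and not OpenSSL's own tooling): it builds a throwaway root -> intermediate -> client chain, then verifies the client cert against a trust store holding only the root, with and without the intermediate available. It assumes the `openssl` binary (1.1.1 or later) is on PATH; all names and files are constructed.

```shell
#!/bin/sh
# Added demo, not code from the original post: build a root -> intermediate -> client
# chain in a temp dir, then verify the client cert against a trust store that holds
# only the root, which is what the SSL server described above is configured with.
set -e
WORK=$(mktemp -d)

# sign_cert CSR CA_CERT CA_KEY OUT EXTFILE  (pass "self" as CA_CERT to self-sign)
sign_cert() {
  if [ "$2" = "self" ]; then
    openssl x509 -req -in "$1" -signkey "$3" -out "$4" -days 2 -extfile "$5" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
      -out "$4" -days 2 -extfile "$5" 2>/dev/null
  fi
}

# make_chain: self-signed root, intermediate signed by root, client leaf signed by
# the intermediate. Everything here is constructed throwaway test material.
make_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext
  for n in root inter client; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=demo-$n" 2>/dev/null
  done
  sign_cert root.csr self root.key root.pem ca.ext
  sign_cert inter.csr root.pem root.key inter.pem ca.ext
  sign_cert client.csr inter.pem inter.key client.pem leaf.ext
  # what "s_client -cert" would load: key, leaf and intermediate in one PEM file
  cat client.key client.pem inter.pem > client-chain.pem
}

# verify_leaf DEPTH [INTERMEDIATE]: returns 0 when client.pem chains to the root.
# -CAfile with the root only plays the server's trusted CA file; -untrusted plays
# the extra certificate the client sends along with its own.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -verify_depth "$1" -CAfile "$WORK/root.pem" -untrusted "$2" "$WORK/client.pem"
  else
    openssl verify -verify_depth "$1" -CAfile "$WORK/root.pem" "$WORK/client.pem"
  fi
}

make_chain
verify_leaf 1 "$WORK/inter.pem"   # OK: intermediate available, one intermediate allowed
verify_leaf 1 || echo "fails without the intermediate: the root alone cannot build the chain"
verify_leaf 0 "$WORK/inter.pem" || echo "fails at verify depth 0: no intermediate CA allowed"
```

On the server side, `-CAfile` corresponds to the store filled by SSL_CTX_load_verify_locations and `-untrusted` to the certificates the peer presents, which OpenSSL uses only as untrusted chain material; `-verify_depth` mirrors SSL_CTX_set_verify_depth, so a depth set too low fails a valid chain just as a missing intermediate does.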
