Hello Everyone,

I have a chain of version 1 certificates.  "Root CA" signs "Intermediate
CA", which signs "client1" and "server1" certificates.  

I also have two example client/server pairs.  The first example only does
server authentication.  The other example does both client and server
authentication. 

The server authentication example works just fine, but the client/server
authentication fails when trying to verify the server1 certificate chain.
Here's the actual example (this is the client with the info callback
tracking the progress)

before/connect initialization
before/connect initialization
SSLv2/v3 write client hello A
SSLv3 read server hello A
SSLv3 read server certificate B
SSLv3 read server certificate B
SSLv3 read server certificate B

Here is the error stack.
1068:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed:.\ssl\s3_clnt.c:764:

As stated before, this same certificate chain gets verified just fine when
doing server authentication only.  

I have debugged into the library and know the following additional
information:
- In x509_vrfy.c:check_chain_purpose(), in the server auth. only example,
ctx->last_trusted is set to 1, while for my client and server authentication
example, it is set to 2.  The function is dying on my intermediate
certificate.  If last_trusted == 1, it just checks the validity of the
server certificate, but when last_trusted == 2, it assumes that my
intermediate certificate is also untrusted; this causes X509_check_purpose()
to return 1 which then sets ctx->error to X509_V_ERR_INVALID_CA.

Also, I do use load_verify_locations to load a trusted certificates file
which contains both the root and intermediate CA certificates.

Any help would be greatly appreciated.

Thanks,
Mike Zeoli

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
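Added illustration, not part of the original thread and not OpenSSL code: a small stand-alone DER walker that applies the part of OpenSSL's CA purpose check that bites here, namely that a certificate with no basicConstraints extension is accepted as a CA only when it is a self-signed v1 root, so a v1 intermediate in the untrusted part of the chain is rejected as X509_V_ERR_INVALID_CA. The certificates it inspects are constructed, unsigned skeletons (dummy key and signature) named after the poster's chain, and the keyUsage leg of the real check is left out.

```python
BC_OID, CN_OID, ALG_OID = (bytes.fromhex(h) for h in ("551d13", "550403", "2a864886f70d01010b"))

def der(tag, payload):                 # encode one DER element (lengths up to 65535)
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + payload

def read(buf, pos):                    # decode the element at pos -> (tag, content, next pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                       # long-form length
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def elements(buf):                     # yield the (tag, content) children of a SEQUENCE/SET body
    pos = 0
    while pos < len(buf):
        tag, content, pos = read(buf, pos)
        yield tag, content

def describe_ca_status(cert_der):
    """Apply the basicConstraints / v1-root rules of OpenSSL's CA check (keyUsage ignored)."""
    fields = list(elements(read(read(cert_der, 0)[1], 0)[1]))   # tbsCertificate children
    version = fields.pop(0)[1][2] + 1 if fields[0][0] == 0xA0 else 1   # [0] absent => v1
    self_signed = fields[2][1] == fields[4][1]                  # issuer Name == subject Name
    basic = None
    for tag, content in fields[6:]:
        if tag == 0xA3:                                         # [3] extensions
            for _, ext in elements(read(content, 0)[1]):
                parts = list(elements(ext))                     # OID, [critical], OCTET STRING
                if parts[0][1] == BC_OID:
                    basic = read(parts[-1][1], 0)[1][:3] == b"\x01\x01\xff"   # cA TRUE
    if basic is None:                  # no basicConstraints: only a self-signed v1 root is tolerated
        basic = version == 1 and self_signed
    return {"version": version, "self_signed": self_signed, "ca": basic}

def sample_cert(issuer, subject, version=1, ca=None):
    """Constructed, unsigned certificate skeleton (dummy key and signature) for the demo."""
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))
    alg, when = der(0x30, der(0x06, ALG_OID)), der(0x17, b"240101000000Z")
    tbs = (der(0x02, b"\x01") + alg + name(issuer) + der(0x30, when * 2) + name(subject)
           + der(0x30, alg + der(0x03, b"\x00")))
    if version == 3:                   # v3: explicit version, plus basicConstraints when asked for
        tbs = der(0xA0, der(0x02, b"\x02")) + tbs
        if ca is not None:
            bc = der(0x04, der(0x30, der(0x01, b"\xff") if ca else b""))
            tbs += der(0xA3, der(0x30, der(0x30, der(0x06, BC_OID) + bc)))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, b"\x00"))

# The poster's chain: a v1 intermediate that is not self-signed fails; the same pair with CA:TRUE passes.
V1_INTERMEDIATE = sample_cert("Root CA", "Intermediate CA")
V3_INTERMEDIATE = sample_cert("Root CA", "Intermediate CA", version=3, ca=True)
```

Running `describe_ca_status` over the intermediate actually sent by the server (after `openssl x509 -outform DER`) shows whether it is the no-basicConstraints v1 case; the usual remedy is to reissue the intermediate as a v3 certificate carrying basicConstraints CA:TRUE.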
