On Fri, Dec 01, 2006, Dan Ellis wrote:
> Dr. Stephen Henson wrote:
>
> > Does the client CA chain include an intermediate certificate which is not
> > being sent: so the server can't build the chain to verify it?
> >
> I've checked the actual exchange with Wireshark, and it shows that the
> client is sending the entire chain: client, CA 3, CA 2, root CA. The
> root CA is the same as the one I'm using in the server.
>
So how are you adding the root CA to the trusted store? The usual way is to
get the store with SSL_CTX_get_store() and add it with X509_STORE_add_cert().
If there is still a problem I suggest you dump the client certificate to one
file, the rest of the chain to another and do:
openssl verify -CAfile root.pem -untrusted chain.pem -purpose sslclient \
client.pem
and see what the result is.
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
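The check Steve suggests, worked through end to end as an added example (this script is not part of the original thread and is not OpenSSL project code). It rebuilds the chain Dan saw in Wireshark (client, CA 3, CA 2, root CA) from throw-away EC keys in a temporary directory, then runs the same `openssl verify` command twice: once with the full chain and once with CA 2 left out, which is the failure Steve was probing for. All subject names, serial numbers and extension profiles below are constructed for this example. For the server-side half of the advice, note that the accessor in OpenSSL's C API is spelled `SSL_CTX_get_cert_store()`; the root then goes in with `X509_STORE_add_cert()`.

```shell
#!/bin/sh
# Added example: reproduce the thread's chain (client <- CA 3 <- CA 2 <- root)
# with throw-away keys and run Steve's verify command against it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles (constructed): CAs must carry basicConstraints CA:TRUE or
# modern OpenSSL rejects them as issuers; the leaf is marked for client auth,
# which is what -purpose sslclient checks for.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
EOF

# issue NAME SUBJECT SERIAL EXTFILE [ISSUER]
# Writes NAME.key and NAME.pem; self-signs when no ISSUER is given.
issue() {
  name=$1; subj=$2; serial=$3; ext=$4; issuer=${5:-}
  openssl ecparam -genkey -name prime256v1 -noout -out "$name.key"
  openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" \
      -set_serial "$serial" -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -set_serial "$serial" -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

issue root   "/CN=Example Root CA" 1 ca.ext
issue ca2    "/CN=Example CA 2"    2 ca.ext   root
issue ca3    "/CN=Example CA 3"    3 ca.ext   ca2
issue client "/CN=example client"  4 leaf.ext ca3

# The rest of the chain as the client sends it on the wire: CA 3, CA 2, root.
# Dan's dump of the "other" certificates would look like this file.
cat ca3.pem ca2.pem root.pem > chain.pem

# Steve's check: trust only the root, offer everything else as untrusted,
# and require the leaf to be usable as a TLS client certificate.
# Exit status 0 means the chain builds and verifies; non-zero means it does not.
verify_client() {
  openssl verify -CAfile root.pem -untrusted "$1" -purpose sslclient client.pem
}

echo "== full chain =="
verify_client chain.pem            # prints "client.pem: OK"

echo "== chain with CA 2 missing =="
# This is the situation Steve asked about: the server cannot link CA 3 to the
# root, so verification fails with "unable to get local issuer certificate".
verify_client ca3.pem || echo "verification failed as expected (exit $?)"
```

If the full-chain run fails while the on-the-wire capture shows all four certificates, the problem is on the server side (the root is not actually in the store the `SSL_CTX` uses, or the store is populated after the context was copied), not in what the client sends.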