Hello,

I am going crazy!
In one application I insert CA certificates and CRLs in the X509_STORE. This store is included in the SSL_CTX. No problem. The certificate verification process during handshake runs like a charm.

In a second application, I create an X509_STORE and try to insert my CA certificates and CRL lists, and right at the FIRST insertion of a CA I get: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table

It is not possible: the store is empty!

I even tried to create a dummy SSL_CTX and use its store like I do in the other application (I imagined that the SSL_CTX creation might perform some initialisation in the store...): same result, i.e. the same code runs smoothly in one application and not in the second one!

I compared the compilation environment (command parameters, includes) and didn't find any significant difference, except that the second application is compiled with the option "-D_FILE_OFFSET_BITS=64". Could it be the cause of my misery?

Here is the code:


#include <openssl/ssl.h>

   /* Allocate the store that will hold the CA certificates and CRLs */
   if ( (G_store = X509_STORE_new()) == NULL){
       trace_s(O_UTL, 0, LV_ERR, "Erreur à l'allocation du X509_STORE pour CAs et CRLs.");
       return(-1);
   }
   /* Add the CA certificates from the global list to the store */
   CA = Gl_listeCA;
   while (CA != NULL){
       if (!(err = X509_STORE_add_cert(G_store, CA->x509))) {
           trace_si(O_UTL, 0, LV_ERR, "Erreur à l'insertion d'un certificat dans le STORE.CA N° :", CA->num);
           X509_NAME_oneline(X509_get_subject_name(CA->x509), bid, sizeof(bid)-1);
           trace_ss(O_UTL, 0, LV_ERR, "        Sujet      :", bid);
           X509_NAME_oneline(X509_get_issuer_name(CA->x509), bid, sizeof(bid)-1);
           trace_ss(O_UTL, 0, LV_ERR, "        Sujet      :", bid);
           trace_si(O_UTL, 0, LV_ERR, "Erreur :", err);
           err = ERR_get_error();
           trace_ss(O_UTL, 0, LV_ERR, "    ", ERR_error_string(err, NULL));
           flush_trace();
       }
   }

The "CA" is a structure containing the certificate in 2 formats (DER and the internal X509 structure) and some other information. Gl_listeCA is a global chained list of these structures. It's the same architecture in the running application. The X509 looks correct: the subject and the issuer are extracted without any problem in order to print details on the error.

Compilation parameters:
gcc -c -g -ggdb -D_FILE_OFFSET_BITS=64 -Wno-comment -Wno-unused -ansi -D_BSD_SOURCE -D_XOPEN_SOURCE -Dunix

Both applications are linked with libcrypto and libssl 0.9.8

Thanks in advance for any clue!

--
Francis GASCHET / NUMLOG
http://www.numlog.fr
Tel.: +33 (0) 130 791 616
Fax.: +33 (0) 130 819 286


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org