> From: owner-openssl-us...@openssl.org On Behalf Of David Coulson
> Sent: Wednesday, 30 March, 2011 10:24

> On 3/30/11 8:33 AM, Crypto Sal wrote:
> > David:
> >
> > Firefox caches that information, so that it can use them later if you
> > view a similar certificate hierarchy.
> >
> > If you view the Firefox Certificate Manager you should see "Software
> > Security Device" vs. that of "Built in Object" next to each of the
> > certificates in question outside of the Entrust Root CA, which should
> > say 'Built In...'.

> Understood - Is there a way to mimic this functionality with OpenSSL via
> CAfile or CApath? So far not having much luck doing that. I pretty much
> want to put the root & intermediate CA files somewhere and have my
> s_client test utilize those for chaining, rather than what the web
> server sends over.
> 
As the manpage says, for s_client:
-CAfile with one PEM file containing all needed certs, or
-CApath with a directory containing each cert in its own PEM file
linked as, or directly named, a hash of the (canonical) subject.
On Unix opensslinstall/bin/c_rehash should do this for you;
on Windows I don't have any easy way and just prefer -CAfile.

For your own app, call SSL_[CTX_]load_verify_locations 
with the same argument values (derived however you like).

But one thing that isn't stressed: openssl insists on 
verifying up to a root always. Even if an intermediate cert 
is in the truststore that isn't enough to verify the chain.

And I don't think openssl will use the store to *override* 
what the server sends. It will *add* *missing* ones.
Normally this shouldn't matter, because a given cert must 
always be the same; if altered, it's no longer valid.
But when I looked briefly before at the s_client output 
and site you posted, there appeared to be two *different* certs 
for "Digicert High Assurance EV Root CA" -- same pubkey and SKID, 
but different validity and issuer/serial (at least). 
I'm not sure why, but look carefully at what/which you get.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
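The -CAfile and -CApath layouts described in the reply above, and the point that an intermediate alone in the truststore does not verify a chain, as an added example that is not part of the original thread. It builds a throwaway root, intermediate and leaf with openssl (all names are constructed), lays the CApath out the way c_rehash does (one cert per file named by subject hash), and uses `openssl verify` in place of s_client so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread: a throwaway root -> intermediate -> leaf
# chain built with openssl, used to show (a) the CApath layout that c_rehash produces
# (one cert per file, named <subject_hash>.0) and (b) that an intermediate alone in the
# truststore is not enough, because openssl verifies up to a root. All names are constructed.
set -eu
WORK=$(mktemp -d)

# CA extensions for root and intermediate; req config with an empty DN section (we pass -subj).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
{ printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n'; cat "$WORK/ca.ext"; } > "$WORK/req.cnf"

# Root (self-signed), intermediate (signed by root), leaf (signed by intermediate).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
  -subj "/CN=Example Test Root" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=Example Test Intermediate" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
  -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null

# -CAfile form: one PEM file holding every trusted cert.
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle.pem"

# -CApath form: what c_rehash does, by hand. Copies are used here; c_rehash makes symlinks.
mkdir "$WORK/capath"
for c in root int; do
  h=$(openssl x509 -noout -subject_hash -in "$WORK/$c.pem")
  cp "$WORK/$c.pem" "$WORK/capath/$h.0"
done

# verify_leaf: run openssl verify with the given arguments and report ok/fail.
verify_leaf() {
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "CApath (root+intermediate):        $(verify_leaf -CApath "$WORK/capath" "$WORK/leaf.pem")"
echo "CAfile bundle (root+intermediate): $(verify_leaf -CAfile "$WORK/bundle.pem" "$WORK/leaf.pem")"
echo "CAfile root, intermediate 'sent':  $(verify_leaf -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem")"
echo "CAfile root only, nothing 'sent':  $(verify_leaf -CAfile "$WORK/root.pem" "$WORK/leaf.pem")"
echo "CAfile intermediate only:          $(verify_leaf -CAfile "$WORK/int.pem" "$WORK/leaf.pem")"
echo "Test material left in $WORK"
```

The `-untrusted` line plays the role of the chain a server sends: the store supplies the root, the peer supplies the intermediate, and only the last two lines fail, for a missing intermediate and for a store with no root respectively.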