2011/10/9 Lucas Clemente Vella <lve...@gmail.com>:
> First of all, I am not a direct user of the OpenSSL library, but I am
> using it via Python 2.7 built-in module ssl, which in turn uses
> OpenSSL. Since my problem is SSL specific, I thought people here would
> be more apt to help me.
Now I wrote the C code using directly OpenSSL, and I get the same problem:

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>

int main(void)
{
    long ret;
    char name[256];
    BIO *bio;
    SSL_CTX *ctx;
    SSL *ssl;
    X509 *cert;

    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_BIO_strings();

    ctx = SSL_CTX_new(TLSv1_client_method());
    /* Trust only this one root certificate file (no directory). */
    if (SSL_CTX_load_verify_locations(ctx, "DigiCertHighAssuranceEVRootCA.crt", NULL) != 1) {
        ERR_print_errors_fp(stderr);
        return 1;
    }

    bio = BIO_new_ssl_connect(ctx);
    BIO_get_ssl(bio, &ssl);
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
    BIO_set_conn_hostname(bio, "graph.facebook.com:443");
    if (BIO_do_connect(bio) <= 0) {
        ERR_print_errors_fp(stderr);
        return 1;
    }

    /* With the default SSL_VERIFY_NONE the handshake completes even when
     * verification fails, so the result has to be read back explicitly. */
    cert = SSL_get_peer_certificate(ssl);
    ret = SSL_get_verify_result(ssl);
    if (cert != NULL) {
        /* X509_NAME_oneline yields the same "/C=.../CN=..." string as the
         * old cert->name field, and also works when X509 is opaque. */
        X509_NAME_oneline(X509_get_subject_name(cert), name, sizeof name);
        printf("Cert: %s\n", name);
        X509_free(cert);
    }
    printf("Ret %ld\n", ret);

    BIO_free_all(bio);
    SSL_CTX_free(ctx);
    return 0;
}

By running it, I get:

$ ssl_test
Cert: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
Ret 20

where Ret 20 means, according to 'man verify':

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

where I would expect:

0 X509_V_OK

Then I found this directory in my system, "/etc/ssl/certs", containing my installed CA roots, which I provided to OpenSSL, instead of the certificate file:

SSL_CTX_load_verify_locations(ctx, NULL, "/etc/ssl/certs");

By running again, I get "Ret 0", meaning X509_V_OK and the host was verified.

It seems to me that there is one certificate installed in /etc/ssl/certs, which is different from the one I was providing, that is being used to verify the host. If it is so, how can I know what certificate is being used? And why do Firefox and Chrome both use the former certificate I provided, while OpenSSL is unable to use it for the same host?

--
Lucas Clemente Vella
lve...@gmail.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org