Hi, One more question here: In case of a server application, it is expected to send the intermediate certificates to the client. And in this case, is this API -- SSL_CTX_load_verify_locations() sufficient to be used? Or is there a separate API to send the intermediate CA certificates across to the client? P.S. My previous query also is unanswered. It would be great if I get some responses to that also ;)
Regds, Ashok ---------- Forwarded message ---------- From: Ashok C <ash....@gmail.com> Date: Wed, Nov 23, 2011 at 12:55 PM Subject: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg. To: openssl-users@openssl.org Hi, We are implementing multi-layer support for our openssl-based PKI solution and had the following query: Currently our PKI solution supports only single layer CA support and we use SSL_CTX_load_verify_locations API with the CAFile option, meaning that the service loads the CA certificate from a PEM file. When testing multi-layer support between a client-server model with *SSL_VERIFY_PEER *set to true, we observed that using the CAFile(with all CA certificates- root + intermediate concatenated into a single PEM file) does not work anymore. But using CAPath option (storing each CA in separate file, creating hashes for them in a directory and providing that directory in CAPath) seems to work fine. Is this a known bug with openSSL or is it something that we are doing wrong.* * Also, from the openSSL community perspective, is it advisable to use CAFile option or CAPath option when providing multi-layer support? Regds, Ashok
