Hi,

One more question here:
In the case of a server application, it is expected to send the intermediate
certificates to the client. In this case, is this API,
SSL_CTX_load_verify_locations(), sufficient to be used? Or is there a
separate API to send the intermediate CA certificates across to the client?
P.S. My previous query is also unanswered. It would be great if I get some
responses to that also ;)

Regds,
Ashok

---------- Forwarded message ----------
From: Ashok C <ash....@gmail.com>
Date: Wed, Nov 23, 2011 at 12:55 PM
Subject: Usage of CAPath/CAFile options in int SSL_CTX_load_verify_locations Reg.
To: openssl-users@openssl.org


Hi,

We are implementing multi-layer support for our openssl-based PKI solution
and had the following query:

Currently our PKI solution supports only single-layer CA support, and we use
the SSL_CTX_load_verify_locations API with the CAFile option, meaning that the
service loads the CA certificate from a PEM file.
When testing multi-layer support between a client-server model with
SSL_VERIFY_PEER set to true, we observed that using CAFile (with all CA
certificates, root + intermediate, concatenated into a single PEM file) does
not work anymore. But using the CAPath option (storing each CA in a separate
file, creating hashes for them in a directory and providing that directory in
CAPath) seems to work fine. Is this a known bug with OpenSSL or is it
something that we are doing wrong?

Also, from the OpenSSL community perspective, is it advisable to use the CAFile
option or the CAPath option when providing multi-layer support?



Regds,
Ashok
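The following is an added example; it is not part of Ashok's post and not OpenSSL project code. It uses the openssl command-line tool to build a two-tier CA (root, intermediate, server) and then checks the server certificate the same way the library does during a handshake: `-CAfile` corresponds to the CAfile argument of SSL_CTX_load_verify_locations(), `-CApath` to its CApath argument, and `-untrusted server-chain.pem` stands in for the intermediate that a server sends on the wire. The CA names, the host name server.example, the file names and the scratch-directory layout are all invented for this demonstration, and the config profiles (v3_ca, v3_leaf) are written inline so nothing depends on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the original post): build a root -> intermediate -> server
# chain with the OpenSSL command-line tool, then verify the server certificate the
# way an OpenSSL client does, using the two trust-store forms that
# SSL_CTX_load_verify_locations() accepts. Names (Example Root CA, server.example)
# and file names are made up for this demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config file for every step: a CA profile (v3_ca) and a server profile (v3_leaf).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.example
EOF

# Self-signed root CA.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config ca.cnf -extensions v3_ca -subj "/CN=Example Root CA" \
    -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null

# Server certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
    -subj "/CN=server.example" -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.cnf -extensions v3_leaf -out server.pem 2>/dev/null

# Trust-store form 1: one PEM file with root and intermediate concatenated (CAfile).
cat root.pem int.pem > ca-bundle.pem

# Trust-store form 2: one file per CA, named by subject hash (CApath).
mkdir capath
for ca in root.pem int.pem; do
    cp "$ca" "capath/$(openssl x509 -noout -subject_hash -in "$ca").0"
done

# What the server should load with SSL_CTX_use_certificate_chain_file(): its own
# certificate first, followed by the intermediate(s), so the client receives them.
cat server.pem int.pem > server-chain.pem

# Run the client-side check for a given trust-store layout; prints "ok" or "fail".
# Matching on ": OK" rather than the exit status keeps this working on old releases.
check_chain() {
    case "$1" in
        cafile)     set -- -CAfile ca-bundle.pem "$2" ;;
        capath)     set -- -CApath capath "$2" ;;
        root-only)  set -- -CAfile root.pem "$2" ;;
        root+chain) set -- -CAfile root.pem -untrusted server-chain.pem "$2" ;;
        *)          echo "unknown mode: $1" >&2; return 2 ;;
    esac
    if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo ok; else echo fail; fi
}

for mode in cafile capath root-only root+chain; do
    printf '%-11s %s\n' "$mode" "$(check_chain "$mode" server.pem)"
done
```

On a current OpenSSL the first two lines print ok: both the concatenated CAfile and the hashed CApath directory let the client build server -> intermediate -> root. The last two lines illustrate the second question. SSL_CTX_load_verify_locations() only declares what the local side trusts; it never causes anything to be sent. A client that trusts only the root (root-only) fails with "unable to get local issuer certificate" unless the server presents the intermediate (root+chain, which prints ok), and a server does that by loading a file laid out like server-chain.pem, leaf first and issuers after it, with SSL_CTX_use_certificate_chain_file() instead of SSL_CTX_use_certificate_file().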
