Good day,

I'm using the attached code to connect to a server. This worked perfectly until 
I had to exchange the certificate, which now needs two additional intermediate 
certs. All certs are merged within one file. The code can handle certificate 
chains, as it is able to connect to another server with the same certificate.

I tried to connect to the server with my new certificate using openssl and it 
works fine:

openssl s_client -connect the.server.net:700 -cert myCert.pem -CApath mycapath


Summary:

a.) myCode + myCert           -- can connect to ----> server A
b.) myCode + myCert           -- can't connect to --> server B
c.) openssl s_client + myCert -- can connect to ----> server A
d.) openssl s_client + myCert -- can connect to ----> server B

For b.) I found the following error:
3071740832:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42

----- <code> -----

#include <stdio.h>
#include <syslog.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* socket is an already connected TCP socket; returns 1 on success, 0 on failure */
int ssl_connect_client(int socket)
{
        SSL_CTX *ctx;
        SSL *ssl;
        int t;

        SSL_load_error_strings();
        SSLeay_add_ssl_algorithms();
        ctx = SSL_CTX_new(SSLv23_client_method());

        /* trust anchors for verifying the server: hashed directory mycapath */
        SSL_CTX_load_verify_locations(ctx, NULL, "mycapath");
        SSL_CTX_set_verify_depth(ctx, 5);
        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
        /* client private key and certificate chain (leaf first) from one PEM file */
        SSL_CTX_use_RSAPrivateKey_file(ctx, "myCert.pem", SSL_FILETYPE_PEM);
        SSL_CTX_use_certificate_chain_file(ctx, "myCert.pem");

        ssl = SSL_new(ctx);
        SSL_CTX_free(ctx);          /* ssl keeps its own reference to ctx */
        SSL_set_fd(ssl, socket);
        SSL_set_connect_state(ssl);

        if ((t = SSL_connect(ssl)) > 0)
        {
                syslog(LOG_DEBUG, "SSL-connection successful.\n");
                return(1);
        }
        ERR_print_errors_fp(stderr);
        return(0);
}

----- </code> -----

To keep it readable I've removed the error-checking code. All paths (myCert, 
mycapath) are valid and accessible.


So, any idea why this doesn't work would be greatly appreciated.
     - Alexandra

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
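Added example (not part of the post above, and not code from the OpenSSL project): alert 42 "bad certificate" is sent by the server after it has received the client's certificate, so it reports that the server's own verification of that certificate failed; the client only learns that the peer rejected it. Two things are worth checking locally before looking at the server: whether the verifying side can build the chain at all when the intermediates are missing, and whether the PEM bundle handed to SSL_CTX_use_certificate_chain_file lists the leaf first and then the intermediates. The script below builds a throwaway root/intermediate/client PKI with the openssl command line (all names such as TestRoot, TestInt and TestClient and all file names are made up for the demo) and runs both checks; it assumes the openssl binary, mktemp and grep are available.

```shell
#!/bin/sh
# Added example: reproduce the chain problem with a throwaway PKI.
# All subject names and file names here are constructed for the demo.

# Create root -> intermediate -> client leaf certificates under directory $1.
make_test_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Without basicConstraints CA:TRUE, OpenSSL refuses to use a
    # non-self-signed certificate as an issuer, so the intermediate needs it.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestRoot \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=TestInt \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -set_serial 2 -in "$dir/int.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -extfile "$dir/ca.ext" \
        -out "$dir/int.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj /CN=TestClient \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -days 1 -set_serial 3 -in "$dir/client.csr" \
        -CA "$dir/int.pem" -CAkey "$dir/int.key" -extfile "$dir/leaf.ext" \
        -out "$dir/client.pem" 2>/dev/null || return 1
    # Bundle in the order SSL_CTX_use_certificate_chain_file expects: leaf first,
    # then the intermediates (the root is not needed in the bundle).
    cat "$dir/client.pem" "$dir/int.pem" > "$dir/chain.pem"
}

# Succeeds only when the verifier has the intermediate, which is what the peer
# gets when the client sends its full chain (or has it in its own store).
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/client.pem" >/dev/null 2>&1
}

# Same leaf, intermediate unavailable: "unable to get local issuer certificate".
# A server in this state answers the client certificate with alert 42.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1
}

# Print subject and issuer of every certificate in a PEM bundle, in file order,
# so leaf-first ordering and issuer/subject linkage can be checked by eye.
show_bundle_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Number of certificates in a PEM bundle; 1 means no intermediates are bundled.
count_bundle_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    echo "bundle order (expect TestClient first, then TestInt):"
    show_bundle_order "$d/chain.pem"
    verify_with_intermediate "$d" && echo "with intermediate: OK"
    verify_without_intermediate "$d" || echo "without intermediate: FAILS"
    rm -rf "$d"
fi
```

Run it as `sh chain-check.sh demo`. Applied to a real bundle, `show_bundle_order myCert.pem` should print the leaf first with each issuer line matching the subject of the certificate that follows it; if the server side fails even though the bundle is right, the server is missing the intermediate or root in its own trust store, and that is where the fix belongs.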