Sorry for the long delay. I moved and had some holidays afterwards. So I have
been away from work for some time.

On Wednesday, 8 August 2012, 00:44:20 you wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke
> > Sent: Tuesday, 07 August, 2012 08:02
> > 
> > I'm using the attached code to connect to a server. This
> > works perfectly until
> > I had to exchange the certificate which now needs two
> > additional intermediate
> > certs. All certs are merged within one file. The code can
> > handle certificate
> > chains as it is able to connect to another server with the
> > same certificate.
> 
> The EE cert and intermediate certs *and* privatekey, since
> otherwise you would have gotten errors you don't report.

Yes, of course. I didn't mention them but all certs and keys are included
except for the root-certificate.

> > I tried to connect the server with my new certificate using
> > openssl and it
> > works fine:
> > 
> > openssl s_client -connect the.server.net:700 -cert myCert.pem
> > -CApath mycapath
> 
> s_client calls use_certificate, not use_certificate_chain,

Okay, this explains the different behaviour.

> to fill out the (client) chain. If not, apparently your servers
> don't need you to send the full chain; it's entirely possible a
> server has intermediate certs in its truststore and uses them.

Well, I have to send the full chain as the server obviously does not have any 
intermediate certs in its truststore. Moreover I could fix the problem by 
adding the root-certificate to the chain. I expected the root-cert to be 
present on the server-side since the server sends a list of accepted CAs. It 
doesn't make sense to me, though; anyway, it fixes the problem.


Thanks a lot
     - Alexandra



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
