Sorry for the long delay. I moved and had some holidays afterwards, so I have been away from work for some time.
On Wednesday, 8 August 2012, 00:44:20, you wrote:

> > From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke
> > Sent: Tuesday, 07 August, 2012 08:02
> >
> > I'm using the attached code to connect to a server. This works
> > perfectly until I had to exchange the certificate which now needs
> > two additional intermediate certs. All certs are merged within one
> > file. The code can handle certificate chains as it is able to
> > connect to another server with the same certificate.
> >
> The EE cert and intermediate certs *and* privatekey, since
> otherwise you would have gotten errors you don't report.

Yes, of course. I didn't mention them, but all certs and keys are included except for the root-certificate.

> > I tried to connect to the server with my new certificate using
> > openssl and it works fine:
> >
> > openssl s_client -connect the.server.net:700 -cert myCert.pem -CApath mycapath
> >
> s_client calls use_certificate, not use_certificate_chain,

Okay, this explains the different behaviour.

> to fill out the (client) chain. If not, apparently your servers
> don't need you to send the full chain; it's entirely possible a
> server has intermediate certs in its truststore and uses them.

Well, I have to send the full chain as the server obviously does not have any intermediate certs in its truststore. Moreover, I could fix the problem by adding the root-certificate to the chain. I expected the root-cert to be present on the server side, since the server sends a list of accepted CAs. It doesn't make sense to me, though anyway it fixes the problem.

Thanks a lot
- Alexandra

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org