Thanks Viktor. Could you explain the reason in the cases below? These are cases where we use both the APIs as mentioned above.

cert_file : Server's certificate
chain_file: Complete certificate chain; starting with Server's certificate, followed by intermediate CA certificate and ending with Root CA certificate

Scenario 1 - Failing case
SSL_CTX_use_certificate_file() : Loaded cert_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file
Test: When tried to connect to the server, only Server's certificate and Root CA certificate were presented in the CERTIFICATE message of the handshake; intermediate CA certificates were missing.

Scenario 2 - Successful case
SSL_CTX_use_certificate_file() : Loaded chain_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file
Test: When tried to connect to the server, complete certificate chain was presented in the CERTIFICATE message of the handshake.

On Wed, Jul 27, 2016 at 10:08 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

> On Wed, Jul 27, 2016 at 09:28:55PM +0530, john gloster wrote:
>
> > Can we use both the following APIs in the same application to load
> > certificate to the SSL context?
> >
> > *SSL_CTX_use_certificate_file()*
> > *SSL_CTX_use_certificate_chain_file()*
>
> For any given certificate chain use either one or the other, but
> in many cases SSL_CTX_use_certificate_chain_file() is the more
> convenient choice.
>
> > If we can how to use them?
>
>     ERR_clear_error();
>     if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
>         /* Handle error */
>     }
>     if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
>         /* Handle error */
>     }
>     if (!SSL_CTX_check_private_key(ctx)) {
>         /* Handle error */
>     }
>     /* Success */
>
> See the SSL_CTX_use_certificate(3) manpage for a more detailed
> description.
>
> --
> Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users