Thanks Victor.

Could you explain the reason in below cases? These are in cases when we use
both the APIs as mentioned above.

cert_file : Server's certifcate
chain_file: Complete certificate chain; starting with Server's certifcate,
followed by intermediate CA certificate and ending with Root CA certificate


Scenario 1 - Failing case

SSL_CTX_use_certificate_file() : Loaded cert_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Test: When tried to connect to the server, only Server's certificate and
Root CA certificate were presented in the CERTIFICATE message of the
handshake; intermediate CA certificates were missing.

Scenario 2 - Successful case

SSL_CTX_use_certificate_file() : Loaded chain_file
SSL_CTX_use_certificate_chain_file() : Loaded chain_file

Test: When tried to connect to the server, complete certificate chain was
presented in the CERTIFICATE message of the handshake.







On Wed, Jul 27, 2016 at 10:08 PM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:

> On Wed, Jul 27, 2016 at 09:28:55PM +0530, john gloster wrote:
>
> > Can we use both the following APIs in the same application to load
> > certificate to the SSL context?
> >
> > *SSL_CTX_use_certificate_file()*
> > *SSL_CTX_use_certificate_chain_file()*
>
> For any given certificate chain use either one or the other, but
> in many cases SSL_CTX_use_certificate_chain_file() is the more
> convenient choice.
>
> > If we can how to use them?
>
>     ERR_clear_error();
>     if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
>         /* Handle error */
>     }
>     if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0)
> {
>         /* Handle error */
>     }
>     if (!SSL_CTX_check_private_key(ctx)) {
>         /* Handle error */
>     }
>     /* Success */
>
> See the SSL_CTX_use_certificate(3) manpage for a more detailed
> description.
>
> --
>         Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to