On 29/12/14 08:32, Jerry OELoo wrote:
> Hi.
> I am using X509_STORE_CTX_get1_chain() to construct the certificate chain
> based on the local root CA store. Now it works fine.
>
> But when I access this website, https://www.sgetvous.societegenerale.fr/
> I get a very strange result.
>
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
>
> As above, the CN points to *.talkspirit.com. What is this?
>
> But https://www.ssllabs.com/ssltest/analyze.html?d=www.sgetvous.societegenerale.fr
> gives the same result as the browser shows: the certificate is signed by
> VeriSign.
>
> What's the problem? Thanks!

You need to call SSL_set_tlsext_host_name. If I connect to the above
server using:

openssl s_client -connect www.sgetvous.societegenerale.fr:443

then I get the above certificate. If however I connect using:

openssl s_client -connect www.sgetvous.societegenerale.fr:443 -servername www.sgetvous.societegenerale.fr

I get the correct one. The server is using SNI, so it needs to know the
hostname you are trying to connect to in order to provide you with the
correct certificate.

Matt
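The behaviour Matt describes, as an added example that is not part of the original thread and not OpenSSL's own code: it uses Python's ssl module (a wrapper around libssl) to drive a client handshake against a pair of in-memory BIOs, so the ClientHello is produced offline without any network access, once with server_hostname set (which is what makes Python call SSL_set_tlsext_host_name) and once without, and then parses the server_name extension (RFC 6066) out of the raw record. The function names build_client_hello, sni_from_client_hello and peer_subject_with_sni are my own; the parser assumes the whole ClientHello sits in one TLS record, which is how OpenSSL sends it; and the check_hostname=False / CERT_NONE settings exist only to reproduce the no-SNI hello from the question and are not something to ship.

```python
import socket
import ssl

SNI_EXT_TYPE = 0x0000  # server_name extension, RFC 6066


def build_client_hello(server_hostname):
    """Drive an OpenSSL client handshake just far enough to emit its ClientHello.

    Nothing touches the network: the SSLObject reads from and writes to
    MemoryBIOs, so the first do_handshake() writes the ClientHello into
    `outgoing` and then raises SSLWantReadError while waiting for a ServerHello.
    Returns the raw TLS record bytes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_hostname is None:
        # Reproduce the poster's situation: no hostname ever reaches OpenSSL.
        # Python refuses to verify a hostname it was never given, so this branch
        # has to switch verification off. Illustration only; do not copy this.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # server_hostname is the knob that makes Python call SSL_set_tlsext_host_name().
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; OpenSSL now wants the ServerHello
    return outgoing.read()


def _be(b):
    """Big-endian unsigned integer from a byte slice (TLS length fields)."""
    return int.from_bytes(b, "big")


def sni_from_client_hello(record):
    """Return the host_name carried in the server_name extension, or None.

    Assumes the ClientHello fits in a single TLS record (OpenSSL sends it that
    way); a fragmented hello would need record reassembly before parsing.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _be(record[3:5])]          # strip the 5-byte record header
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + _be(body[1:4])]             # strip the 4-byte handshake header
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + hello[pos]                          # legacy_session_id
    pos += 2 + _be(hello[pos:pos + 2])             # cipher_suites
    pos += 1 + hello[pos]                          # legacy_compression_methods
    if pos + 2 > len(hello):
        return None                                # no extensions block at all
    end = pos + 2 + _be(hello[pos:pos + 2])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _be(hello[pos:pos + 2]), _be(hello[pos + 2:pos + 4])
        ext = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        # ServerNameList: 2-byte list length, then entries of
        # name_type (1 byte), name length (2 bytes), name.
        i = 2
        while i + 3 <= len(ext):
            name_type, name_len = ext[i], _be(ext[i + 1:i + 3])
            name = ext[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == 0:                     # host_name
                return name.decode("ascii")
    return None


def peer_subject_with_sni(host, port=443):
    """The fix for a real connection: pass the hostname so SNI is sent and the
    server can pick the matching certificate. Network-dependent, so it is only
    called from __main__ and not from the offline demonstration above."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    host = "www.sgetvous.societegenerale.fr"
    print("SNI with server_hostname:   ", sni_from_client_hello(build_client_hello(host)))
    print("SNI without server_hostname:", sni_from_client_hello(build_client_hello(None)))
```

Running the two offline cases shows the hostname in the first ClientHello and no server_name extension at all in the second, which is exactly what the poster's client was sending and why the server answered with its default (*.talkspirit.com) certificate. In the C API the equivalent of the server_hostname argument is SSL_set_tlsext_host_name(ssl, host) before SSL_connect(); note that this only selects the certificate, and hostname verification of the returned chain is a separate step.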