Thanks Jeffrey & Matt.

Now I have one more question. I do not want to make the code use the TLSv1 method and SSL_set_tlsext_host_name to query all websites; I just want to, when I encounter this issue, construct TLSv1 and set the SNI name to query the certificate. So how can I get this kind of information, or what is the correct coding process when supporting SNI and non-SNI websites? Thanks!

On Mon, Dec 29, 2014 at 5:20 PM, Matt Caswell <matt at openssl.org> wrote:
>
>
> On 29/12/14 08:32, Jerry OELoo wrote:
>> Hi.
>> I am using X509_STORE_CTX_get1_chain() to construct the certificate chain
>> based on the local root CA store. Now it works fine.
>>
>> But when I access this website, https://www.sgetvous.societegenerale.fr/
>> I get a very strange result.
>>
>> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[20]
>> Peer cert subject[/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA] depth[1] error[27]
>> Peer cert subject[/OU=Domain Control Validated/OU=Gandi Standard
>> Wildcard SSL/CN=*.talkspirit.com] depth[0] error[27]
>>
>> As above, the CN points to *.talkspirit.com; what is this?
>>
>> But https://www.ssllabs.com/ssltest/analyze.html?d=www.sgetvous.societegenerale.fr
>> gives the same result as the browser shows: the certificate is signed by
>> VeriSign.
>>
>> What's the problem? Thanks!
>>
>>
> You need to call SSL_set_tlsext_host_name. If I connect to the above
> server using:
>
> openssl s_client -connect www.sgetvous.societegenerale.fr:443
>
> Then I get the above certificate. If however I connect using:
>
> openssl s_client -connect www.sgetvous.societegenerale.fr:443 \
>   -servername www.sgetvous.societegenerale.fr
>
> I get the correct one. The server is using SNI so needs to know the
> hostname you are trying to connect to in order to provide you with the
> correct certificate.
>
> Matt
> _______________________________________________
> openssl-users mailing list
> openssl-users at openssl.org
> https://mta.opensslfoundation.net/mailman/listinfo/openssl-users

--
Rejoice, I Desire!
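An added, self-contained reproduction of the behaviour Matt describes; this is not code from the thread. A client cannot learn in advance whether a server relies on SNI: a server that ignores the extension (or a non-SNI server that simply does not implement it) behaves identically to a client that sends it, so the usual practice is a single code path that always sends the intended hostname (SSL_set_tlsext_host_name before SSL_connect in the C API; server_hostname= in Python's ssl module, which calls the same function) and then verifies the certificate against that same name. The script below stands up a local TLS server that holds a default certificate plus one for a virtual host, selects between them with an SNI callback, and handshakes twice, once without SNI and once with it, returning which certificate the server presented. The hostnames (www.sgetvous.example, default.example), the 127.0.0.1 listener, the self-signed throwaway certificates generated with the openssl CLI, and the SniDemoServer class are all assumptions of this example.

```python
"""Added example: why omitting SNI yields the wrong certificate (not from the thread)."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(directory, cn):
    """Throwaway self-signed cert/key pair made with the openssl CLI (assumed present)."""
    key = os.path.join(directory, cn + ".key")
    crt = os.path.join(directory, cn + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
         "-out", crt, "-subj", "/CN=" + cn, "-days", "1"],
        check=True, capture_output=True)
    return crt, key


def der_of(pem_path):
    """DER bytes of a PEM certificate file, so presented certs can be compared exactly."""
    with open(pem_path) as f:
        return ssl.PEM_cert_to_DER_cert(f.read())


class SniDemoServer:
    """Minimal TLS server on 127.0.0.1 that picks its certificate from the SNI extension."""

    def __init__(self, default_crt, default_key, vhosts):
        self.default_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.default_ctx.load_cert_chain(default_crt, default_key)
        self.vhost_ctx = {}
        for name, (crt, key) in vhosts.items():
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(crt, key)
            self.vhost_ctx[name] = ctx
        # Runs during the handshake with the ClientHello's server_name (None when the
        # client sent no SNI); swapping the context swaps the certificate presented.
        self.default_ctx.sni_callback = self._select_context
        self._stop = threading.Event()

    def _select_context(self, sslsock, server_name, _ctx):
        if server_name in self.vhost_ctx:
            sslsock.context = self.vhost_ctx[server_name]
        return None  # None = continue the handshake

    def start(self):
        self._lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._lsock.bind(("127.0.0.1", 0))
        self._lsock.listen(5)
        self._lsock.settimeout(0.2)  # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self._lsock.getsockname()[1]

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._lsock.accept()
            except socket.timeout:
                continue
            conn.settimeout(5)
            try:
                with self.default_ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # handshake is done; wait for the client to hang up
            except OSError:
                pass  # one failed connection must not stop the server
            finally:
                conn.close()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._lsock.close()


def peer_cert_der(port, server_hostname):
    """Handshake with the local server and return the certificate it presented.

    server_hostname=None sends no SNI (the situation in the thread); a string makes
    the ssl module call SSL_set_tlsext_host_name with it before SSL_connect.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # demo only: we inspect the cert, real clients verify it
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return tls.getpeercert(binary_form=True)


def run_demo(vhost="www.sgetvous.example", default_cn="default.example"):
    """Which certificate the server handed out with and without SNI (names are assumed)."""
    with tempfile.TemporaryDirectory() as d:
        default_crt, default_key = make_self_signed(d, default_cn)
        vhost_crt, vhost_key = make_self_signed(d, vhost)
        server = SniDemoServer(default_crt, default_key, {vhost: (vhost_crt, vhost_key)})
        port = server.start()
        try:
            without_sni = peer_cert_der(port, None)
            with_sni = peer_cert_der(port, vhost)
        finally:
            server.stop()
        return {
            "no_sni_gets_default": without_sni == der_of(default_crt),
            "no_sni_gets_vhost": without_sni == der_of(vhost_crt),
            "sni_gets_vhost": with_sni == der_of(vhost_crt),
        }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(check, result)
```

The client side never needs to know whether the server is SNI-based: the same peer_cert_der call with the hostname filled in is correct against both kinds of server, which is the answer to the "SNI and non-SNI websites" question. In a real client, pair the SNI name with hostname verification of the returned chain (in C, SSL_set1_host on OpenSSL 1.1.0 and later, or X509_VERIFY_PARAM_set1_host on the SSL's verify parameters) so that a wrong certificate such as the *.talkspirit.com one in the thread is rejected rather than silently accepted. Note also that openssl s_client in the 1.0.x releases current at the time of the thread only sends SNI when given -servername, while 1.1.1 and later send the -connect host by default.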