I am using the 1.0.2 stable release and added the code below, but it still
gets Equifax while the browser gets GeoTrust Global CA.

    X509_VERIFY_PARAM *param;
    param = X509_VERIFY_PARAM_new();
    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
    SSL_CTX_set1_param(ctx, param);
    X509_VERIFY_PARAM_free(param);

On Mon, Nov 17, 2014 at 3:43 PM, Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
> On Mon, Nov 17, 2014 at 03:13:22PM +0800, Jerry OELoo wrote:
>
>> When I construct google's (www.google.com) certificate chain, it is
>> different from the browser's.
>>
>> [openssl API]
>> www.google.com -> Google Internet Authority G2 -> GeoTrust Global CA
>> -> Equifax Secure Certificate Authority
>
> This is what Google sends on the wire.
>
>> [IE/Chrome]
>> www.google.com -> Google Internet Authority G2 -> GeoTrust Global CA
>
> The browsers short-circuit the chain, by finding an alternative trusted
> issuer for "G2".
>
>> It seems openssl uses one certificate path with a "bridge cert" but
>> browsers use another certificate path, and in an answer, it said
>> "OpenSSL, which curl uses, is not, or at least not yet; thus you must
>> tell curl to give OpenSSL the Equifax root. (The OpenSSL 1.0.2
>> release, currently in beta, is announced to have enhancements in the
>> area of cert chain validation, which I haven't looked at in detail
>> yet.",
>
> Commit 9d2006d8 (1.0.2 branch) implements a new X509_V_FLAG_TRUSTED_FIRST
> flag which should give similar (to the browsers) results if set in
> the X509_STORE_CTX used to validate the chain via:
>
>     X509_VERIFY_PARAM_set_flags()
>
> and
>
>     SSL_CTX_set1_param()
>
> see apps/apps.c and apps/s_client.c
>
>> So is there any way that openssl 1.0.1j can solve this and construct
>> the same certificate path as browsers do?
>
> No, but it is far from clear why "this" is a problem. Google sends
> a chain signed by Equifax. So OpenSSL builds a chain with that.
> When Google stops sending the Equifax cert, OpenSSL will use the
> GeoTrust root CA if that's configured.
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users at openssl.org
> Automated List Manager                           majordomo at openssl.org

--
Rejoice, I Desire!
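The difference between the two chains above comes down to the order in which the verifier looks for an issuer: the peer-supplied (untrusted) certificates first, or the trust store first. The following is an added example, not code from this thread or from OpenSSL; it is a pure-Python model of that lookup order, with and without X509_V_FLAG_TRUSTED_FIRST, using the certificate names from the thread. Certificates are reduced to (subject, issuer) pairs and no signatures are checked, so it models only the path selection, not validation. The cross-signed GeoTrust certificate and the two self-signed roots are constructed test data.

```python
"""Model of X.509 chain building with and without X509_V_FLAG_TRUSTED_FIRST.

Added example: models the issuer-lookup order only (no signature checks).
Certificate names follow the thread; the cert objects are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_issuer(cert: Cert, pool: Sequence[Cert]) -> Optional[Cert]:
    """Return the first certificate in pool whose subject matches cert.issuer."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def build_chain(leaf: Cert, untrusted: Sequence[Cert], trusted: Sequence[Cert],
                trusted_first: bool = False, max_depth: int = 10) -> Tuple[List[Cert], bool]:
    """Build a chain from leaf to a trusted self-signed root.

    Legacy behaviour (flag clear): extend the chain from the peer-supplied
    certificates for as long as an issuer can be found there, then switch to
    the trust store. With trusted_first=True: before taking an issuer from the
    peer-supplied certificates, check whether the trust store already holds
    one, and stop walking the wire chain as soon as it does.
    Returns (chain, ok); ok is True only if the chain ends at a trusted root.
    """
    chain = [leaf]

    # Phase 1: walk the peer-supplied certificates.
    while not chain[-1].self_signed and len(chain) <= max_depth:
        if trusted_first and find_issuer(chain[-1], trusted) is not None:
            break  # a trusted issuer exists; do not keep following the wire chain
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None:
            break
        chain.append(nxt)

    # Phase 2: complete the chain from the trust store.
    while not chain[-1].self_signed and len(chain) <= max_depth:
        nxt = find_issuer(chain[-1], trusted)
        if nxt is None:
            return chain, False  # "unable to get issuer certificate"
        chain.append(nxt)

    # A self-signed end is trusted only if that exact certificate is in the store.
    return chain, chain[-1].self_signed and chain[-1] in trusted


# Constructed certificates named after the chain discussed in the thread.
LEAF = Cert("www.google.com", "Google Internet Authority G2")
G2 = Cert("Google Internet Authority G2", "GeoTrust Global CA")
GEOTRUST_CROSS = Cert("GeoTrust Global CA", "Equifax Secure Certificate Authority")
GEOTRUST_ROOT = Cert("GeoTrust Global CA", "GeoTrust Global CA")
EQUIFAX_ROOT = Cert("Equifax Secure Certificate Authority",
                    "Equifax Secure Certificate Authority")

# What the server sends on the wire: leaf, intermediate, cross-signed GeoTrust.
WIRE_CHAIN = [LEAF, G2, GEOTRUST_CROSS]


def demo(trust_store: Sequence[Cert], trusted_first: bool) -> Tuple[List[str], bool]:
    """Build the chain for the wire certificates and return (subject names, ok)."""
    chain, ok = build_chain(LEAF, WIRE_CHAIN[1:], trust_store, trusted_first)
    return [c.subject for c in chain], ok


if __name__ == "__main__":
    full_store = [GEOTRUST_ROOT, EQUIFAX_ROOT]
    no_equifax = [GEOTRUST_ROOT]
    print("legacy, both roots trusted:  ", demo(full_store, False))
    print("trusted-first, both roots:   ", demo(full_store, True))
    print("legacy, Equifax removed:     ", demo(no_equifax, False))
    print("trusted-first, Equifax removed:", demo(no_equifax, True))
```

With both roots in the store, the legacy order yields the four-certificate path ending at Equifax that the thread reports for OpenSSL, while trusted-first yields the three-certificate path the browsers show. With the Equifax root removed from the store, the legacy order fails because the cross-signed GeoTrust certificate taken from the wire has no issuer in the store (the situation the quoted curl answer describes), whereas trusted-first still succeeds via the GeoTrust root. Note that the flag changes the chain the verifier builds, not the chain the peer sends, so in OpenSSL SSL_get_peer_cert_chain() will still show the wire chain; the built chain is visible from the X509_STORE_CTX in a verify callback. Python's ssl module exposes the same option as ssl.VERIFY_X509_TRUSTED_FIRST in SSLContext.verify_flags.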