On Mon, Nov 16, 2015 at 01:10:19AM -0500, Viktor Dukhovni wrote:

> > You should probably explain what you're doing, and in what way OpenSSL 1.0.2
> > (all upstream versions) is not working the way you expect.

On Mon, Nov 16, 2015 at 12:22:48PM +0530, Jayalakshmi bhat wrote:

> Our device acts as a TLS/SSL client. The device receives a chain of
> certificates as part of the SSL handshake when it is trying to connect
> to a TLS/SSL server like SharePoint 365.

This is not a plausibly detailed explanation of how you're using OpenSSL
in your device.

> While validating the certificate chain from the server, "check_trust" fails
> with X509_V_ERR_CERT_UNTRUSTED.

OpenSSL 1.0.2 is broadly used, with no similar problem reports. You're
probably doing something atypical, and need to explain in technical detail
how you're configuring certificate verification.

> This had been working fine with OpenSSL 1.0.1c.

You can download
http://openssl.org/source/old/1.0.2/openssl-1.0.2c.tar.gz for yourself and
check that the code you claim to make the difference is simply not there.
If 1.0.2c is working and 1.0.2d is not, either you're using a modified
1.0.2c (seek support from whoever made the changes) or the problem lies
elsewhere.

> When I checked the code execution, check_trust was not being called in
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.

This is simply irrelevant; the change in question predates the 1.0.2 base
version.

> That is why I wanted to know whether it is mandatory for applications to
> set X509_VERIFY_PARAM in X509_STORE_CTX.

The question has a false premise and so makes no sense. Rather, you need to
forget about (param->trust) and focus on why your application is failing to
verify the peer certificate.

-- 
	Viktor.