OpenSSL 1.0.2d X509_verify_cert function does not work as used to with chain of certificates

On 16/11/15 06:52, Jayalakshmi bhat wrote:
> Hi Victor,
> 
> Thanks a lot for the detailed explanation.
> 
> Our device acts as a TLS/SSL client. The device receives a chain of
> certificates as part of the SSL handshake, when it is trying to get
> connected to a TLS/SSL server like sharepoint 365.
> 
> While validating the certificate chain from the server, "check_trust"
> fails with X509_V_ERR_CERT_UNTRUSTED.
> 
> This had been working fine with OpenSSL 1.0.1c. 
> 
> When I checked the code execution, check_trust was not being called in
> OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> 
> That is why I wanted to know whether it is mandatory for applications to
> set X509_VERIFY_PARAM in X509_STORE_CTX.


Are you able to share the certificates that the server provides you
with? Also the root certificate you are using.

It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
least want to verify the hostname through a call to
"X509_VERIFY_PARAM_set1_host"). Are you currently doing anything like this?

Matt

