Hi Matt,

Thank you for the response. I have attached the certificate details. My apologies, I am not supposed to share the certificates.

We are not using X509_VERIFY_PARAM_xxx APIs. We are using 4 certificates with the device:

1. Root CA - Baltimore CyberTrust Root
2. Intermediate CA-1 - Microsoft Internet Authority
3. Intermediate CA-2 - Microsoft IT SSL SHA2
4. ID certificate - *.sharepoint.com

Intermediate CAs are issued by the above Root CA. The issue is seen when all 4 certificates are installed. The error happens with the intermediate CA-2: check_trust returns X509_TRUST_UNTRUSTED. However, if I do not install intermediate CA-2, things work fine.

Any help is well appreciated.

Regards,
Jayalakshmi

On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <matt at openssl.org> wrote:
>
> On 16/11/15 06:52, Jayalakshmi bhat wrote:
> > Hi Victor,
> >
> > Thanks a lot for the detailed explanation.
> >
> > Our device acts as a TLS/SSL client. The device receives a chain of
> > certificates as part of the SSL handshake when it is trying to get
> > connected to a TLS/SSL server like SharePoint 365.
> >
> > While validating the certificate chain from the server, "check_trust"
> > fails with X509_V_ERR_CERT_UNTRUSTED.
> >
> > This had been working fine with OpenSSL 1.0.1c.
> >
> > When I checked the code execution, check_trust was not being called in
> > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> >
> > That is why I wanted to know whether it is mandatory for applications to
> > set X509_VERIFY_PARAM in X509_STORE_CTX.
>
> Are you able to share the certificates that the server provides you
> with? Also the root certificate you are using.
>
> It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
> least want to verify the hostname through a call to
> "X509_VERIFY_PARAM_set1_host"). Are you currently doing anything like this?
>
> Matt
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Attached certificate details:

ID CERTIFICATE
Version: 3
Serial Number: 4F 5D 8E A9 00 01 00 00 D8 6F
Signature Algorithm: sha1RSA
Issuer: DC=com, DC=microsoft, DC=corp, DC=redmond, CN=MSIT Machine Auth CA 2
Valid From: 4/14/2014 10:01:07 PM UTC
Valid To: 4/13/2016 10:01:07 PM UTC
Subject: C=US, S=WA, L=Redmond, O=Microsoft, CN=*.sharepoint.com
Public Key: RSA, 2048 bits, Exponent 65537 (10001)
Extensions:
  Authority Key Identifier: KeyID=EB DB 11 5E F8 09 9E D8 D6 62 9C FD 62 9D E3 84 4A 28 E1 27
  Subject Key Identifier: F5 D0 5C 03 01 C3 D9 31 56 24 3F BF 26 4F 04 A7 D8 3C B3 CE
  Basic Constraints: (none)
  Key Usage: Data Encipherment (b0), Digital Signature, Key Encipherment (a0)
  Extended Key Usage: Client Authentication, Server Authentication
  Additional Extensions: Subject Alternative Name, CRL Distribution Points
  Subject Alternative Name: *.sharepoint.com, *.sharepoint.apac.microsoftonline.com, *.sharepoint.emea.microsoftonline.com, *.sharepoint.microsoftonline.com
Thumbprint: 3D A0 FF 58 AF 96 A0 BE 01 BB 7E 05 65 7C D7 89 27 F9 52 98

INTERMEDIATE CA-1
Version: 3
Serial Number: 07 27 6F AE
Signature Algorithm: sha1RSA
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Valid From: 4/25/2012 5:41:36 PM UTC
Valid To: 4/25/2020 5:40:55 PM UTC
Subject: CN=Microsoft Internet Authority
Public Key: RSA, 4096 bits, Exponent 65537 (10001)
Extensions:
  Authority Key Identifier: KeyID=E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A B5 04 4D F0
  Subject Key Identifier: 2A 4D 97 95 5D 34 7E 9D B6 E6 33 BE 9C 27 C1 70 7E 67 DB C1
  Basic Constraints: critical, CA: True
  Key Usage: Certificate Signing, CRL Signing (86), Digital Signature, Off-line CRL Signing
  Extended Key Usage: (none)
  Additional Extensions: Certificate Policies, CRL Distribution Points
  Subject Alternative Name: (none)
Thumbprint: 99 2A D4 4D 7D CE 29 8D E1 7E 6F 2F 56 A7 B9 CA A4 1D B9 3F

INTERMEDIATE CA-2
Version: 3
Serial Number: 07 27 9A A9
Signature Algorithm: sha256RSA
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Valid From: 12/19/2013 8:07:32 PM UTC
Valid To: 12/19/2017 8:06:55 PM UTC
Subject: C=US, S=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT SSL SHA2
Public Key: RSA, 4096 bits, Exponent 65537 (10001)
Extensions:
  Authority Key Identifier: KeyID=E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A B5 04 4D F0
  Subject Key Identifier: 51 AF 24 26 9C F4 68 22 57 80 26 2B 3B 46 62 15 7B 1E CC A5
  Basic Constraints: critical, CA: True
  Key Usage: Certificate Signing, CRL Signing (86), Digital Signature, Off-line CRL Signing
  Extended Key Usage: Client Authentication, Server Authentication
  Additional Extensions: Certificate Policies, CRL Distribution Points
  Subject Alternative Name: (none)
Thumbprint: 94 8E 16 52 58 62 40 D4 53 28 7A B6 9C AE B8 F2 F4 F0 21 17

ROOT CA
Version: 3
Serial Number: 02 00 00 B9
Signature Algorithm: sha1RSA
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Valid From: 5/12/2000 6:46:00 PM UTC
Valid To: 5/12/2025 11:59:00 PM UTC
Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Public Key: RSA, 2048 bits, Exponent 65537 (10001)
Extensions:
  Authority Key Identifier: (none)
  Subject Key Identifier: E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A B5 04 4D F0
  Basic Constraints: critical, CA: True
  Key Usage: Certificate Signing, Off-line CRL Signing
  Extended Key Usage: (none)
  Additional Extensions: (none)
  Subject Alternative Name: (none)
Thumbprint: D4 DE 20 D0 5E 66 FC 53 FE 1A 50 88 2C 78 DB 28 52 CA E4 74
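As an added illustration of the check_trust behaviour discussed in this thread (my own simplified Python model of the decision as I read it in OpenSSL 1.0.2's x509_vfy.c, not OpenSSL's source and not the poster's code): under the legacy "compat" rule a trust-store certificate that is not self-signed counts as untrusted unless it carries explicit trust settings or partial chains are allowed, so installing an intermediate as an anchor does not by itself make a chain that stops there trusted. The trust purpose label and all certificates are constructed.

```python
# Added illustration, not OpenSSL's code: a simplified Python model of the
# check_trust() decision in OpenSSL 1.0.2 over the certificates that came
# from the trust store. All certificates and names below are constructed.
from dataclasses import dataclass, field

X509_TRUST_TRUSTED, X509_TRUST_REJECTED, X509_TRUST_UNTRUSTED = 1, 2, 3
TRUST_SSL_SERVER = "serverAuth"  # trust purpose label used by this model

@dataclass
class Cert:
    subject: str
    issuer: str
    aux_trust: set = field(default_factory=set)   # explicit trust (cf. openssl x509 -addtrust)
    aux_reject: set = field(default_factory=set)  # explicit reject (cf. openssl x509 -addreject)

def x509_check_trust(cert: Cert, purpose: str) -> int:
    """Explicit aux settings win; else the legacy 'compat' rule: trusted only if self-signed."""
    if cert.aux_trust or cert.aux_reject:
        if purpose in cert.aux_trust:
            return X509_TRUST_TRUSTED
        return X509_TRUST_REJECTED if purpose in cert.aux_reject else X509_TRUST_UNTRUSTED
    return X509_TRUST_TRUSTED if cert.subject == cert.issuer else X509_TRUST_UNTRUSTED

def check_trust(chain, last_untrusted, store, purpose, partial_chain=False) -> int:
    """Chain rule: only chain[last_untrusted:] (the part taken from the store)
    is consulted; the first TRUSTED/REJECTED answer wins. With partial chains
    allowed, merely ending at a store certificate is enough."""
    for cert in chain[last_untrusted:]:
        verdict = x509_check_trust(cert, purpose)
        if verdict != X509_TRUST_UNTRUSTED:
            return verdict
    if partial_chain and chain[-1] in store:
        return X509_TRUST_TRUSTED
    return X509_TRUST_UNTRUSTED

# Constructed sample chain: leaf <- intermediate <- self-signed root.
ROOT = Cert("CN=Example Root", "CN=Example Root")
CA2 = Cert("CN=Example Intermediate", "CN=Example Root")
LEAF = Cert("CN=example.test", "CN=Example Intermediate")

def scenarios() -> dict:
    """Chain building stopped at the installed intermediate (index 1 onward is from the store)."""
    store = [ROOT, CA2]
    ca2_explicit = Cert(CA2.subject, CA2.issuer, aux_trust={TRUST_SSL_SERVER})
    return {
        "anchor_is_intermediate": check_trust([LEAF, CA2], 1, store, TRUST_SSL_SERVER),
        "partial_chain_allowed": check_trust([LEAF, CA2], 1, store, TRUST_SSL_SERVER, True),
        "intermediate_explicitly_trusted": check_trust([LEAF, ca2_explicit], 1, [ROOT, ca2_explicit], TRUST_SSL_SERVER),
        "chain_reaches_root": check_trust([LEAF, CA2, ROOT], 1, store, TRUST_SSL_SERVER),
    }
```

Only the first scenario yields X509_TRUST_UNTRUSTED; reaching the self-signed root, allowing partial chains, or giving the intermediate explicit trust settings each turns the verdict into X509_TRUST_TRUSTED.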