Probably not, that constraint is satisfied since this is SSL/TLS and the
end cert has that same EKU.

On 16/11/2015 22:37, E T wrote:
> Could it be because your CA-2 has the following: Extended Key Usage
> - Client Authentication, Server Authentication?
>
> Some fields that in general only apply to end certificates, e.g. name
> constraints, when used in a CA certificate, are interpreted as
> constraints on the certificates that can be issued by that CA.
>
>
> On Nov 16, 2015, at 11:48 AM, Jayalakshmi bhat
> <bhat.jayalakshmi at gmail.com> wrote:
>
> > Hi Matt,
> >
> > Thank you for the response. I have attached the certificate details.
> > My apologies, I am not supposed to share the certificates. We are not
> > using the X509_VERIFY_PARAM_xxx APIs. We are using 4 certificates with
> > the device.
> >
> > 1. Root CA - Baltimore CyberTrust Root
> > 2. Intermediate CA-1 - Microsoft Internet Authority
> > 3. Intermediate CA-2 - Microsoft IT SSL SHA2
> > 4. ID certificate - *.sharepoint.com
> >
> > Intermediate CAs are issued by the above Root CA. The issue is seen when
> > all 4 certificates are installed. The error happens with the intermediate
> > CA-2: check_trust returns X509_TRUST_UNTRUSTED. However, if I do not
> > install intermediate CA-2, things work fine.
> >
> > Any help is well appreciated.
> >
> > Regards
> > Jayalakshmi
> >
> > On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <matt at openssl.org> wrote:
> >
> > > On 16/11/15 06:52, Jayalakshmi bhat wrote:
> > > > Hi Victor,
> > > >
> > > > Thanks a lot for the detailed explanation.
> > > >
> > > > Our device acts as a TLS/SSL client. The device receives a chain of
> > > > certificates as part of the SSL handshake, when it is trying to get
> > > > connected to a TLS/SSL server like SharePoint 365.
> > > >
> > > > While validating the certificate chain from the server, "check_trust"
> > > > fails with X509_V_ERR_CERT_UNTRUSTED.
> > > >
> > > > This had been working fine with OpenSSL 1.0.1c.
> > > >
> > > > When I checked the code execution, check_trust was not being called in
> > > > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied.
> > > >
> > > > That is why I wanted to know whether it is mandatory for applications to
> > > > set X509_VERIFY_PARAM in X509_STORE_CTX.
> > >
> > > Are you able to share the certificates that the server provides you
> > > with? Also the root certificate you are using.
> > >
> > > It is not mandatory to set X509_VERIFY_PARAMs (but typically you at
> > > least want to verify the hostname through a call to
> > > "X509_VERIFY_PARAM_set1_host"). Are you currently doing anything like
> > > this?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
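The verification discussed in this thread (a chain whose intermediate CA carries the serverAuth and clientAuth EKUs, validated by a TLS client that should also check the hostname, as Matt's mention of X509_VERIFY_PARAM_set1_host implies), as an added example that is not part of the thread and not OpenSSL code. It uses Go's crypto/x509 instead of the OpenSSL API the posters are using, because Go's verifier applies the EKU of every CA in the chain as a constraint on the leaf, which is exactly the interpretation E T describes; with serverAuth present on CA-2 the chain verifies, which is Jakob's point. The certificate names, the wildcard name *.example.com, the hostnames, and the root -> CA-1 -> CA-2 -> leaf issuance order are all constructed assumptions; no real certificates from the thread are used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64

// template builds a certificate template: CAs get the certSign key usage, end-entity
// certs get a SAN for their name (Go matches hostnames against SANs, not the CN).
func template(name string, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           eku,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.DNSNames = []string{name}
	}
	return t
}

// issue signs tmpl with parent/parentKey, or self-signs when parent is nil; it returns the new key too.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildChain issues the constructed hierarchy root -> CA-1 -> CA-2 (carrying ca2EKU) -> leaf,
// root first. The leaf always carries serverAuth, as a TLS server certificate does.
func buildChain(ca2EKU []x509.ExtKeyUsage) ([]*x509.Certificate, error) {
	templates := []*x509.Certificate{
		template("Constructed Root CA", true, nil),
		template("Constructed Intermediate CA-1", true, nil),
		template("Constructed Intermediate CA-2", true, ca2EKU),
		template("*.example.com", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}),
	}
	var certs []*x509.Certificate
	parent, parentKey := (*x509.Certificate)(nil), (*ecdsa.PrivateKey)(nil)
	for _, t := range templates {
		cert, key, err := issue(t, parent, parentKey)
		if err != nil {
			return nil, err
		}
		certs, parent, parentKey = append(certs, cert), cert, key
	}
	return certs, nil
}

// verifyAsTLSClient does what a TLS client should: trust only the root, treat the other CAs
// as untrusted chain material from the server, require serverAuth, and check the hostname.
func verifyAsTLSClient(certs []*x509.Certificate, hostname string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(certs[0])
	for _, c := range certs[1 : len(certs)-1] {
		inters.AddCert(c)
	}
	_, err := certs[len(certs)-1].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       hostname,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	both, _ := buildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth})
	fmt.Println("CA-2 serverAuth+clientAuth, matching host:", verifyAsTLSClient(both, "tenant.example.com"))
	fmt.Println("CA-2 serverAuth+clientAuth, other host:   ", verifyAsTLSClient(both, "tenant.example.org"))
	clientOnly, _ := buildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("CA-2 clientAuth only, matching host:      ", verifyAsTLSClient(clientOnly, "tenant.example.com"))
}
```

The first call succeeds (nil error), the second fails with a hostname mismatch even though the chain itself is fine, and the third fails because a CA-2 restricted to clientAuth cannot validly issue a serverAuth leaf. Only the root goes into the trusted pool; the intermediates are handed over as untrusted input, which is the setup a TLS client normally has.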