At most one of CA-1 and CA-2 would be part of the chain from Baltimore to the end cert. However your end cert (apparently for hosted Sharepoint services) was issued by a 3rd MSIT CA that was not provided. If it wasn't provided to the code either, the chain would not validate for that reason alone. I also note that none of the certs in the chain contain any Authority Information Access (AIA) extension (issuer certificate download URL and OCSP URL) only a CRL URL extension, which wouldn't be normal MS practice (Certificate revocation cannot be detected by some browsers that use only OCSP and the automatic certificate download done by some Microsoft Windows Security Support Providers (such as CredSSP) won't work). Oh and you are not posting from an official Microsoft e-mail address either. Something seems very odd here. On 16/11/2015 17:48, Jayalakshmi bhat wrote: > Hi Matt, > > Thank you for the response. I have attached the certificates details. > My apology I am not supposed to share the certificates. We are not > using X509_VERIFY_PARAM_xxx API's. We are using 4 certificates with > the device. > > 1. Root CA- Baltimore CyberTrust Root > 2. Intermediate CA-1 - Microsoft Internet Authority > 3. Intermediate CA-2 - Microsoft IT SSL SHA2 > 4. ID certificate - *.sharepoint.com <http://sharepoint.com/> > > Intermediate CAs are issued by the above Root CA. Issue is seen when > all 4 certificates are installed. Error happens with the intermediate > CA-2. check_trust returns X509_TRUST_UNTRUSTED. However if I do not > install intermediate CA-2 things works fine. > > Any help is well appreciated. > > Regards > Jayalakshmi > > On Mon, Nov 16, 2015 at 2:52 PM, Matt Caswell <matt at openssl.org > <mailto:matt at openssl.org>> wrote: > > > > On 16/11/15 06:52, Jayalakshmi bhat wrote: > > Hi Victor, > > > > Thanks a lot for details explanation. > > > > Our device acts as TLS/SSL client. The device receives chain of > > certificates as part of SSL handshake, when it is trying to get > > connected to TLS/SSL server like sharepoint 365. > > > > While validating the certificate chain from server, "*check_trust" > > *fails with X509_V_ERR_CERT_UNTRUSTED. > > > > This had been working fine with OpenSSL 1.0.1c. > > > > When I checked the code execution, check_trust was not being > called in > > OpenSSL 1.0.1c as "if (param->trust > 0)" was not satisfied. > > > > That is why I wanted to know is it mandatory for the applications to > > set X509_VERIFY_PARAM in X509_STORE_CTX > > > Are you able to share the certificates that the server provides you > with? Also the root certificate you are using. > > It is not mandatory to set X509_VERIFY_PARAMs (but typically you at > least want to verify the hostname through a call to > "X509_VERIFY_PARAM_set1_host"). Are you currently do anything like > this? > Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151117/291440b6/attachment.html>
