I wrote this small program which takes as input X509 certificates, base64-encoded, parses them and builds a certificate chain, which is eventually verified by X509_verify_cert(). The last certificate is added to the trusted store if it is self-signed, in order to avoid the OpenSSL policy about self-signed certificates, as recommended in this post <https://zakird.com/2013/10/13/certificate-parsing-with-openssl/>. The code is at this pastebin link <http://pastebin.com/2N2DSxbe>.

However, when I run this with a correct certificate chain (the Facebook one, already tested with other libraries), I get error 7, certificate signature validation, at depth 1. The certificate chain consists of the server certificate, the CA certificate and a self-signed root certificate, which is also in the trusted system store. Hence, it seems that the public key of the self-signed root certificate is not correctly used to verify the signature on the CA certificate.

Moreover, I compiled the same source but linked the BoringSSL crypto library instead of the OpenSSL one, and everything works perfectly. Hence, my hypothesis is that this is an OpenSSL issue found by Google and fixed in BoringSSL, but it has not been fixed in OpenSSL yet.

So, I would like to know if I am missing some steps in order to properly use the X509_verify_cert() function, or whether my hypothesis about the BoringSSL fix could be appropriate.

Thank you,
Nicholas