V4.2.1, SSL CA Path issue

Duncan Grisby duncan at grisby.org
Mon Dec 7 09:44:33 GMT 2015


On Fri, 2015-12-04 at 14:50 +0000, Bill Chen wrote:

>   omniORB V4.2.1 introduces a very important feature for SSL: a new
> attribute named certificate_authority_path in sslContext.h. It’s
> designed to put all trusted certificates in the folder.
> 
>   When I tested this feature, I found the certificates in this folder
> just didn’t work. What I did was to add a new line in
> examples/ssl_echo/eg2_impl.cc like the following, and put one
> certificate (in pem format) to the “/home/foo/trustedca” folder:

You say you subsequently sorted this out for yourself, but for anyone
else struggling with the same thing, the reason it didn't work is that
the CA files in the directory must be named according to the hash of the
CA subject name. This bit of OpenSSL's documentation explains it:

https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html

"If CApath is not NULL, it points to a directory containing CA
certificates in PEM format. The files each contain one CA certificate.
The files are looked up by the CA subject name hash value, which must
hence be available. If more than one CA certificate with the same name
hash value exist, the extension must be different (e.g. 9d66eef0.0,
9d66eef0.1 etc). The search is performed in the ordering of the
extension number, regardless of other properties of the certificates.
Use the c_rehash utility to create the necessary links."

c_rehash is documented here:

https://www.openssl.org/docs/manmaster/apps/c_rehash.html


Duncan.

-- 
 -- Duncan Grisby         --
  -- duncan at grisby.org     --
   -- http://www.grisby.org --
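For readers who want to see why a certificate dropped into the `certificate_authority_path` folder under an arbitrary name is never found, the following is an added example (not omniORB or OpenSSL code, and not part of the thread above). It is a stdlib-only Python reimplementation of the subject-name hash that OpenSSL 1.0.0 and later use for CApath file names: SHA-1 over the canonical DER encoding of the subject (each RDN as a SET, values converted to UTF8String, ASCII whitespace collapsed and ASCII letters lowercased), first four bytes read little-endian. The helper names (`subject_hash`, `install_ca`, `demo`) and the subject strings are illustrative assumptions; the hand-coded DER only knows a few common attribute types and assumes one attribute per RDN, and the PEM text written by `demo()` is a constructed placeholder, not a real certificate. The authoritative value always comes from `openssl x509 -subject_hash -noout -in ca.pem`.

```python
"""Reimplementation of OpenSSL's (>= 1.0.0) CA subject-name hash, which
names the files that SSL_CTX_load_verify_locations() looks up in CApath.

Added example for illustration only; not omniORB or OpenSSL code. Hand-codes
DER for a few common attribute types and assumes single-valued RDNs.
Helper names are hypothetical; check real files with
`openssl x509 -subject_hash -noout -in ca.pem`.
"""
import hashlib
import os
import re
import tempfile

# DER-encoded attribute-type OIDs this example understands (assumption:
# the subject uses only these, one attribute per RDN).
_OIDS = {
    "C": b"\x55\x04\x06",   # countryName
    "ST": b"\x55\x04\x08",  # stateOrProvinceName
    "L": b"\x55\x04\x07",   # localityName
    "O": b"\x55\x04\x0a",   # organizationName
    "OU": b"\x55\x04\x0b",  # organizationalUnitName
    "CN": b"\x55\x04\x03",  # commonName
}

_ASCII_WS = b" \t\n\r\x0b\x0c"


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with a definite-length header."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _canon_value(value: str) -> bytes:
    """Mirror OpenSSL's asn1_string_canon(): UTF-8, strip leading/trailing
    ASCII whitespace, collapse runs of it to one space, ASCII-lowercase
    (bytes.lower() touches ASCII letters only, like OpenSSL)."""
    raw = value.encode("utf-8").strip(_ASCII_WS)
    raw = re.sub(rb"[ \t\n\r\x0b\x0c]+", b" ", raw)
    return raw.lower()


def canonical_name_encoding(subject: str) -> bytes:
    """Canonical encoding of '/C=GB/O=Foo/CN=Bar': one SET per RDN holding
    SEQUENCE { OID, UTF8String }, with the outer SEQUENCE of the Name
    omitted, as OpenSSL's x509_name_canon() does."""
    out = b""
    for rdn in subject.strip("/").split("/"):
        attr, _, value = rdn.partition("=")
        oid = _OIDS[attr.strip()]
        entry = _der(0x30, _der(0x06, oid) + _der(0x0c, _canon_value(value)))
        out += _der(0x31, entry)  # SET OF X509_NAME_ENTRY
    return out


def subject_hash(subject: str) -> str:
    """First four SHA-1 bytes of the canonical encoding as a little-endian
    32-bit integer, printed as 8 lowercase hex digits (what `-hash` shows)."""
    md = hashlib.sha1(canonical_name_encoding(subject)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def capath_filename(capath: str, subject: str) -> str:
    """Next free <hash>.N in capath; OpenSSL tries .0, .1, ... in order."""
    h = subject_hash(subject)
    n = 0
    while os.path.exists(os.path.join(capath, "%s.%d" % (h, n))):
        n += 1
    return "%s.%d" % (h, n)


def install_ca(capath: str, subject: str, pem: str) -> str:
    """Write one PEM CA certificate into capath under its hash name."""
    name = capath_filename(capath, subject)
    with open(os.path.join(capath, name), "w") as f:
        f.write(pem)
    return name


def demo() -> list:
    """Constructed sample: two subjects that differ only in case and spacing
    canonicalise to the same name, so they land as <hash>.0 and <hash>.1."""
    capath = tempfile.mkdtemp(prefix="trustedca-")
    # Constructed placeholder text, not a certificate; real files must hold
    # an actual PEM-encoded CA certificate.
    fake_pem = ("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                "-----END CERTIFICATE-----\n")
    return [install_ca(capath, "/C=GB/O=Example/CN=Test CA", fake_pem),
            install_ca(capath, "/C=GB/O=example/CN=TEST  CA", fake_pem)]


if __name__ == "__main__":
    print(demo())
```

In practice you do not hand-compute this: `openssl x509 -subject_hash -noout -in ca.pem` (alias `-hash`) prints the name, and `c_rehash dir` or, from OpenSSL 1.1.0, `openssl rehash dir` creates the links for every PEM file in the directory. Before wiring the directory into omniORB's `certificate_authority_path`, confirm the lookup itself works with `openssl verify -CApath /home/foo/trustedca server.pem`. One caveat: OpenSSL 0.9.8 used an older MD5-based name (shown by `-subject_hash_old`), so a directory that must also serve clients built against 0.9.8 needs both names.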
