  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 445

Does OpenSSL support chained certificates?

I have a client side application that sends requests to a Web Service and the Web Service provider just sent me an email that they are changing the security on the Web Server from unchained to chained certificates.  I am assuming that OpenSSL would receive the multiple certificate requests and handle them appropriately.  Any insight would be greatly appreciated.

I also posted my client side code, if interested.

Thanks in advance!
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <string>

// Assumed prototype for the poster's logging helper (defined elsewhere in their
// application); declared here only so the fragment compiles on its own.
void WriteLog( const char* sModule, const char* sMessage, void* pLogger );

// Assumed wrapper: sHost, sRequest, sResponse, sModule, pLogger and bRet are
// used but not declared in the posted fragment, so they become parameters and
// a local here.
bool SendSecureRequest( const std::string& sHost, const std::string& sRequest,
                        std::string& sResponse, const char* sModule, void* pLogger )
{
	bool bRet = false;

	try
	{
		BIO*		hBio = NULL;						// Basic Input Output (BIO) handle
		SSL*		hSSL = NULL;						// SSL/TLS session handle
		SSL_CTX*	hCTX = NULL;						// SSL/TLS context structure handle

		//
		//	Initialize the library and the SSL/TLS context
		//

		SSL_library_init( );							// Register ciphers and digests (a no-op macro on OpenSSL >= 1.1.0)
		SSL_load_error_strings( );						// Human-readable text for ERR_* / X509_verify_cert_error_string

		hCTX = SSL_CTX_new( SSLv23_client_method( ) );	// Version-flexible client method: negotiates the highest
														// protocol version both sides support
		if( hCTX == NULL )
		{
			WriteLog( sModule, "Error creating SSL context", pLogger );
			return bRet;
		}

		SSL_CTX_set_options( hCTX, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );	// Never negotiate the broken SSLv2/SSLv3

		//
		//	Verify the server's certificate chain against the platform trust store.
		//	Without SSL_VERIFY_PEER the handshake accepts any certificate, chained
		//	or not, from any issuer, so the connection is encrypted but not authenticated.
		//

		SSL_CTX_set_default_verify_paths( hCTX );		// Load the system's trusted root CAs
		SSL_CTX_set_verify( hCTX, SSL_VERIFY_PEER, NULL );	// Abort the handshake if the chain does not verify

		hBio = BIO_new_ssl_connect( hCTX );				// Create a BIO chain (SSL BIO on top of a connect BIO)
		if( hBio == NULL )
		{
			WriteLog( sModule, "Error creating SSL BIO", pLogger );
			SSL_CTX_free( hCTX );
			return bRet;
		}

		BIO_get_ssl( hBio, &hSSL );						// Retrieve the SSL handle owned by the BIO chain
		if( hSSL == NULL )
		{
			WriteLog( sModule, "Error retrieving SSL handle", pLogger );
			BIO_free_all( hBio );
			SSL_CTX_free( hCTX );
			return bRet;
		}

		SSL_set_mode( hSSL, SSL_MODE_AUTO_RETRY );		// Retry reads/writes transparently until the requested
														// operation completes (e.g. across a renegotiation)

		BIO_set_conn_hostname( hBio, sHost.c_str( ) );	// Set the host name and port.  The following formats
														// are acceptable:
														//
														//		IP Address ( e.g. 127.0.0.1 )
														//		host:port ( e.g. microsoft.com:80 )
														//		hostname/path ( e.g. www.microsoft.com/pub )
														//		hostname:port/path ( e.g. www.microsoft.com:80/pub )

		//
		//	Attempt the SSL/TLS connection
		//

		if( BIO_do_connect( hBio ) <= 0 )
		{
			//
			// Connection attempt failed.  Log the error, cleanup and bail.
			//

			WriteLog( sModule, "Error connecting to server", pLogger );
			BIO_free_all( hBio );
			SSL_CTX_free( hCTX );
			return bRet;
		}

		if( BIO_do_handshake( hBio ) <= 0 )
		{
			//
			// Handshake failed; with SSL_VERIFY_PEER this includes a server chain
			// that could not be verified.  Log the error, cleanup and bail.
			//

			WriteLog( sModule, "Error establishing SSL Connection", pLogger );
			BIO_free_all( hBio );
			SSL_CTX_free( hCTX );
			return bRet;
		}

		if( SSL_get_verify_result( hSSL ) != X509_V_OK )
		{
			//
			// Defence in depth: confirm the chain result explicitly so the check
			// survives even if the verify mode above is ever relaxed.
			//

			WriteLog( sModule, X509_verify_cert_error_string( SSL_get_verify_result( hSSL ) ), pLogger );
			BIO_free_all( hBio );
			SSL_CTX_free( hCTX );
			return bRet;
		}

		//
		//	Write the request to the log file (if enabled)
		//

		WriteLog( sModule, sRequest.c_str( ), pLogger );

		//
		//	Send the request to the SSL/TLS channel
		//

		if( BIO_write( hBio, sRequest.data( ), ( int ) sRequest.size( ) ) <= 0 )
		{
			WriteLog( sModule, "Error sending request", pLogger );
			BIO_free_all( hBio );
			SSL_CTX_free( hCTX );
			return bRet;
		}

		for( ; ; )
		{
			int iStatus;
			char sRetMessage[ 20480 ];

			//
			//	Read the next block of the response from the channel
			//

			iStatus = BIO_read( hBio, sRetMessage, sizeof( sRetMessage ) );

			//
			//	Error, or the server closed the connection: no more to read
			//

			if( iStatus <= 0 )
			{
				break;
			}

			sResponse.append( sRetMessage, iStatus );	// Append exactly the bytes read; the buffer is not
														// NUL-terminated and the response may contain NULs
		}

		//
		//	Write the response to the log file (if enabled)
		//

		WriteLog( sModule, sResponse.c_str( ), pLogger );

		//
		//	Cleanup the SSL/TLS memory allocations
		//

		BIO_free_all( hBio );
		SSL_CTX_free( hCTX );

		bRet = true;
	}
	catch ( ... )
	{
		WriteLog( sModule, "Exception Caught", pLogger );
	}

	return bRet;
}

Asked by: turasque
1 Solution
 
Paranormastic (Cryptographic Engineer) commented:
Yes, openssl supports chaining.  Not quite sure what you are looking for specifically, but I would imagine it would probably be under 'openssl x509 -CA filename.cer' or 'openssl verify' or 'openssl s_server' (for the latter 2 use a -? for command format...)

http://www.openssl.org/docs/
