I am writing a very simple SSL client to connect to an HTTPS web server. I can connect and process the request / response just fine. However, OpenSSL reports UNABLE_TO_GET_ISSUER_CERT_LOCALLY, but so far I prefer to ignore the error :-). Now I want to solve this part of the problem.
I test by connecting to a public SSL server on HTTPS, such as Google or Yahoo, and checking for SSL_get_verify_result(...) returns.
As I understand it, I need CA pem files for this particular site so that OpenSSL can check the chain to a trusted certificate authority. In this case, it will be the authority that signed the certificates for Google or Yahoo.
To get the PEM files that I expect will work, I opened my Firefox, went to these sites and executed a view certificate and exported each one to a list. So for example, I have a file called "GeoTrustGlobalCA.pem" that looks good. In fact, when I immediately got to the GeoTrust website and uploaded their root certificate, it is identical to the one I exported from Firefox, as expected.
So, for example, with Google, which showed two certificates in a tree in Firefox, I upload each of them:
    result = SSL_CTX_load_verify_locations(ctx, "GoogleInternetAuthorityG2.pem", NULL);
    if (result == 0) {
        puts("Oops... Can't load the certificate");
    }
    result = SSL_CTX_load_verify_locations(ctx, "GeoTrustGlobalCA.pem", NULL);
    if (result == 0) {
        puts("Oops... Can't load the certificate");
    }
After that, the usual things to connect and communicate:
    BIO_set_conn_hostname(bio, "www.google.com:https");
And do not get errors when downloading or connecting.
However, the check does not work.
    result = SSL_get_verify_result(ssl);   /* returns a long; X509_V_OK (0) means the chain verified */
    printf("The Verify Result is %ld\n", result);
I get UNABLE_TO_GET_ISSUER_CERT_LOCALLY (error code 20) returned.
So, did I miss some concept here? Wouldn't that give me the result of X509_V_OK, because it has trusted certificates? There were only two that were in line with google.com, and I used them.
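The scenario in the question, reproduced as an added diagnostic script (not code from the post): a verifying TLS client built on Python's standard ssl module, which drives the same OpenSSL verifier as the C API, so the verify code it reports (20 here) is the X509_V_ERR_* number that SSL_get_verify_result() returns. Each function's comment names the corresponding C call. The pre-check on the PEM files is an assumption about the usual failure mode when certificates are exported from a browser: SSL_CTX_load_verify_locations() reads a CAfile as concatenated PEM and rejects DER, so a DER export or a file without a BEGIN CERTIFICATE block loads nothing. Host name, file names and the constructed sample files used in testing are assumptions.

```python
"""Verifying TLS client on Python's ssl module (a thin wrapper around OpenSSL).

Added example, not from the original post.  Correspondence with the C calls:
  SSL_CTX_load_verify_locations(ctx, cafile, NULL) -> ctx.load_verify_locations(cafile=...)
  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)    -> ctx.verify_mode = ssl.CERT_REQUIRED
  SSL_get_verify_result(ssl)                        -> SSLCertVerificationError.verify_code
  X509_verify_cert_error_string(code)               -> SSLCertVerificationError.verify_message
"""
import socket
import ssl
from pathlib import Path

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def count_pem_certificates(path):
    """Return the number of PEM certificate blocks in a file.

    A CAfile may hold several concatenated PEM certificates, but DER is not
    accepted, so a browser export saved in DER form is caught here.
    """
    data = Path(path).read_bytes()
    if PEM_BEGIN not in data:
        raise ValueError(f"{path}: no PEM certificate block found (DER export?)")
    begins, ends = data.count(PEM_BEGIN), data.count(PEM_END)
    if begins != ends:
        raise ValueError(f"{path}: unbalanced BEGIN/END CERTIFICATE markers")
    return begins


def build_bundle(pem_paths, bundle_path):
    """Concatenate several PEM files (intermediate + root) into one CAfile.

    Returns the number of certificates written.  One bundle file is the
    simplest way to hand the whole chain to load_verify_locations().
    """
    total = 0
    with open(bundle_path, "wb") as out:
        for p in pem_paths:
            total += count_pem_certificates(p)
            data = Path(p).read_bytes()
            out.write(data if data.endswith(b"\n") else data + b"\n")
    return total


def make_context(cafile):
    """SSL_CTX equivalent: peer verification on, host name check on, trust from cafile only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # SSL_VERIFY_PEER
    ctx.check_hostname = True             # X509_VERIFY_PARAM_set1_host / SSL_set1_host
    # Raises OSError (ssl.SSLError) when the file is missing or no certificate parses,
    # the same condition under which SSL_CTX_load_verify_locations() returns 0.
    ctx.load_verify_locations(cafile=cafile)
    return ctx


def probe(host, port, cafile, timeout=10.0):
    """Connect with SNI and return (verify_code, verify_message, peer_subject).

    (0, "ok", subject) corresponds to SSL_get_verify_result() == X509_V_OK.
    """
    ctx = make_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return 0, "ok", tls.getpeercert().get("subject")
    except ssl.SSLCertVerificationError as e:
        # e.verify_code is the X509_V_ERR_* number (e.g. 20), e.verify_message its text
        # (e.g. "unable to get local issuer certificate").
        return e.verify_code, e.verify_message, None


if __name__ == "__main__":
    import sys
    # Usage (assumed file names): python verify_probe.py www.google.com bundle.pem
    host, cafile = sys.argv[1], sys.argv[2]
    print(probe(host, 443, cafile))
```

Run it once against a bundle that holds only the certificates the server itself sends and once against a bundle that also holds the self-signed root: with the default verifier settings the chain is only accepted when it ends at a root present in the trust store, which is the difference between verify code 20 and 0.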