OPENSSL connection to a public server gives X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

The second call to SSL_CTX_load_verify_locations is replacing the certificate from the first call.

You should combine your roots into a single file:

$ cat my-trusted-roots.pem
-----BEGIN CERTIFICATE-----
... (CA certificate in base64 encoding) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (CA certificate in base64 encoding) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (CA certificate in base64 encoding) ...
-----END CERTIFICATE-----

And then load that single file with SSL_CTX_load_verify_locations. See the OpenSSL docs on SSL_CTX_load_verify_locations. In partuclar, the NOTES section:

If CAfile is not NULL, it points to a file of CA certificates in PEM format. The file can contain several CA certificates identified by

-----BEGIN CERTIFICATE-----

... (CA certificate in base64 encoding) ...

-----END CERTIFICATE-----

sequences. Before, between, and after the certificates text is allowed which can be used e.g. for descriptions of the certificates.


Just bike shedding here...

result = SSL_get_verify_result(ssl);
printf("The Verify Result is %d \n",result);

That's one of three tests you need to perform.

The second test you need to perform is below. Anonymous Diffie-Hellman (ADH) does not use a certificate, so you need to check for that.

X509* cert = SSL_get_peer_certificate(ssl);
if(cert) X509_free(cert);

if(cert == NULL)
    /* Error - Anonymous Diffie-Hellman */

SSL_get_peer_certificate bumps the reference count on the certificate, so you need a matching call to X509_free.

The third test you need to perform is hostname matching. OpenSSL 1.1.0 WILL perform hostname matching (and other name matching, like PKCS9 email addresses); but lesser versions, like 0.9.8 and 1.0.1, DO NOT perform the matching.


Thanks to this post I could finally get the SSL/TLS Client to work on Windows. I built openssl using MSYS2. I had to make some changes to the openssl-bio-fetch.tar.gz code so it could build/run in Windows/MSYS2, mostly adjusting the Makefile includes and setting -DNDEBUG to avoid the Posix signals.

However when running the code I got:

    $ ./openssl-bio-fetch.exe
    Warning: thread locking is not implemented
    verify_callback (depth=1)(preverify=0)
        Issuer (cn): DigiCert High Assurance EV Root CA
        Subject (cn): DigiCert SHA2 Extended Validation Server CA
        Error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    certificate verify failed

I had to download the 2 .pem files:

DigiCert High Assurance EV Root CA

DigiCert SHA2 Extended Validation Server CA

AND PASTE THE CERTIFICATES TO THE SAME .pem FILE ALREADY IN USE BY THE CODE: random-org-chain.pem

Thank You!