I have written a SOAP client using OpenSSL (written in C++ on Ubuntu 12.04) but it currently works without checking the server security certificate. This is the function I am using to set up the connection and checking the certificate

bool bInitialiseSSL(SSL_CTX* &ctx, SSL* &ssl, BIO* &bio)
{
    ctx = SSL_CTX_new(SSLv23_client_method());  
    bio = BIO_new_ssl_connect(ctx);
    if (bio == NULL) {
        ERR_print_errors_fp(stderr);    
        SSL_CTX_free(ctx);
        return false;
    }

    BIO_get_ssl(bio, &ssl);

    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
    char target[]  = "api.betfair.com:https";

    BIO_set_conn_hostname(bio, target);
    BIO_set_nbio(bio,1);
    while (1) {
        if (BIO_do_connect(bio) <= 0) {
            if (!BIO_should_retry(bio)) {
                cout << "Connect failed." << endl;
                BIO_free_all(bio);
                SSL_CTX_free(ctx);
                return false;
            }
        } else {
            break;
        }
    }

    if (BIO_do_handshake(bio) <= 0) {
        BIO_free_all(bio);
        SSL_CTX_free(ctx);
        return false;
    }

    X509 *cert;
    bool bValid  = false;
    cert = SSL_get_peer_certificate(ssl); 
    if ( cert != NULL ) {
        long res = SSL_get_verify_result(ssl);
        if (res == X509_V_OK) {
            bValid = true;
        } else {
            cout << "Error in security validation: " << res << endl;
        }
        X509_free(cert);   
    }
    return bValid;
}

This works fine but the return value of SSL_get_verify_result is 20 which corresponds to

X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate

I have read some of the OpenSSL documentation for their functions but it is not particularly user friendly. I have looked at a number of web tutorials and I cannot see what I am doing wrong. My software worked perfectly before I tried to implement the certificate checking but I cannot see what I need to do. Do I need to configure settings on my machine? The server is betfair which is supposedly very secure and I find it hard to believe that they do not have valid SSL certificates. If anyone can tell me what I am doing wrong I would be very grateful.

It depends on the certificates of the server.

• If it is a public valid certificate, you can include the CA certs file into SSL_CTX.

code:

ctx = SSL_CTX_new(SSLv23_client_method()); 
// You can load CA certs into SSL_CTX
SSL_CTX_load_verify_locations(ctx, cafile, NULL); // cafile: CA PEM certs file

You can download the public CA certs file from cURL website CA Certs from mozilla.org

• If it is a private certs, and you have the certificate file, you can use SSL_CTX_use_certificate_file instead of SSL_CTX_load_verify_locations.