Diffstat (limited to 'tdeio/kssl/ksslcallback.c')
-rw-r--r--tdeio/kssl/ksslcallback.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/tdeio/kssl/ksslcallback.c b/tdeio/kssl/ksslcallback.c
index 59f342584..1a105db3f 100644
--- a/tdeio/kssl/ksslcallback.c
+++ b/tdeio/kssl/ksslcallback.c
@@ -27,8 +27,9 @@ bool KSSL_X509CallBack_ca_found;
extern "C" {
static int X509Callback(int ok, X509_STORE_CTX *ctx) {
-
- kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << ctx->error << " depth = " << ctx->error_depth << endl;
+
+ kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << KOSSL::self()->X509_STORE_CTX_get_error(ctx) << " depth = "
+ << KOSSL::self()->X509_STORE_CTX_get_error_depth(ctx) << endl;
// Here is how this works. We put "ok = 1;" in any case that we
// don't consider to be an error. In that case, it will return OK
// for the certificate check as long as there are no other critical
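Review bot: The error code read through `KOSSL::self()->X509_STORE_CTX_get_error(ctx)` in the new kdDebug line is read a second time for the `switch` at the start of the following hunk, and `KOSSL::self()` is re-invoked on every accessor call across both hunks. Fetching it once keeps the logged value and the value that drives the accept/reject decision identical, and shortens the wrapped debug statement. A local before the kdDebug line, `int err = KOSSL::self()->X509_STORE_CTX_get_error(ctx);`, with the debug output and the later `switch (err)` both using it, would do; the same could be done for `X509_STORE_CTX_get_current_cert(ctx)`, which the next hunk calls twice in one condition. X509Callback's body continues beyond this hunk.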
@@ -39,14 +40,20 @@ static int X509Callback(int ok, X509_STORE_CTX *ctx) {
if (KSSL_X509CallBack_ca)
{
- if (KOSSL::self()->X509_cmp(ctx->current_cert, KSSL_X509CallBack_ca) != 0)
+ if (KOSSL::self()->X509_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0 &&
+ /*
+ * With OpenSSL >= 1.1 certificate in chain can be replaced by a certificate from the local certificate store.
+ * It is therefore necessary to compare the subject name, rather than the entire certificate.
+ */
+ KOSSL::self()->X509_subject_name_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0) {
return 1; // Ignore errors for this certificate
+ }
KSSL_X509CallBack_ca_found = true;
}
if (!ok) {
- switch (ctx->error) {
+ switch (KOSSL::self()->X509_STORE_CTX_get_error(ctx)) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
case X509_V_ERR_UNABLE_TO_GET_CRL:
case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: