Hi,
I'm having trouble verifying the server's signing CA on my client. At init
time, the SSL_CTX_set_client_CA_list() seems to work okay - debugging shows
certs being loaded into the STACK - but then in my verify callback routine
(nsssl_verify_client_callback) I always get
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
Am I missing a step here? I'm using a verisign class 1 cert on the server,
and I have loaded the VeriSign class 1 (and 2 and 3) CA certs into "nsssl_ca_cert_file".
Any help would be much appreciated.
Best Regards,
Jimmy
..
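/*
 * Install the peer-verification configuration on the client context.
 *
 * NOTE(review): SSL_CTX_set_client_CA_list() only records the list of CA
 * *names* that get advertised to the peer in a CertificateRequest; it adds
 * nothing to the X509_STORE the handshake uses to build and check the
 * peer's chain.  With only that call the verifier has no issuer to chain
 * to, which is exactly X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.  The
 * CA bundle must also be loaded as a trust anchor with
 * SSL_CTX_load_verify_locations().
 */
if (nsssl_ca_cert_file) {
    /* Trust anchors used to verify the peer's certificate chain. */
    if (!SSL_CTX_load_verify_locations(nsssl_client_ctx,
                                       nsssl_ca_cert_file, NULL)) {
        /* Reported through the same channel the verify callback uses;
         * an empty store would make every handshake fail verification. */
        dce_svc_printf(NSLOWER_SSL_STATUS_FUNCTION_FAILED_MSG,
                       "SSL_CTX_load_verify_locations",
                       (int)ERR_get_error());
    }
    /* Acceptable-CA names advertised to the peer.  This matters when the
     * context is used on the server side; on a client context it is
     * harmless but does not contribute to verification. */
    SSL_CTX_set_client_CA_list(nsssl_client_ctx,
        (STACK_OF(X509_NAME) *)nsssl_init_CAList(nsssl_ca_cert_file, NULL));
    nsssl_verify_client = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}
/* The callback only reports; it must return its `ok` argument unchanged
 * so that a verification failure still aborts the handshake. */
SSL_CTX_set_verify(nsssl_client_ctx,
                   nsssl_verify_client,
                   nsssl_verify_client_callback);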
..
/*
* Load CA certificates from ca-cert-file and ca-cert-p12-dir
*/
/*
 * Build a de-duplicated stack of CA subject names from the PEM bundle
 * `CAfile` and (in the part elided below) the PKCS#12 directory `CAp12dir`.
 *
 * The result is a plain STACK (pre-1.0 OpenSSL API) ordered/compared by
 * nsssl_init_CAList_X509NameCmp; the caller casts it to
 * STACK_OF(X509_NAME) * for SSL_CTX_set_client_CA_list().
 *
 * NOTE(review): this only produces the list of CA *names* that is
 * advertised to the peer.  It does not load anything into the trust
 * store used for chain verification; that needs
 * SSL_CTX_load_verify_locations() (or equivalent) as well.
 *
 * CAfile   - PEM file holding one or more CA certificates, or NULL
 * CAp12dir - directory of PKCS#12 files, or NULL (handled in elided code)
 * Returns the new STACK; ownership passes to the caller.
 */
STACK *nsssl_init_CAList(char *CAfile, char *CAp12dir)
{
PKCS12 *p12;
STACK *skCAList, *sk;
DIR *dir;
struct dirent *direntry;
#ifdef _WIN32
struct _stat stat_buf;
#else
struct stat stat_buf;
#endif
FILE *fp;
char *p,*tmps=NULL;
int i;
/* Empty password for the PKCS#12 files -- NOTE(review): presumably the
 * directory only holds unencrypted CA bundles; confirm, since a real
 * private key there would be readable with no passphrase. */
char *pass="";
EVP_PKEY *pkey=NULL;
X509 *cert=NULL;
char errs[256 * 10];
skCAList = sk_new(nsssl_init_CAList_X509NameCmp);
/*
 * Process CA certificate bundle file
 */
if (CAfile != NULL) {
/* SSL_load_client_CA_file() returns NULL on failure; the loop guard
 * below tolerates that and simply adds nothing. */
sk = (STACK *)SSL_load_client_CA_file(CAfile);
/* Copy each name into skCAList unless an equal name (per the comparator)
 * is already present.  The X509_NAME pointers are shared with `sk`, so
 * `sk` itself must be released with a non-freeing sk_free() -- presumably
 * done in the elided code; verify, otherwise it leaks or double-frees. */
for (i=0; sk != NULL && i<sk_num(sk); i++)
if (sk_find(skCAList, sk_value(sk,i)) <0)
sk_push(skCAList, sk_value(sk,i));
}
..
}
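/*
 * Verification callback installed via SSL_CTX_set_verify().
 *
 * OpenSSL calls this once per certificate in the peer's chain with the
 * result of its own checks in `ok`.  The hook only reports; it returns
 * `ok` unchanged so a failed check still aborts the handshake.  Returning
 * 1 unconditionally here would silently disable certificate validation.
 *
 * ok  - 1 if OpenSSL accepted the current certificate, 0 otherwise
 * ctx - verification context; the error code, depth and current
 *       certificate are read from it
 * Returns `ok`.
 */
int nsssl_verify_client_callback(int ok, X509_STORE_CTX *ctx)
{
char buf[256];
X509 *err_cert;
int err, depth;

err_cert = X509_STORE_CTX_get_current_cert(ctx);
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);

/* The current certificate may be NULL for some error states (for
 * instance when no issuer could be found), so do not dereference it
 * unconditionally. */
if (err_cert != NULL)
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof buf);
else
buf[0] = '\0';

if (!ok) {
dce_svc_printf(NSLOWER_SSL_STATUS_FUNCTION_FAILED_MSG,
"nsssl_verify_client_callback", err);
}

/* Subject and depth are retained for inspection in a debugger; the
 * reporting call above only carries the numeric error code. */
(void)buf;
(void)depth;
return ok;
}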
----------------------------------------------------------
James Darwin http://www.dascom.com
Senior Software Engineer DASCOM Australia Pty Ltd.
[EMAIL PROTECTED] Bond University Australia.
----------------------------------------------------------