On Thu, Dec 02, 1999 at 12:23:30PM +1100, James Darwin wrote:
> Hi,
>
> I'm having trouble verifying the server's signing CA on my client. At init
> time, the SSL_CTX_set_client_CA_list() seems to work okay - debugging shows
> certs being loaded into the STACK - but then in my verify callback routine
> (nsssl_verify_client_callback) I always get
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
> Am I missing a step here? I'm using a verisign class 1 cert on the server,
> and I have loaded verisign class 1 (and 2 and 3) CA into "nsssl_ca_cert_file".
>
> Any help would be more appreciated....

I am not sure that I understood your question correctly:

- You are working on the client part and want to verify the certificate
  presented by the server?
  Then you have to add the CA certificates used for the check using the
  SSL_CTX_load_verify_locations() call.
- You are working on the server part and want to verify the client
  certificates?
  Then you need to add the CA certificates to check against using
  SSL_CTX_load_verify_locations(ctx, CAfile, CApath). If you don't do anything
  else, the certificates included in CAfile are listed to the client as
  available for checking. You can however influence this list using the
  SSL_CTX_set_client_CA_list() call.

(From memory, hopefully I got it right :-).

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153