On Thu, Dec 02, 1999 at 12:23:30PM +1100, James Darwin wrote:
> Hi,
> 
> I'm having trouble verifying the server's signing CA on my client. At init
> time, the SSL_CTX_set_client_CA_list() seems to work okay - debugging shows
> certs being loaded into the STACK - but then in my verify callback routine
> (nsssl_verify_client_callback) I always get
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
> 
> Am I missing a step here? I'm using a verisign class 1 cert on the server,
> and I have loaded verisign class 1 (and 2 and 3) CA into "nsssl_ca_cert_file".
> 
> Any help would be more appreciated....

I am not sure that I understood your question correctly:
- You are working on the client part and want to verify the certificate
  presented by the server?
  Then you have to add the CA certificates used for the check using the
  SSL_CTX_load_verify_locations() call.
- You are working on the server part and want to verify the client
  certificates?
  Then you need to add the CA certificates to check against using
  SSL_CTX_load_verify_locations(ctx, CAfile, CApath). If you don't do anything
  else, the certificates included in CAfile are listed to the client as
  available for checking. You can however influence this list using the
  SSL_CTX_set_client_CA_list() call.
  (From memory, hopefully I got it right :-).

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
