Hi,

Please disregard the email below, I got it all to work with a verisign test
server certificate.

Regards,

Jimmy

At 01:11 PM 12/3/99 +1000, you wrote:
>At 11:34 AM 12/2/99 +0100, you wrote:
>>On Thu, Dec 02, 1999 at 12:23:30PM +1100, James Darwin wrote:
>>> Hi,
>>> 
>>> I'm having trouble verifying the server's signing CA on my client. At init
>>> time, the SSL_CTX_set_client_CA_list() seems to work okay - debugging shows
>>> certs being loaded into the STACK - but then in my verify callback routine
>>> (nsssl_verify_client_callback) I always get
>>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>>> 
>>> Am I missing a step here? I'm using a verisign class 1 cert on the server,
>>> and I have loaded verisign class 1 (and 2 and 3) CA into
>>> "nsssl_ca_cert_file".
>>> 
>>> Any help would be more appreciated....
>
>Hi Lutz, thanks for the response. I'm working on the first case below. You
>were right, I did need to call SSL_CTX_load_verify_locations.
>
>I'm now getting X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT in my verify routine,
>using what I believe is a correct CA root? I signed the certificate I'm
>using on the server with the openssl demoCA - both server certificate and
>demo CA root certificates are text dumped at the end of this email.
>
>
>What does this error mean? My CA root is incorrect, or error getting CA
>root??
>
>
>Best Regards,
>
>Jimmy
>
>>I am not sure that I understood your question correctly:
>>- You are working on the client part and want to verify the certificate
>>  presented by the server?
>>  Then you have to add the CA certificates used for the check using the
>>  SSL_CTX_load_verify_locations() call.
>>- You are working on the server part and want to verify the client
>>  certificates?
>>  Then you need to add the CA certificates to check against using
>>  SSL_CTX_load_verify_locations(ctx, CAfile, CApath). If you don't do
>>  anything else, the certificates included in CAfile are listed to the
>>  client as available for checking. You can however influence this list
>>  using the SSL_CTX_set_client_CA_list() call.
>>  (From memory, hopefully I got it right :-).
>>
>>Best regards,
>>      Lutz
>>-- 
>>Lutz Jaenicke                             [EMAIL PROTECTED]
>>BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
>>Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
>>Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
>>______________________________________________________________________
>>OpenSSL Project                                 http://www.openssl.org
>>Development Mailing List                       [EMAIL PROTECTED]
>>Automated List Manager                           [EMAIL PROTECTED]
>
>
>apps@utopia>./openssl x509 -in /tmp/server_certificate.pem -text
>Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 286 (0x11e)
>        Signature Algorithm: md5WithRSAEncryption
>        Issuer: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=CS, CN=SSLeay demo server
>        Validity
>            Not Before: Dec  2 05:45:13 1999 GMT
>            Not After : Dec  1 05:45:13 2000 GMT
>        Subject: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=test, CN=James Darwin/Emai[EMAIL PROTECTED]
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (1024 bit)
>                Modulus (1024 bit):
>                    00:c1:2a:ec:5a:33:9c:db:b4:da:3f:09:5d:d8:08:
>                    1c:ec:80:13:f7:6a:f7:7f:0f:48:80:48:ea:39:30:
>                    e8:a5:fd:bd:59:a4:39:f8:27:e1:33:96:6a:30:a6:
>                    d0:73:34:0d:97:15:4b:d0:d3:14:ea:b7:c8:76:80:
>                    7e:0b:ec:3f:bd:68:4e:c8:e2:97:67:1a:8f:bc:b6:
>                    04:34:28:08:31:90:89:44:92:64:73:3f:c9:e0:6a:
>                    76:b5:4b:11:22:6d:24:8b:e8:c3:2e:09:1b:4d:39:
>                    44:2e:73:73:65:13:b9:aa:5f:15:23:28:77:1a:41:
>                    9f:ae:29:7e:fc:94:f9:91:61
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            X509v3 Basic Constraints:
>                CA:FALSE
>            Netscape Comment:
>                OpenSSL Generated Certificate
>            X509v3 Subject Key Identifier:
>                C8:14:F0:48:CE:A2:DD:4D:C5:B1:9A:77:69:8D:A2:EE:2D:3C:75:B6
>            X509v3 Authority Key Identifier:
>                DirName:/C=AU/ST=QLD/CN=SSLeay/rsa test CA
>                serial:04
>
>    Signature Algorithm: md5WithRSAEncryption
>        3e:cd:d9:56:83:f8:c4:e1:ce:35:c7:f1:19:a3:4f:ec:7d:aa:
>        ca:61:98:91:f0:22:30:e9:5f:f9:5f:14:32:7b:5c:77:f6:a1:
>        fb:34:c4:13:f4:9f:54:9f:0b:2b:5f:14:f9:63:2d:50:07:28:
>        71:82:82:8e:ee:20:84:07:9e:84
>apps@utopia>./openssl x509 -in /tmp/roo_ca_certificate.pem -text
>Certificate:
>    Data:
>        Version: 1 (0x0)
>        Serial Number: 4 (0x4)
>        Signature Algorithm: md5WithRSAEncryption
>        Issuer: C=AU, ST=QLD, CN=SSLeay/rsa test CA
>        Validity
>            Not Before: Oct  9 23:32:05 1995 GMT
>            Not After : Jul  5 23:32:05 1998 GMT
>        Subject: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=CS, CN=SSLeay demo server
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (512 bit)
>                Modulus (512 bit):
>                    00:b7:2c:25:dc:49:c5:ae:6b:43:c5:2e:41:c1:2e:
>                    6d:95:7a:3a:a9:03:51:78:45:0f:2a:d1:58:d1:88:
>                    f6:9f:8f:1f:d9:fd:a5:87:de:2a:5d:31:5b:ee:24:
>                    66:bf:c0:55:db:fe:70:c5:2c:39:5f:5a:9f:a8:08:
>                    fc:21:06:d5:4f
>                Exponent: 65537 (0x10001)
>    Signature Algorithm: md5WithRSAEncryption
>        2b:34:5b:22:85:62:23:07:36:f4:0c:2b:14:d0:1b:cb:d9:bb:
>        d2:c0:9a:cf:12:a1:65:90:3a:b7:17:83:3a:10:6b:ad:2f:d6:
>        b1:11:c0:0d:5a:06:db:11:d0:2f:34:90:f5:76:61:26:a1:69:
>        f2:db:b3:e7:20:cb:3a:64:e6:41
>----------------------------------------------------------
>    James Darwin            http://www.dascom.com
> Senior Software Engineer    DASCOM Australia Pty Ltd.
>   [EMAIL PROTECTED]         Bond University Australia.
>----------------------------------------------------------
----------------------------------------------------------
    James Darwin             http://www.dascom.com
 Senior Software Engineer    DASCOM Australia Pty Ltd.
   [EMAIL PROTECTED]          Bond University Australia.
----------------------------------------------------------
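
Added example (not part of the original messages and not OpenSSL code): a simplified, name-only model of issuer lookup, run over the Issuer and Subject lines of the two certificate dumps quoted above, to show how the two error codes in the thread differ. The helpers names() and diagnose() and the CONSTRUCTED_ROOT entry are assumptions made for illustration; real verification also checks signatures, validity dates and extensions.

```python
import re

# Issuer/Subject lines from the two `openssl x509 -text` dumps quoted above
# (wrapped lines rejoined, e-mail attribute left out).
SERVER_DUMP = """
        Issuer: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=CS, CN=SSLeay demo server
        Subject: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=test, CN=James Darwin
"""
CA_FILE_DUMP = """
        Issuer: C=AU, ST=QLD, CN=SSLeay/rsa test CA
        Subject: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=CS, CN=SSLeay demo server
"""
# Constructed for contrast: a self-signed certificate for the name that the
# CA-file certificate lists as its issuer. Not present in the thread.
CONSTRUCTED_ROOT = """
        Issuer: C=AU, ST=QLD, CN=SSLeay/rsa test CA
        Subject: C=AU, ST=QLD, CN=SSLeay/rsa test CA
"""

def names(text_dump):
    """Return (subject, issuer) parsed from `openssl x509 -text` output."""
    def field(label):
        m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", text_dump, re.M)
        if m is None:
            raise ValueError(f"no {label} line in dump")
        return m.group(1)
    return field("Subject"), field("Issuer")

def diagnose(peer_dump, trusted_dumps):
    """Follow issuer names upward; return (result, subject it stopped at)."""
    store = dict(names(d) for d in trusted_dumps)      # subject -> issuer
    subject, issuer = names(peer_dump)
    if issuer not in store:
        if subject == issuer:
            return "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT", subject
        return "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY", subject
    current = issuer                   # a certificate from the trusted file
    for _ in range(len(store)):
        if store[current] == current:  # self-signed: the chain is complete
            return "X509_V_OK", current
        if store[current] not in store:
            return "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT", current
        current = store[current]
    raise ValueError("issuer names form a loop")
```

With the thread's two dumps, diagnose(SERVER_DUMP, [CA_FILE_DUMP]) stops at the "SSLeay demo server" certificate, whose Issuer differs from its Subject, so the lookup has to continue one level further than the trusted file reaches.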
