Sounds like your client can't get its hands on the CA cert needed to 
verify the server's cert. 

SSL_CTX_use_certificate_file and SSL_CTX_use_RSAPrivateKey_file load the
client-side cert and key you need to present to the server IF the server 
requires authentication of clients (which it doesn't, unless you added that
requirement to the sample code). If the server DOES require authentication
and 22ca.crt is your client cert, then that part's OK. 

The second param passed to SSL_CTX_set_verify should be 
SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT.

Finally, all you need to pass to SSL_CTX_set_verify_locations is the CA cert
whose key signed the server's cert. If that cert is 
/openssl-0.9.5/ca.db.certs/2201.pem, then that line is OK. However, your next
function call references a cert named 01.pem.  Which is the CA cert behind the 
server's cert? 2201.pem or 01.pem? I suspect it's neither. If you created 
your own CA and signed the server's cert yourself using the openssl defaults,
then it's more than likely cacert.pem. This is the cert you should reference 
in the call to set_verify_locations. 

I don't think the call to SSL_CTX_set_client_CA_list should be necessary 
at all.

Try these suggestions and see what you get.

John
[EMAIL PROTECTED]
www.darkspell.com


> I'm having problem verifying the certificate between server and client on
> the sample programs serv.cc and cli.cc in the demo/ssl directory. 
>
> error 20 at 0 depth lookup:unable to get local issuer certificate
> error 27 at 0 depth lookup:certificate not trusted
> error 21 at 0 depth lookup:unable to verify the first certificate
>
>
> SSL_CTX_use_certificate_file(ctx, "22ca.crt", SSL_FILETYPE_PEM)
> SSL_CTX_use_RSAPrivateKey_file(ctx, "22ca.key", SSL_FILETYPE_PEM) 
> SSL_CTX_check_private_key(ctx)
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
> verify_callback);
> SSL_CTX_load_verify_locations(ctx,"2201.pem","/openssl-0.9.5/ca.db.certs"); 
> SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(01.pem));

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
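Added example, not code from the thread: the client-side context John's reply describes, written against Python's ssl module, which is a thin wrapper over the same OpenSSL SSL_CTX_* calls (load_verify_locations maps to SSL_CTX_load_verify_locations, load_cert_chain to SSL_CTX_use_certificate_file plus SSL_CTX_use_RSAPrivateKey_file and SSL_CTX_check_private_key, verify_mode to SSL_CTX_set_verify). The function names, the throwaway test PKI generated with the openssl command-line tool, and the "right CA versus unrelated CA" loopback handshake are this example's own assumptions; the thread's file names are not used. The wrong-CA run reproduces the first of the poster's three errors, code 20 "unable to get local issuer certificate", which is what the client reports when the issuer of the server certificate is not among the certificates it was given to trust.

```python
# Added example (not from the mailing-list post). Names below are this
# example's own; the PKI is generated on the fly with the openssl CLI.
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_client_context(ca_file, client_cert=None, client_key=None):
    """Verifying client context, mirroring the SSL_CTX_* calls in the thread.

    ca_file     -> SSL_CTX_load_verify_locations: the CA cert that signed the
                   server's cert (cacert.pem for a home-made CA), not the
                   server cert itself.
    client_cert -> SSL_CTX_use_certificate_file / ..._use_RSAPrivateKey_file:
                   only needed when the server demands client authentication.
    verify_mode -> SSL_CTX_set_verify(SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # no cert, or an untrusted one, fails
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_file)  # raises OSError if file missing
    if client_cert is not None:
        # load_cert_chain also does the SSL_CTX_check_private_key step.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_test_pki(workdir):
    """Throwaway PKI (constructed for the demo): two unrelated self-signed CAs
    and a server cert for 'localhost' signed by the first one."""
    p = lambda name: os.path.join(workdir, name)
    for name in ("ca", "other_ca"):
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                 "-subj", f"/CN=Test {name}", "-keyout", p(f"{name}.key"),
                 "-out", p(f"{name}.pem"))
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=localhost",
             "-keyout", p("server.key"), "-out", p("server.csr"))
    with open(p("san.cnf"), "w") as f:  # hostname check needs a SAN
        f.write("subjectAltName=DNS:localhost\nbasicConstraints=CA:FALSE\n")
    _openssl("x509", "-req", "-days", "1", "-in", p("server.csr"), "-CA", p("ca.pem"),
             "-CAkey", p("ca.key"), "-CAcreateserial", "-extfile", p("san.cnf"),
             "-out", p("server.pem"))
    return {"ca": p("ca.pem"), "other_ca": p("other_ca.pem"),
            "server_cert": p("server.pem"), "server_key": p("server.key")}


def try_handshake(client_ctx, server_cert, server_key):
    """One loopback TLS handshake; returns the verify outcome as a dict,
    the same code/message pair behind the poster's 'error N at 0 depth'."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_cert, server_key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        try:
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # client rejected our certificate: expected in the wrong-CA run

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return {"ok": True, "verify_code": 0, "verify_message": "ok",
                        "version": tls.version()}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "verify_code": e.verify_code,
                "verify_message": e.verify_message}
    finally:
        t.join(5)
        listener.close()


def demo():
    """None if the openssl CLI is unusable here; else the outcome of verifying
    the server against the CA that signed it and against an unrelated CA."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        try:
            pki = make_test_pki(d)
        except subprocess.CalledProcessError:
            return None
        right = make_client_context(pki["ca"])
        wrong = make_client_context(pki["other_ca"])
        return {"right_ca": try_handshake(right, pki["server_cert"], pki["server_key"]),
                "wrong_ca": try_handshake(wrong, pki["server_cert"], pki["server_key"])}


if __name__ == "__main__":
    print(demo())
```

Running the block prints something like `{'right_ca': {'ok': True, ...}, 'wrong_ca': {'ok': False, 'verify_code': 20, 'verify_message': 'unable to get local issuer certificate'}}`: the same server certificate passes or fails purely on which CA the client was told to trust, which is the point of the reply above. Note that no client certificate is loaded at all; that only matters when the server side sets SSL_VERIFY_PEER itself.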