Still no good.

Let's recap what I have done to generate the certificates.  Maybe I'm
doing something wrong there. I'm using the CA.sh script under
openssl/apps to generate the certificates.

1) Generate new CA files using "CA.sh -newca". This generates CA
certificate cacert.pem and CA key cakey.pem.  I presume that cacert.pem is
the file that needs to be loaded using SSL_CTX_load_verify_locations on
the client side.

2) Generate new CR file using "CA.sh -newreq".  This generates the
certificate request file newreq.pem.

3) Sign the CR file using the CA file by "CA.sh -sign".  This generates
the certificate file "newcert.pem". I presume that this is the file that
needs to be loaded using SSL_CTX_use_certificate_file and
SSL_CTX_use_RSAPrivateKey_file on the server side. 

Now when I try to start the server up I get the following errors:

17122:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:662:Expecting: ANY PRIVATE KEY
17122:error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:missing
asn1 eos:ssl_rsa.c:630:


I then try to get around this by commenting 
out the SSL_CTX_use_RSAPrivateKey_file call on the server side.  Now the
server starts up but when the client tries to connect to the server I get
the following error:

Connection from 7f000001, port d240
17146:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
cipher:s3_srvr.c:769:


Please help here.

Thanks in advance,
--Douglas
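The two errors above are both about which PEM objects the server actually finds in the files it is handed: PEM_read_bio fails with "no start line ... Expecting: ANY PRIVATE KEY" when the file it is asked to read as a key contains no private-key block at all, and a server that ends up with a certificate but no key has no RSA suite it can complete, which surfaces on the next handshake as "no shared cipher". The following small PEM inspector is an added example (not code from the OpenSSL project or from anyone on this thread): it lists the BEGIN/END labels in a file and says what would go wrong when a server loads a given pair of files. The two sample files are constructed with placeholder bodies; they are shaped like what the CA.sh of that era writes, newcert.pem holding only the signed certificate after "CA.sh -sign" and newreq.pem holding the encrypted private key next to the request after "CA.sh -newreq".

```python
import re

# Matches one PEM block and captures its label, e.g. "CERTIFICATE" or
# "RSA PRIVATE KEY".  The backreference forces the BEGIN and END labels
# to agree, as OpenSSL's PEM reader does.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

# Labels OpenSSL's private-key readers accept ("Expecting: ANY PRIVATE KEY").
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",
}
CERTIFICATE_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}

# --- constructed sample files (placeholder base64 bodies, not real keys) ---

# Shape of newcert.pem after "CA.sh -sign": a text dump of the certificate
# followed by the certificate itself.  No private key lives in here.
NEWCERT_PEM = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBodyConstructedForThisExample0000000000
-----END CERTIFICATE-----
"""

# Shape of newreq.pem after "CA.sh -newreq": the encrypted private key
# followed by the certificate request.
NEWREQ_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

placeholderEncryptedKeyBodyConstructedForThisExample000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE REQUEST-----
MIIBplaceholderRequestBodyConstructedForThisExample00000000000000
-----END CERTIFICATE REQUEST-----
"""


def pem_labels(text):
    """Return the BEGIN/END labels of every PEM block in a file, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_server_files(cert_pem, key_pem):
    """Report what would go wrong when a server loads these two files
    via SSL_CTX_use_certificate_file / SSL_CTX_use_RSAPrivateKey_file."""
    problems = []
    if not CERTIFICATE_LABELS.intersection(pem_labels(cert_pem)):
        problems.append("certificate file contains no CERTIFICATE block")
    if not PRIVATE_KEY_LABELS.intersection(pem_labels(key_pem)):
        problems.append(
            "key file contains no private-key block; OpenSSL would fail with "
            "'no start line ... Expecting: ANY PRIVATE KEY' and, with no key "
            "loaded, could offer no shared cipher"
        )
    return problems


if __name__ == "__main__":
    print("newcert.pem:", pem_labels(NEWCERT_PEM))
    print("newreq.pem: ", pem_labels(NEWREQ_PEM))
    print("cert as key:", check_server_files(NEWCERT_PEM, NEWCERT_PEM))
    print("cert + req: ", check_server_files(NEWCERT_PEM, NEWREQ_PEM))
```

Run it against the real files on disk (read them and pass the text to `pem_labels`) to see at a glance whether the file handed to the key-loading call carries any private-key block; if it only lists CERTIFICATE, the key still has to come from the file that -newreq produced.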



On Fri, 24 Mar 2000 [EMAIL PROTECTED] wrote:

> Sounds like your client can't get its hands on the CA cert needed to 
> verify the server's cert. 
> 
> SSL_CTX_use_certificate_file and SSL_CTX_use_RSAPrivateKey_file  load the 
> client-side cert and key you need to present to the server IF the server 
> requires authentication of clients (which it doesn't, unless you added that
> requirement to the sample code). If the server DOES require authentication
> and 22ca.crt is your client cert, then that part's OK. 
> 
> The second param passed to SSL_CTX_set_verify should be 
> SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
> 
> Finally, all you need to pass to SSL_CTX_set_verify_locations is the CA cert
> whose key signed the server's cert. If that cert is 
> /openssl-0.9.5/ca.db.certs/2201.pem, then that line is OK. However, your next
> function call references a cert named 01.pem.  Which is the CA cert behind the 
> server's cert? 2201.pem or 01.pem? I suspect it's neither. If you created 
> your own CA and signed the server's cert yourself using the openssl defaults,
> then it's more than likely cacert.pem. This is the cert you should reference 
> in the call to set_verify_locations. 
> 
> I don't think the call to SSL_CTX_set_client_CA_list should be necessary 
> at all.
> 
> Try these suggestions and see what you get.
> 
> John
> [EMAIL PROTECTED]
> www.darkspell.com
> 
> 
> > I'm having problem verifying the certificate between server and client on
> > the sample programs serv.cc and cli.cc in the demo/ssl directory. 
> >
> > error 20 at 0 depth lookup:unable to get local issuer certificate
> > error 27 at 0 depth lookup:certificate not trusted
> > error 21 at 0 depth lookup:unable to verify the first certificate
> >
> >
> > SSL_CTX_use_certificate_file(ctx, "22ca.crt", SSL_FILETYPE_PEM);
> > SSL_CTX_use_RSAPrivateKey_file(ctx, "22ca.key", SSL_FILETYPE_PEM);
> > SSL_CTX_check_private_key(ctx);
> > SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
> > verify_callback);
> > SSL_CTX_load_verify_locations(ctx, "2201.pem", "/openssl-0.9.5/ca.db.certs");
> > SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file("01.pem"));
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
> 
