I have the same problem verifying the server certificate. I tried to run the s_server and s_client tests, and everything works fine apart from certificate verification. I get a
verify error: num=20:unable to get local issuer certificate
verify return: 1
Then I decided to run the verify test with the same parameters.
I made a cert request for the server and sent it to THAWTE. Then I got a certificate signed by THAWTE (myCert.pem). In addition I have the THAWTE root cert (CA cert below), thawte.pem.
I do
openssl verify -CAfile E:\openssl\certs\thawte.pem -purpose sslserver E:\openssl\files\myCert.pem
and got the same error.
I also tried to use -CApath that points to dir where all trusted certs are located. (BTW what does it mean "The certificates should have names of the form: hash.0" how to convert *.pem to ...?)
openssl verify -CApath E:\openssl\certs\ -purpose sslserver E:\openssl\files\myCert.pem
I'm tired of searching for a solution. I took a look at many mailing lists but still can't solve the problem.
Please help
Thanks !
>Reply-To: [EMAIL PROTECTED]
>To: "OpenSSL Dev (E-mail)" <[EMAIL PROTECTED]>
>Subject: Certificate Management
>Date: Tue, 16 Oct 2001 13:39:51 -0400
>
>Hi All:
>
>I've been using the example in ComLine in as a test harness and after much
>hair pulling and a crash course in sockets, I now can get data from certain
>secure servers on a Macintosh!!!
>
>And that's the catch... How come some work and some don't. Here's some
>trace from a site that doesn't work:
>
> Host Event.. FLUSH passed to
>`https://store.apple.com/1-800-MY-APPLE/WebObjects/canadastore.woa/'
> .
> .
> .
> HTTP........ Generating HTTP/1.x Request Headers
> HTTP........ Generating General Headers
> Buffer...... Flushing 0x0de0de30
> HTSSL New... Created new SSL Object 0x0de1af10
> HTSSL....... Setting up 0x0de1af10 on socket 3
> HTSSL....... New reference count = 1
> SSL_connect: before/connect initialization
> SSL_connect: SSLv2/v3 write client hello A
> depth = 0 /C=US/ST=California/L=Cupertino/O=Apple Computer, Inc./OU=Apple
>Computer, Inc./OU=Terms of use at www.verisign.com/rpa
>(c)00/CN=store.apple.com
> verify error: num=20:unable to get local issuer certificate
> verify return: 1
> depth = 0 /C=US/ST=California/L=Cupertino/O=Apple Computer, Inc./OU=Apple
>Computer, Inc./OU=Terms of use at www.verisign.com/rpa
>(c)00/CN=store.apple.com
> verify error: num=27:certificate not trusted
> verify return: 1
> depth = 0 /C=US/ST=California/L=Cupertino/O=Apple Computer, Inc./OU=Apple
>Computer, Inc./OU=Terms of use at www.verisign.com/rpa
>(c)00/CN=store.apple.com
> verify error: num=21:unable to verify the first certificate
> verify return: 1
> SSL_connect: SSLv2 read server hello A
> SSL_connect: SSLv2 write client master key A
> SSL_connect: SSLv2 client start encryption
> SSL_connect: SSLv2 write client finished A
> SSL_connect: error in SSLv2 read server verify A
> SSL_connect: error in SSLv2 read server verify A
> HTSSLWriter. SSL returned 1
> Error....... Add 73 Severity: 1 Parameter: `No Error' Where: `SSLWRITE'
>
>At SSL_Connect, there's a line about certificate not trusted (and other
>verify errors), which I believe is the cause of my problems, because on the
>sites I can get to, I don't get that.
>
>So, is there an API some place for the certificate management or some sample
>code? Any ideas would be appreciated!
>
>Best regards
>
>
>
>John Cebasek
>[EMAIL PROTECTED]
>
>______________________________________________________________________
>OpenSSL Project http://www.openssl.org
>Development Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
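On the "hash.0" naming asked about above: a -CApath directory is searched by file name, where the name is the hash of the certificate's subject name followed by a numeric suffix (.0, .1, ... for certificates sharing a hash). The following is an added example, not part of the original thread or of OpenSSL itself, that fills such a directory by copying each *.pem file to its hashed name; the function name hash_ca_dir and the two-directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: populate a -CApath directory with <subject-hash>.<n> copies
# of the trusted certificates found in a source directory.
# Usage: hash_ca_dir SRC_DIR CAPATH_DIR   (prints the number of files added)

hash_ca_dir() {
    src=$1
    dst=$2
    mkdir -p "$dst" || return 1
    count=0
    for pem in "$src"/*.pem; do
        [ -f "$pem" ] || continue
        # Subject-name hash as computed by the openssl binary on this machine.
        h=$(openssl x509 -hash -noout -in "$pem" 2>/dev/null) || {
            echo "skipping $pem: not a PEM certificate" >&2
            continue
        }
        fp=$(openssl x509 -fingerprint -noout -in "$pem")
        # Pick the first free suffix; skip the file if the very same
        # certificate (same fingerprint) is already present under this hash.
        n=0
        dup=0
        while [ -e "$dst/$h.$n" ]; do
            if [ "$(openssl x509 -fingerprint -noout -in "$dst/$h.$n")" = "$fp" ]; then
                dup=1
                break
            fi
            n=$((n + 1))
        done
        if [ "$dup" -eq 0 ]; then
            # Copy instead of symlink so the result also works on file
            # systems without symbolic links.
            cp "$pem" "$dst/$h.$n" || return 1
            count=$((count + 1))
        fi
    done
    echo "$count"
}
```

The hash algorithm behind -hash changed in OpenSSL 1.0.0, so the directory should be built with the same openssl version that will later read it.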
