Thanks to openssl.org, and Lutz, I have made a client server connection
using DH for key negotiation, and RSA for checking both client and server.
Of course I would like to check the CRL (I use openssl 0.9.7).
I have made a CA certificate and 3 client certificates; the 3rd is now
invalid in the CRL. I have a .pem file including both the CA certificate and
the CRL.
I use the SSL_CTX_load_verify_locations function to load the CA cert and
CRL.
I use
    store = SSL_CTX_get_cert_store(ssl_ctx);
    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
in order to check the CRL (as done in the s_client utility).
But whether I use a valid cert (number 1) or the invalid cert (number 3) for
the client,
the server message is: "error:14094418:lib(20):funct(148):reason(1048)"
The client message is: "error:14090086:SSL routine:SSL3_GET_SERVER_CERTIFICTATE:certificate verify failed"
What should I do?
Thanks a lot
Philippe
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Lutz Jaenicke
Sent: Wednesday, 15 January 2003 14:21
To: [EMAIL PROTECTED]
Subject: Re: RE : DH and RSA for TLS
On Wed, Jan 15, 2003 at 01:27:58PM +0100, p b wrote:
> I now use the DH-RSA-AES128-SHA cipher.
>
> I have made a .pem file with my DH parameters. I load them using the
> PEM_read_DHparams function.
>
> HOW DO YOU PUT THOSE PARAMETERS IN THE SSL_CTX (if needed)?
man SSL_CTX_set_tmp_dh_callback
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
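Added example (not part of the original mail, and not OpenSSL code): the two error strings quoted in the message above can be unpacked by hand to see which side rejected what. It assumes the pre-3.0 OpenSSL packed error layout (8-bit library, 12-bit function, 12-bit reason) and that SSL-library reasons of 1000 and above are TLS alerts received from the peer (reason minus 1000); `decode_error_line` and `alert_name` are hypothetical helper names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIB_SSL 20            /* value of ERR_LIB_SSL */
#define ALERT_OFFSET 1000     /* value of SSL_AD_REASON_OFFSET */

struct ossl_err { int lib, func, reason, alert; };

/* Parse "error:XXXXXXXX:..." (hypothetical helper, pre-3.0 layout).
 * Returns 0 on success, -1 on malformed input. alert is the TLS alert
 * number received from the peer, or -1 when the reason is a local one. */
int decode_error_line(const char *line, struct ossl_err *out)
{
    const char *p = strstr(line, "error:");
    char *end;
    unsigned long code;

    if (p == NULL) return -1;
    p += strlen("error:");
    code = strtoul(p, &end, 16);
    if (end - p != 8 || *end != ':') return -1;   /* need 8 hex digits */
    out->lib    = (int)((code >> 24) & 0xff);
    out->func   = (int)((code >> 12) & 0xfff);
    out->reason = (int)(code & 0xfff);
    out->alert  = (out->lib == LIB_SSL && out->reason >= ALERT_OFFSET)
                      ? out->reason - ALERT_OFFSET : -1;
    return 0;
}

/* Certificate-related TLS alert descriptions (RFC 2246 numbering). */
const char *alert_name(int alert)
{
    switch (alert) {
    case 42: return "bad_certificate";
    case 43: return "unsupported_certificate";
    case 44: return "certificate_revoked";
    case 45: return "certificate_expired";
    case 46: return "certificate_unknown";
    case 48: return "unknown_ca";
    default: return alert < 0 ? "local error, no alert" : "other alert";
    }
}

int main(void)
{
    /* The two strings quoted in the mail, copied as written there. */
    const char *lines[] = {
        "error:14094418:lib(20):funct(148):reason(1048)",
        "error:14090086:SSL routine:SSL3_GET_SERVER_CERTIFICTATE:certificate verify failed" };
    struct ossl_err e;
    for (int i = 0; i < 2; i++)
        if (decode_error_line(lines[i], &e) == 0)
            printf("lib=%d func=%d reason=%d -> %s\n", e.lib, e.func, e.reason, alert_name(e.alert));
    return 0;
}
```

The server's line decodes to reason 1048, i.e. alert 48 (unknown_ca) received from the client, while the client's line carries a local reason (134) matching its "certificate verify failed" text.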