On Thu, Jan 16, 2003 at 11:38:40AM +0100, p b wrote:
>
> Thanks to openssl.org, and Lutz, I have made a client server connection
> using DH for key negotiation, and RSA for checking both client and server.
>
> Of course I would like to check the CRL (I use openssl 0.9.7)
>
> I have made an AC certificate and 3 client certificates; the 3rd is now
> invalid in the CRL. I have a .pem file including both the AC certificate and
> the CRL.
>
> I use the SSL_CTX_load_verify_locations function to load the AC cert and
> CRL.
> I use store = SSL_CTX_get_cert_store(ssl_ctx);
> X509_STORE_set_flags(store,X509_V_FLAG_CRL_CHECK)
> in order to check the CRL. (as made in the s_client utility)
>
>
> But even if I use a valid cert (number 1) or the invalid cert (number 3) for
> the client,
> The server message is: "error:14094418:lib(20):funct(148):reason(1048)"
> The client message is: "error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
>
> What should I do ?
Carefully read the messages displayed :-)
The client is complaining about the server certificate: certificate verify
failed. (You need to check the verify_result to learn more about the reason.)
The server says:
serv01 22: openssl errstr 14094418
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Therefore: it is the client that is unhappy with the server's certificate
and thus stops the negotiation. This takes place before the client certificate
is even sent...
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
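As an added example (not part of either message above), this decodes the two packed error codes from the thread the way `openssl errstr` does, which is how one sees that the server's opaque "lib(20):func(148):reason(1048)" is a TLS alert received from the client. The function and reason names are the ones the page shows, the alert descriptions come from RFC 2246 section 7.2, and the lib/func/reason bit layout plus the 1000 alert offset are OpenSSL's pre-3.0 error packing.

```python
"""Decode packed OpenSSL (0.9.x / 1.x) error codes: lib(8 bits) | func(12 bits) | reason(12 bits)."""

ERR_LIB_SSL = 20             # library id printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reasons >= 1000 mean "peer sent this TLS alert"

# Numeric ids and names as they appear in the two error strings on this page.
SSL_FUNC_NAMES = {144: "SSL3_GET_SERVER_CERTIFICATE", 148: "SSL3_READ_BYTES"}
SSL_REASON_NAMES = {134: "certificate verify failed"}

# TLS alert descriptions (RFC 2246, section 7.2); 44 is what a CRL hit produces.
TLS_ALERTS = {
    42: "bad certificate", 43: "unsupported certificate", 44: "certificate revoked",
    45: "certificate expired", 46: "certificate unknown", 48: "unknown ca",
    49: "access denied", 50: "decode error", 51: "decrypt error",
}


def unpack_error(code):
    """Split a packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def peer_alert(code):
    """Return the TLS alert number if the error records an alert sent by the peer, else None."""
    lib, _func, reason = unpack_error(code)
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        return reason - SSL_AD_REASON_OFFSET
    return None


def describe_error(code):
    """Render the code like `openssl errstr`, tagging which side actually failed."""
    lib, func, reason = unpack_error(code)
    if lib != ERR_LIB_SSL:
        return f"error:{code:08x}:lib({lib}):func({func}):reason({reason})"
    func_name = SSL_FUNC_NAMES.get(func, f"func({func})")
    alert = peer_alert(code)
    if alert is not None:
        reason_text = "tlsv1 alert " + TLS_ALERTS.get(alert, f"unknown alert {alert}")
        side = "alert received from peer: the verification failed on the other side"
    else:
        reason_text = SSL_REASON_NAMES.get(reason, f"reason({reason})")
        side = "local failure: inspect SSL_get_verify_result() for the X509 reason"
    return f"error:{code:08x}:SSL routines:{func_name}:{reason_text} [{side}]"


if __name__ == "__main__":
    for code in (0x14094418, 0x14090086):  # server-side and client-side codes from the thread
        print(describe_error(code))
```

Run it and the server's code comes out as "tlsv1 alert unknown ca", i.e. the client rejected the server's certificate, exactly the conclusion drawn in the reply.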