Ziyu, please see my answers inline. Thanks!
Mary

2011/5/27 Ziyu Liu <[email protected]>

> At 2011-05-27 13:27:43, "Mary Zhang" <[email protected]> wrote:
>
> > Thanks, Ziyu.
> >
> > The certificate is ok.
> > In fact, openssl s_client using same test cert works fine against openssl
> > s_server, and if I put the intermediate CA into my SSL server's ca file, it
> > works as well.
>
> Did you attach the intermediate CA to your client certificate chain file?
>
> [Mary] Yeah, client cert file contains the whole chain.
>
> > So the issue is that my SSL server is not building the cert chain
> > correctly to validate against the root ca.
> > And I'm not sure whether I missed some call/config to enable the cert
> > chain validation.
>
> There is no specific difference between cert or cert chain.
> What verification depth have you set?
> Have you set the same CN when generating the root CA and intermediate CA?
>
> [Mary] You mean for validation of cert or cert chain, there is no difference
> in code: same code should work? That's what I expected, but somehow it failed
> with chain case only.
> The verification depth is set to 10 by default (previous other's code), I
> may double check that part.
> The root CA and intermediate CA have different CNs. And I used xca to create them.
>
> You can test your server with the certificates in my attachment.
> Structure:
> rootcert.pem signs servercert.pem, an intermediate cert which is in the
> clientchian.pem
> an intermediate cert signs the clientcert.pem.
>
> [Mary] Will try, but my test certs work fine with OpenSSL s_client and
> s_server, and so don't think the certs have an issue.
>
> > Thanks!
> >
> > Mary
> >
> > 2011/5/26 Ziyu Liu <[email protected]>
> >
> > > Use the command 'openssl x509 -in serverCA.pem -text -noout' to check if
> > > your certificate is generated ok. When you are going to use the intermediate
> > > CA, you must use X509 v3 extension.
> > > Check if you have this content:
> > >
> > >     X509v3 extensions:
> > >         X509v3 Basic Constraints:
> > >             CA:TRUE
> > >
> > > At 2011-05-27 06:53:04, "Mary Zhang" <[email protected]> wrote:
> > >
> > > Hi,
> > >
> > > I am using OpenSSL for an SSL server and "openssl s_client" to test it with
> > > client auth required.
> > > Self-signed root cert is used for creating client certs, and the
> > > self-signed root cert is added to SSL server's trusted ca file.
> > >
> > > It works fine when client cert has no chain, but if the client cert is
> > > created by an intermediate ca which is signed by previous root ca, the SSL
> > > server failed with unknown ca.
> > > From the debug trace, looks like s_client sent the whole chain (the client
> > > cert file contains the private key and the whole chain in PEM format).
> > >
> > > I've thought that OpenSSL will automatically build the chain based on what
> > > is sent from client, and since the root ca is trusted, it should work.
> > > Am I wrong? Do I need to get the client's cert chain and set it to the SSL CTX
> > > for validation?
> > >
> > > BTW, here are the functions used:
> > >
> > > SSL_CTX_new(SSLv23_method());
> > > SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
> > > SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
> > > SSL_CTX_set_cipher_list(ctx, CIPHER_LIST)
> > > SSL_CTX_use_certificate_chain_file(ctx, cert_fname)
> > > SSL_CTX_use_PrivateKey_file(ctx, cert_fname, SSL_FILETYPE_PEM)
> > > STACK_OF(X509_NAME) *ca_certs = SSL_load_client_CA_file((char*)ca_fname);
> > > SSL_CTX_set_client_CA_list(ctx, ca_certs);
> > > SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr)
> > > SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
> > > NULL);
> > > SSL_CTX_set_verify_depth(ctx, _verify_depth);
> > >
> > > Thank you very much!
> > >
> > > Mary
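The situation discussed in this thread, reproduced with throwaway certificates so the three cases can be compared side by side: the client leaf presented alone, the leaf plus the intermediate the client sends, and Mary's workaround of putting the intermediate into the server's CA file. It also includes Ziyu's point about the intermediate needing an X509v3 basicConstraints CA:TRUE extension, both as the `openssl x509 -text -noout` check he recommends and as a verification that fails when the extension is missing. This is an added example written for this page, not code from the thread or from OpenSSL; every file name, subject name and function name in it is constructed for the demo. `openssl verify -CAfile` stands in for `SSL_CTX_load_verify_locations`, and `-untrusted` stands in for the extra certificates the client sends along with its own (the chain `s_client` reads from the client's chain file).

```shell
#!/bin/sh
# Added example (not code from this thread or from OpenSSL): rebuild the
# setup Mary describes with throwaway certificates and show when OpenSSL can
# and cannot build the client's chain back to the trusted root. All file
# names and subject names below are constructed for this demo.
set -eu

# sign_with <dir> <name> <issuer> <extfile>: issue <name>.pem from <name>.csr,
# signed by <issuer>.key, with the X509v3 extensions listed in <extfile>.
sign_with() {
    openssl x509 -req -sha256 -days 1 -in "$1/$2.csr" \
        -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -extfile "$1/$4" -out "$1/$2.pem" 2>/dev/null
}

# make_test_pki <dir>: create in <dir>
#   root.pem        self-signed root CA (the only cert the "server" trusts)
#   inter.pem       intermediate signed by root, WITH basicConstraints CA:TRUE
#   noca.pem        intermediate signed by root, WITHOUT CA:TRUE (Ziyu's point)
#   client.pem      client cert signed by inter.pem
#   badclient.pem   client cert signed by noca.pem
#   clientchain.pem client.pem followed by inter.pem: what s_client sends
make_test_pki() {
    pki_dir=$1
    # Minimal req config so the script does not depend on the system
    # openssl.cnf; -subj overrides the placeholder DN.
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' \
        >"$pki_dir/req.cnf"
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
        >"$pki_dir/ca.ext"
    printf '# deliberately no basicConstraints = CA:TRUE\nsubjectKeyIdentifier = hash\n' \
        >"$pki_dir/noca.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' \
        >"$pki_dir/leaf.ext"

    for name in root inter noca client badclient; do
        openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$pki_dir/req.cnf" \
            -subj "/CN=demo $name" -keyout "$pki_dir/$name.key" \
            -out "$pki_dir/$name.csr" 2>/dev/null
    done
    openssl x509 -req -sha256 -days 1 -in "$pki_dir/root.csr" -signkey "$pki_dir/root.key" \
        -extfile "$pki_dir/ca.ext" -out "$pki_dir/root.pem" 2>/dev/null
    sign_with "$pki_dir" inter     root  ca.ext
    sign_with "$pki_dir" noca      root  noca.ext
    sign_with "$pki_dir" client    inter leaf.ext
    sign_with "$pki_dir" badclient noca  leaf.ext
    cat "$pki_dir/client.pem" "$pki_dir/inter.pem" >"$pki_dir/clientchain.pem"
}

# has_ca_true <cert.pem>: Ziyu's 'openssl x509 -text -noout' check as a predicate.
has_ca_true() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# verify_leaf <trusted.pem> <leaf.pem> [untrusted.pem]: what the server does at
# handshake time. -CAfile plays the role of SSL_CTX_load_verify_locations;
# -untrusted plays the role of the extra certificates the client sends.
verify_leaf() {
    if [ $# -ge 3 ]; then
        verify_out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || return 1
    else
        verify_out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    fi
    case $verify_out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# show <label> <command...>: print the outcome of one check.
show() {
    show_label=$1
    shift
    if "$@"; then echo "ok    $show_label"; else echo "fail  $show_label"; fi
}

run_demo() {
    demo_dir=$(mktemp -d)
    make_test_pki "$demo_dir"
    # Mary's workaround: put the intermediate into the server's CA file.
    cat "$demo_dir/root.pem" "$demo_dir/inter.pem" >"$demo_dir/cafile_with_inter.pem"

    show "inter.pem carries CA:TRUE" has_ca_true "$demo_dir/inter.pem"
    show "noca.pem carries CA:TRUE (expected: fail)" has_ca_true "$demo_dir/noca.pem"
    show "leaf alone vs root, nothing else sent (expected: fail, unknown issuer)" \
        verify_leaf "$demo_dir/root.pem" "$demo_dir/client.pem"
    show "leaf + chain the client sends vs root" \
        verify_leaf "$demo_dir/root.pem" "$demo_dir/client.pem" "$demo_dir/clientchain.pem"
    show "leaf vs CA file that also holds the intermediate" \
        verify_leaf "$demo_dir/cafile_with_inter.pem" "$demo_dir/client.pem"
    show "leaf issued by intermediate without CA:TRUE (expected: fail)" \
        verify_leaf "$demo_dir/root.pem" "$demo_dir/badclient.pem" "$demo_dir/noca.pem"
    rm -rf "$demo_dir"
}

run_demo
```

Run it as `sh chain_demo.sh` with the `openssl` binary on the PATH; it builds the whole PKI in a temporary directory and removes it afterwards. The second and third cases are the ones that matter for the thread: when the intermediate arrives with the client's certificate, OpenSSL builds the chain to the trusted root without the intermediate being in the CA file, so the server-side code in Mary's list is enough in principle. If this offline verification passes but the handshake still fails with "unknown ca", the difference lies in what the server actually receives or in how the chain file was assembled, and a verify callback installed with `SSL_CTX_set_verify` that reads `X509_STORE_CTX_get_error` and `X509_STORE_CTX_get_error_depth` will name the certificate in the chain that was rejected and the reason. The last case shows the failure Ziyu warns about: an intermediate issued without `CA:TRUE` is not accepted as an issuer even though its signature over the leaf is valid.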
