Steps to reproduce:

    mkdir client_cert_test
    mkdir CA
    cd CA
    openssl req -out CA.pem -new -x509
    openssl pkcs12 -export -out CA.pfx -inkey privkey.pem -in CA.pem
    echo "00" > serial
    cd ..

    mkdir server
    cd server
    openssl genrsa -out server.key 1024
    openssl req -key server.key -new -out server.req
    openssl x509 -req -in server.req -CA ../CA/CA.pem -CAkey ../CA/privkey.pem -CAserial ../CA/serial -out server.pem
    cd ..

    mkdir client
    cd client
    openssl genrsa -out client.key 1024
    openssl req -key client.key -new -out client.req
    openssl x509 -req -in client.req -CA ../CA/CA.pem -CAkey ../CA/privkey.pem -CAserial ../CA/serial -out client.pem
    cd ..

    mkdir client2
    cd client2
    openssl genrsa -out client.key 1024
    openssl req -key client.key -new -out client.csr
    openssl x509 -req -in client.csr -signkey client.key -out client.pem
    cd ..

    cd server
    openssl s_server -cert server.pem -key server.key -CAfile ../CA/CA.pem -accept 4040 -Verify 5

    <open new terminal>

    cd client
    openssl s_client -cert client.pem -key client.key -connect localhost:4040 -CAfile ../CA/CA.pem
    <this works>
    <gives a line like: "depth=0 C = US, ST = PA, L = PGH, O = Client verify return:1" on the server>

    cd ../client2
    openssl s_client -cert client.pem -key client.key -connect localhost:4040 -CAfile ../CA/CA.pem
    <this also works>
    <gives a line like "depth=0 C = US, ST = PA, L = PGH, O = Client-Bad verify error:num=18:self signed certificate" on the server>
With -verify and -Verify I believe that the server should reject the connection if the certificate isn't signed by a valid CA. Is there a way to emulate such behaviour, or is there a reason that this behaves in such a manner?

Thanks,
Jim Keener

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
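The behaviour the post expects (a server that requires a client certificate and refuses the handshake when that certificate does not chain to the trusted CA) can be checked outside the s_server/s_client apps. The following is an added example, not code from the post or from the OpenSSL project: it uses the `openssl` binary only to mint a throwaway CA, a server cert, a CA-signed client cert and a self-signed client cert (the "client" and "client2" cases above, with constructed names), then drives one mutual-TLS handshake per client cert through Python's stdlib `ssl` module and returns the server's verdict. The function names (`make_pki`, `server_accepts`, `demo`) and the temp-dir layout are this example's own.

```python
"""Added example (not from the original post): enforce client-certificate
verification with Python's ssl module and observe that a self-signed client
certificate is rejected while a CA-signed one is accepted.

Assumptions: an `openssl` binary is on PATH (used only to create throwaway
keys and certificates in a temp dir); everything else is stdlib."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def openssl_available():
    return shutil.which("openssl") is not None


def _run(*args, cwd):
    subprocess.run(["openssl", *args], cwd=cwd, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_pki(workdir):
    """Mint a CA, a server cert, a CA-signed client cert and a self-signed
    client cert (constructed names, mirroring CA/server/client/client2)."""
    _run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=Test CA", "-keyout", "ca.key", "-out", "ca.pem", cwd=workdir)
    # The server cert carries a SAN so the client's hostname check passes.
    with open(os.path.join(workdir, "san.cnf"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    for name, subj in (("server", "/CN=localhost"), ("client", "/CN=Client")):
        _run("req", "-newkey", "rsa:2048", "-nodes", "-subj", subj,
             "-keyout", f"{name}.key", "-out", f"{name}.csr", cwd=workdir)
        extra = ["-extfile", "san.cnf"] if name == "server" else []
        _run("x509", "-req", "-days", "1", "-in", f"{name}.csr",
             "-CA", "ca.pem", "-CAkey", "ca.key", "-CAcreateserial",
             "-out", f"{name}.pem", *extra, cwd=workdir)
    # Self-signed client cert: the "client2" case from the post.
    _run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=Client-Bad", "-keyout", "bad.key", "-out", "bad.pem",
         cwd=workdir)


def server_accepts(workdir, client_cert, client_key):
    """One mutual-TLS handshake against an in-process server that requires a
    client cert chaining to ca.pem. Returns True only if the server side
    completed the handshake and exchanged application data."""
    p = lambda n: os.path.join(workdir, n)
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.verify_mode = ssl.CERT_REQUIRED        # require AND verify a client cert
    srv_ctx.load_cert_chain(p("server.pem"), p("server.key"))
    srv_ctx.load_verify_locations(p("ca.pem"))     # only this CA may issue client certs

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    verdict = []

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        try:
            # wrap_socket runs the handshake; a chain that does not reach
            # ca.pem raises SSLError here instead of being merely logged.
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(2)
                tls.sendall(b"ok")
                verdict.append(True)
        except (ssl.SSLError, OSError):
            verdict.append(False)
        finally:
            conn.close()

    t = threading.Thread(target=serve)
    t.start()
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname check + CERT_REQUIRED
    cli_ctx.load_verify_locations(p("ca.pem"))
    cli_ctx.load_cert_chain(p(client_cert), p(client_key))
    port = listener.getsockname()[1]
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                cli_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"hi")     # under TLS 1.3 the rejection may only surface here
            tls.recv(2)
    except (ssl.SSLError, OSError):
        pass                       # expected when the server refused our cert
    t.join(5)
    listener.close()
    return verdict == [True]


def demo():
    """Run both client certs against the enforcing server."""
    with tempfile.TemporaryDirectory() as d:
        make_pki(d)
        return {"ca_signed": server_accepts(d, "client.pem", "client.key"),
                "self_signed": server_accepts(d, "bad.pem", "bad.key")}


if __name__ == "__main__":
    print(demo())   # expected: {'ca_signed': True, 'self_signed': False}
```

The difference from the s_server session in the post is where the verification result goes: here it is the server context's `verify_mode` that decides, so a failed chain aborts the handshake rather than only printing `verify error:num=18`. For the command-line apps, the s_server and s_client manual pages document `-verify_return_error`, which turns verification errors that would otherwise just be printed into a closed connection; when auditing a deployment, check that whatever performs the handshake actually acts on the verify result rather than logging it.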