On Tue, Jul 01, 2003 at 03:19:14PM +0100, Marius Cabas wrote:
> I want to check the client certificate from an SSL server. In the
> callback function passed to SSL_CTX_set_verify() I'm getting the error
> 18: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (self signed certificate). I
> suppose the certificate I'm using is not the right one. Can somebody help
> me to generate all the types of certificates needed by an SSL server and
> client. Please, I'm new to OpenSSL.
[ Retry. Apologies if you get this twice. ]

(Without consulting the source...)

Typically, client certs are signed by a CA. To verify client certs, your server needs to know the CA's cert beforehand; the server loads the CA cert(s) via SSL_CTX_load_verify_locations.

The above error indicates your client is supplying a self-signed cert. By definition, a self-signed cert's CA is itself. In this case, your server is seeing the self-signed cert's CA (meaning the cert itself) for the first time over the SSL connection and is thus unable to verify it.

Check out how to run a CA using OpenSSL; there are numerous HOWTOs, one of which is here: http://www.post1.com/home/ngps/m2/

Create a CA, then try again with client certs signed by your CA.

<plug> You might also want to check out M2Crypto, a Python interface to OpenSSL, found at the same URL. </plug>

HTH.

-- 
Ng Pheng Siong <[EMAIL PROTECTED]>

http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
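The procedure the reply recommends, carried out with the openssl command line as an added example (this is editorial code, not part of the original thread or of M2Crypto): create a CA, issue a CA-signed client cert, and run the same chain check the server's verify callback performs against both that cert and a self-signed one. The working directory, subject names, the 365-day lifetime and the small req config are assumptions for illustration; the error numbers are the X509_V_ERR_* codes openssl verify reports (18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT from the question, 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).

```shell
#!/bin/sh
# Added example (not from the original thread): build a tiny CA with the
# openssl CLI, issue a CA-signed client cert, and compare how the verifier
# treats it against a self-signed client cert. File names, subject names
# and the 365-day lifetime are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the example does not depend on the system openssl.cnf.
# The ca_ext section marks the CA cert as a CA that may sign certificates.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = placeholder

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Extensions for the issued client cert: not a CA, client-auth only.
  printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' \
    > "$WORK/client.ext"
}

# 1. The CA: a self-signed cert that becomes the server's trust anchor
#    (the file the server would load via SSL_CTX_load_verify_locations).
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. A client key + CSR, then a cert signed by the CA.
make_signed_client() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=client1" -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORK/client.ext" -out "$WORK/client.crt" >/dev/null 2>&1
}

# 3. What the original poster's client was presenting: a self-signed cert
#    the server has never seen before.
make_selfsigned_client() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=selfsigned-client" -keyout "$WORK/selfsigned.key" \
    -out "$WORK/selfsigned.crt" >/dev/null 2>&1
}

# verify_error_code CERT [CAFILE]: run the chain check against the given
# trust anchor (default: our CA) and print the X509_V_ERR_* number, 0 for OK.
verify_error_code() {
  cert="$1"
  cafile="${2:-$WORK/ca.crt}"
  out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1 || true)
  # openssl verify reports failures as "error <n> at <depth> depth lookup: ..."
  code=$(printf '%s\n' "$out" \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
    | head -n 1)
  if [ -z "$code" ]; then
    case "$out" in
      *": OK"*) code=0 ;;
      *)        code=-1 ;;   # unexpected output, e.g. unreadable file
    esac
  fi
  printf '%s\n' "$code"
}

setup_pki() {
  write_config
  make_ca
  make_signed_client
  make_selfsigned_client
}

setup_pki
echo "CA-signed client, checked against our CA:     $(verify_error_code "$WORK/client.crt")"      # 0
echo "self-signed client, checked against our CA:   $(verify_error_code "$WORK/selfsigned.crt")"  # 18
echo "self-signed client, checked against itself:   $(verify_error_code "$WORK/selfsigned.crt" "$WORK/selfsigned.crt")"  # 0
echo "CA-signed client, checked against wrong CA:   $(verify_error_code "$WORK/client.crt" "$WORK/selfsigned.crt")"      # 20
```

The third line is the reply's point in action: the self-signed cert verifies fine once it is itself in the trust store, because its CA is itself; the server in the question simply did not have it there. The fourth line shows the other common mistake, loading the wrong CA file, which fails with a different code (20) rather than 18, so the error number tells you which of the two you are looking at.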