I am testing my implementation of OpenSSL within an existing application by creating certificates using the instructions in the O'Reilly book, chapter 5. When I use the client.pem file with SSL_CTX_set_certificate_chain_file, and the root.pem file with SSL_CTX_load_verify_locations, then SSL_connect() throws the following error:
error 18: self signed certificate

However, when I check these same files with 'openssl verify', OK is reported. What could be causing this discrepancy?

Following is a listing of the client.pem file generated by 'openssl x509 -noout -text -in client.pem'

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: de:b5:0b:6c:40:2e:69:91
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=exampleCA, ST=Washington, C=US/[EMAIL PROTECTED], O=Root Certification Authority
        Validity
            Not Before: Apr 7 17:18:59 2005 GMT
            Not After : May 7 17:18:59 2005 GMT
        Subject: CN=example org, ST=WA, C=US/[EMAIL PROTECTED], O=iWave Testing
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b5:4a:8a:45:ff:3c:b0:54:b9:58:41:54:34:c3:
                    d1:5e:c2:26:77:aa:1f:02:99:9c:f8:97:65:ce:0c:
                    8f:dc:00:72:39:98:ed:07:71:75:c4:aa:a5:7a:39:
                    b1:8c:cd:c5:a8:4a:c7:8b:0b:e0:6d:1f:1a:e5:53:
                    75:10:1d:cb:66:0f:41:2f:72:41:ff:67:df:f6:c5:
                    49:b4:16:f4:e0:af:5d:fb:96:3c:39:97:c9:61:ff:
                    57:17:8c:93:07:b0:dd:1c:2c:47:76:27:77:eb:57:
                    b5:8d:bb:5f:92:88:01:de:5c:af:2d:ca:19:a8:27:
                    89:a4:47:ee:47:06:34:7a:1b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        49:cf:06:42:0a:f6:fb:df:ee:82:28:be:09:c9:e7:26:e9:3d:
        2e:18:7b:dc:22:d2:92:f8:36:70:ac:92:8f:1d:f6:71:64:5f:
        46:92:7f:69:94:03:bc:54:8c:f3:2f:da:36:78:69:5d:05:68:
        e9:b4:0e:01:46:60:4d:54:86:79:1f:77:f4:6f:3c:ca:c3:a4:
        03:53:7e:d2:96:1d:07:cd:8d:3d:fd:b1:3e:73:65:cf:4f:00:
        12:9f:a6:ec:d9:e1:df:ae:79:f6:75:ed:23:76:75:93:98:4f:
        47:54:b1:48:75:d6:77:48:b4:ce:4a:33:f0:d9:57:6b:78:8c:
        5f:7b

Following is a listing of the root.pem file generated by 'openssl x509 -noout -text -in root.pem'

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: de:e5:6f:af:45:ff:0f:46
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=exampleCA, ST=Washington, C=US/[EMAIL PROTECTED], O=Root Certification Authority
        Validity
            Not Before: Apr 7 16:31:30 2005 GMT
            Not After : May 7 16:31:30 2005 GMT
        Subject: CN=exampleCA, ST=Washington, C=US/[EMAIL PROTECTED], O=Root Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:80:95:33:35:d6:b1:3f:42:8d:91:78:1f:fb:
                    ce:34:62:e9:04:ff:68:d5:a1:6c:6b:a3:77:27:c7:
                    41:e2:c4:26:0f:a8:db:d3:c6:af:ae:62:b6:40:1a:
                    5d:ff:70:76:28:7a:9b:52:40:0c:10:29:0a:c2:a6:
                    17:90:52:7f:53:b4:a2:e1:a5:83:b0:19:e5:f7:3e:
                    a7:9a:5c:9b:40:7d:37:8c:4f:88:49:28:c6:60:46:
                    a2:a0:2e:02:1c:04:2a:75:2c:8f:fc:28:09:d6:18:
                    33:56:bc:e0:10:71:f7:42:a6:6c:fd:5d:d7:c5:cb:
                    f1:6b:ef:07:ee:09:99:74:41
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        26:c2:58:9a:b7:1c:74:67:34:c1:49:28:c4:5d:8e:4f:87:65:
        d5:46:d3:4a:2e:3d:83:8b:ea:74:e9:00:df:0b:3a:db:0a:7b:
        77:e2:b7:f8:c4:79:44:a8:31:58:78:32:ae:71:08:c9:7e:5e:
        4a:92:33:f6:d3:21:b6:62:2e:0c:71:aa:79:3b:9f:40:77:69:
        b1:bf:b6:ee:ff:66:e5:e8:f2:6b:e2:ac:1c:7d:0e:ed:ff:a3:
        21:37:1d:3c:a0:4a:9d:46:38:ff:b3:ff:6f:f3:c8:0f:19:bc:
        74:a4:53:5a:6b:df:12:cc:3f:38:15:2c:ae:62:25:9c:da:2d:
        0a:75

______________________________
John Hoel
Product Author
Skywire Software
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
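
Added example, not part of the original post: the verify result reported by SSL_connect() applies to the certificate chain the peer presents, whereas 'openssl verify' in the post was run on the client's own client.pem. The constructed lab below checks the same root.pem against an issued certificate and against a self-signed one; server.pem, its subject and all keys are throwaway assumptions.

```shell
#!/bin/sh
# Constructed lab: throwaway keys and certificates in a temporary directory.
# root.pem and client.pem follow the names in the post; server.pem is a
# hypothetical stand-in for whatever certificate the peer actually sends.

make_lab() {
    dir=$(mktemp -d) || return 1
    # Self-signed root CA (the file given to SSL_CTX_load_verify_locations).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=exampleCA" \
        -keyout "$dir/rootkey.pem" -out "$dir/root.pem" 2>/dev/null || return 1
    # Client certificate issued by that root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example org" \
        -keyout "$dir/clientkey.pem" -out "$dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/rootkey.pem" -CAcreateserial -days 30 \
        -out "$dir/client.pem" 2>/dev/null || return 1
    # Peer certificate that is self-signed and NOT issued by the root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=server.example" \
        -keyout "$dir/serverkey.pem" -out "$dir/server.pem" 2>/dev/null || return 1
    echo "$dir"
}

# Print the numeric X509 verify error for certificate $2 checked against
# CA file $1, or 0 when no error line is reported. The error line is parsed
# instead of the exit status because old openssl releases exit 0 on failure.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
    echo "${code:-0}"
}

# Demonstration: the same trust anchor gives different results depending on
# which certificate is being verified.
lab=$(make_lab) && {
    echo "client.pem against root.pem: error $(verify_code "$lab/root.pem" "$lab/client.pem")"
    echo "server.pem against root.pem: error $(verify_code "$lab/root.pem" "$lab/server.pem")"
    rm -rf "$lab"
}
```

Error 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the certificate at depth 0 is self-signed and is not in the trusted store. To run the same check on a live connection, save the peer's certificate (for example from 'openssl s_client -showcerts') and pass it to verify_code in place of server.pem.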