Thanks konark.

When I initialize my ctx I call the following functions:
# SSL_CTX_set_verify() with option SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
# SSL_CTX_set_client_CA_list( ctx, cafile)

Things are fine when the client requests a connection with a certificate signed by one of the listed CAs (in the cafile).

For some reasons I also wish to accept self-signed certs (the user needs to decide whether to accept or not).
So when a client comes up with a self-signed cert, the server reports an 'unknown ca' error. I understand that this is because it is not signed by a trusted CA. All I want to know is what needs to be done on the server side to accept the self-signed cert.

I really appreciate any kind of assistance.

Thanks
Samy









Konark <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
02.02.2006 14:12
Please respond to: openssl-users@openssl.org
To: openssl-users@openssl.org
Subject: RE: accepting self signed certs
 
Hi Samy,
 
1. If the server is ready to accept any unanimous certificate (a certificate that need not be verified by any of the server's trusted CAs), like in your case a self-signed client certificate, there is no point in asking for client authentication. If the server is requested for client authentication, the client should send a certificate, which must be issued by one of the server's trusted CAs.

2. Generally servers won't ask for client authentication for a general connection; whenever a client requests some critical resources, then through renegotiation the server can ask for client authentication. In this case client authentication is a must; it can't accept the self-signed or unanimous certificate.
 
Regards,
Konark
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Samy Thiyagarajan
Sent: Thursday, February 02, 2006 6:02 PM
To: openssl-users@openssl.org
Subject: accepting self signed certs

 

Hi,

My test server has a list of trusted CAs. Now I also want to accept connections requested by clients with self-signed certificates. Is there any simple way to accept the self-signed certs?


Thanks in advance.

Samy
