Hell,

I've got a question regarding self-signed X509v3 certificates used in a TLS1.0 server/client environment. A communication partner uses a self-signed certificate as attached to this mail (can be retrieved from the TLS server 87.236.105.37:6619). My TLS client uses the following options:
SSL_CTX_load_verify_locations(ctx, NULL, tls_root_certpath)
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,  verify_callback);
    SSL_CTX_set_verify_depth(ctx, 9);
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET );

The server certificate is trusted in a directory where trusted certificates reside. In my application, a connect try ends with the following error:

certificate verify error 20: unable to get local issuer certificate: depth=0, subject: /emailAddress=deiningermichae...@johndeere.com/CN=jd_edi_gw.deere.com/OU=EDI/O=John Deere/L=Mannheim/ST=BW/C=DE, issuer: /emailAddress=deiningermichae...@johndeere.com/CN=jd_edi_gw.deere.com/OU=EDI/O=John Deere/L=Mannheim/ST=BW/C=DE

My opinion is that the self-signed certificate has the X509v3 basic constraint CA flag set to "false": (openssl x509 -in John_Deere_OFTP2_Prod_3.cer -noout -text)

            X509v3 Basic Constraints: critical
                CA:FALSE

A connect via "openssl s_client" also fails with this message:

openssl s_client -connect 87.236.105.37:6619 -tls1 -msg -debug -verify 9 -CApath /tmp/rootcerts/
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 501A2574C23B04543CC2CEAE6B930BB34B9A7A7A752213E32469399F77690FC8
    Session-ID-ctx: 
    Master-Key: 72CE5564EC8B591BE7E7B9156610379E73177615F26FCDEE0B58D81AB3C301DED5B0B4AF7881489E9E4D4D654554B72C
    Key-Arg   : None
    Start Time: 1343890805
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Is my assumption correct that the "CA"-flag must be set to "true" in order to work as a self-signed server certificate? I don't want to change my verify_callback function just in order to get it work (which could be easy). Conformity should be the first goal.


Regards,
Harald



Attachment: John_Deere_OFTP2_Prod_3.cer
Description: application/x509-ca-cert

Reply via email to