Dave -
Thanks much!
> If the filename can't be opened SSL_CTX_load_verify_locations returns
false. Your code does check for that, I hope.
Good to know. Thanks. (Sometime APIs just "stash" a name somewhere for use
later.) Yes, I check every return code and put out a good error message if
the call fails.
> the Windows *API* has no problem with space in filename (unlike some
Windows *UIs*).
Like, say, VBA, or at least the MS-Word fields.
> And it actually accepts either slash or backslash separator
Right, I knew that, but I should remember it with MS-Word (which I use a lot
for documentation). Not having to escape \ would be a small step forward.
Thanks.
> Make sure ... the Subject and Issuer names are *exactly* the same
> if your self-signed cert has a KeyUsage extension that does not include
certSign,
> OpenSSL skips it for chain-building, resulting in verify 20.
Looks like the latter to me. Please look below and tell me if you don't
agree. If so, I fear it is unsolvable, but it does not really matter as the
Kiwi is just for testing and if I know why it is failing that is almost as
good as it succeeding. I can bypass the verify failure and use it to test
everything else. My own client and server with a more conventional cert and
CA setup is verifying.
Here is a little of the s_client output:
depth=0 /CN=KiwiServer
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=KiwiServer
verify error:num=21:unable to verify the first certificate
verify return:1
And here is the certificate -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
62:72:81:ef:1c:37:e2:9b:4f:ce:08:bb:a6:bf:82:03
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=KiwiServer
Validity
Not Before: Jul 27 21:05:20 2012 GMT
Not After : Jul 27 00:00:00 2013 GMT
Subject: CN=KiwiServer
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
<snip>
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Signature Algorithm: sha1WithRSAEncryption
<snip>
-----END CERTIFICATE-----
Charles
-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Monday, August 13, 2012 7:09 PM
To: openssl-users@openssl.org
Subject: RE: CA for IIS-issued self-signed certificate?
> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Saturday, 11 August, 2012 08:57
> I wondered if perhaps there were path or filename specification
> problems (need to escape backslashes? a problem with embedded spaces?)
> but I eliminated all of those variables -- put the certificate with a
> "simple"
> name in the current path.
>
If the filename can't be opened SSL_CTX_load_verify_locations returns false.
Your code does check for that, I hope.
FWIW, the Windows *API* has no problem with space in filename (unlike some
Windows *UIs*). And it actually accepts either slash or backslash separator
(and sometimes slash is more convenient).
> What do I look for? How do I get more granularity than "unable to get
> local issuer certificate"?
>
Top-level cut: do you get the same error (verify 20) with s_client?
If so, the problem is either the cert or the truststore, and you're
confident of the truststore. Make sure the description as self-signed (or at
least self-issued) is correct, i.e. the Subject and Issuer names are
*exactly* the same. If s_client works, the problem is almost certainly (say
99.9%) in your code.
This reminds me of one possibility that came up with someone else a few
weeks ago: if your self-signed cert has a KeyUsage extension that does not
include certSign, OpenSSL skips it for chain-building, resulting in verify
20. If you look at the cert with the usual Windows tools (inetcpl,
CryptExtOpenCER, mmc) you should be able to see if KeyUsage is present and
if so what is in it, or you can use commandline openssl x509 -text.
If neither of the above, you probably do need to debug, but:
> I'm using a pre-built Windows distribution of OpenSSL 1.0.1c.
> It will take
> some re-arrangement to be able to trace into OpenSSL.
>
That's unfortunate.
> 64-bit Windows, if that matters.
>
It shouldn't, but if there's a bug somewhere, it might.
<snip previous>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
