RETRY (previous attempt 01-31 19:34 EST not seen)

>From: owner-openssl-us...@openssl.org On Behalf Of Hazrat Shah
>Sent: Thursday, 31 January, 2013 18:12

>I am running the openssl tool from the FIPCA utility kit to check
>the server certificate. I am getting errors 20 and 21.
>The certificate is retrieved successfully from the server and displayed
>on the DOS console. However, errors 20 and 21 are shown prior to the
>certificate contents display and the "Verify return code: 21 (unable to
>verify the first certificate)" message is shown as the last message.

"retrieved" is not the best wording. The server sends whatever cert it chooses and should send any chain cert(s) needed for that cert, optionally omitting the root cert ending the chain (if any; if the server cert is selfsigned there is no separate root cert). The client has only limited control/influence over the server cert/chain.

20 is the real error = can't get issuer locally; 21 is derivative. Is s_client receiving a single cert or a chain of more than one cert, and if so on which cert is the error 20 occurring? What is the issuer of that cert, and is the issuer a root (in which case it should be in the local truststore, see below) or not (in which case the server should send it and may need to be reconfigured, although openssl will actually use intermediates that are in the local truststore)?

>C:\FIPS-CA\ssl_dev>openssl s_client -connect 172.30.128.193:443
>-CAfile C:\Windows\System32\CertSrv\CertEnroll\TrustedCA.txt

>I installed the certificate in local machine which should not be
>required to pass this test.

<Clinton>I'm not sure what you mean by 'installed' and by 'pass'.</>

A. For an openssl client, including s_client, to verify a server cert/chain as good, the root of that chain must be in the client truststore used.

A1. If you specify -CAfile and/or -CApath to s_client, or the equivalent calls to the library, that is the truststore used and the server's root must be there. Is that 'installed'?

A2. Otherwise, the server's root must be in the default truststore.
A2a. It might already be in the default truststore and you do nothing.
A2b. It might not already be in the default truststore and you add it. Is that 'installed'?
A3. If the server is using a unique selfsigned cert it is unlikely to already be in the client truststore (A2a), so probably A1 or A2b.

B. s_client displays verify error(s) but overrides and continues. For calls to the library you can set a callback that does this. Is that 'pass'? Or do you want good verification? Then see above.

C. Or is the 'local' machine not the same as the client machine?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
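The reply above asks the poster for two things before anything else: how many certs the server actually sent and which one error 20 fired on, and whether the root of that chain is in the truststore s_client was given (points A/A1). The script below is an added example for this thread, not code from the poster or from the OpenSSL project. It pulls those facts out of an s_client transcript (a constructed sample is embedded, since no server is available offline), and it reproduces error 20 with `openssl verify` on a throwaway CA and leaf, which needs no network, then shows the same chain verifying once the CA is supplied with -CAfile. It assumes an `openssl` binary on PATH for the certificate part; all names, paths and the transcript are constructed for the demo.

```shell
#!/bin/sh
# Added example for this openssl-users thread (not the poster's or OpenSSL's
# own code). Assumes `openssl` on PATH; every name below is constructed.

WORK="${TMPDIR:-/tmp}/verify-demo.$$"

# Build a throwaway root CA and a leaf signed by it (stand-in for the server
# cert). Demo keys only: short-lived, never reused anywhere.
make_certs() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }

# verify_error [openssl verify options...] cert.pem
# Prints 0 when the chain verifies, otherwise the first "error N" number
# openssl verify reports (20 = unable to get local issuer certificate).
verify_error() {
  out=$(openssl verify "$@" 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Constructed s_client transcript: the server sent only its leaf and the
# client's truststore does not hold "Demo Root CA", hence 20 then 21.
sample_s_client_output() {
  cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = demo.example
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = demo.example
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = demo.example
   i:CN = Demo Root CA
---
Server certificate
subject=CN = demo.example
issuer=CN = Demo Root CA
---
SSL handshake has read 1234 bytes and written 456 bytes
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Number of certs listed in the "Certificate chain" block (transcript on stdin).
chain_cert_count() {
  awk '/^Certificate chain$/{inchain=1; next} /^---$/{inchain=0}
       inchain && /^ *[0-9]+ s:/{n++} END{print n+0}'
}

# Issuer of the chain entry at position N (0 = the leaf), transcript on stdin.
issuer_of() {
  awk -v want="$1" '/^ *[0-9]+ s:/{idx=$1}
       idx==want && /^ *i:/{sub(/^ *i:/,""); print; exit}'
}

# First "verify error:num=N" seen during the handshake; 0 if none.
first_verify_error() {
  n=$(sed -n 's/^verify error:num=\([0-9][0-9]*\):.*/\1/p' | head -n 1)
  echo "${n:-0}"
}

# The final "Verify return code: N" line; 0 if absent.
verify_return_code() {
  n=$(sed -n 's/.*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1)
  echo "${n:-0}"
}

demo() {
  echo "--- parsed from the constructed s_client transcript ---"
  echo "certs sent by server: $(sample_s_client_output | chain_cert_count)"
  echo "issuer of cert 0:     $(sample_s_client_output | issuer_of 0)"
  echo "first verify error:   $(sample_s_client_output | first_verify_error)"
  echo "Verify return code:   $(sample_s_client_output | verify_return_code)"
  if command -v openssl >/dev/null 2>&1 && make_certs; then
    echo "--- openssl verify against the throwaway CA ---"
    echo "without -CAfile: error $(verify_error "$WORK/leaf.pem")  (20 = no local issuer)"
    echo "with -CAfile:    error $(verify_error -CAfile "$WORK/ca.pem" "$WORK/leaf.pem")  (0 = OK)"
    cleanup
  fi
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh verify-demo.sh demo`. Against a live server the same parsers apply to `openssl s_client -connect host:port -showcerts </dev/null 2>&1`: a count of 1 with a non-self-signed issuer means the server is not sending its chain (the reply's "server should send" case), while a count greater than 1 with error 20 on the last entry means the root is simply missing from the -CAfile/-CApath truststore (case A1/A2b).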