>From: owner-openssl-us...@openssl.org On Behalf Of isshed
>Sent: Wednesday, 15 May, 2013 08:25

>I have a self-signed certificate installed on a server with 
>the following extensions fields.
>Key Usage:            Digital Signature, Key Encipherment (a0)
>Basic Constraints :   Subject Type=End Entity, Path Length Constraint=None
>Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1), 
>Client Authentication (1.3.6.1.5.5.7.3.2)

>Now, when my client tries to make a TLS connection with this server, 
>the client sends Client Hello and then the server responds with 
>Server Hello (which has the above self-signed certificate). 

Nit: the server sends a series of records; the record that contains 
the cert is not the ServerHello record. But the server does send 
the configured cert, which is the important point.

>I installed this self-signed certificate on my client. 
>My client is not able to verify the certificate and is terminating 
>the TLS connection with an Alert message (Unknown CA).
>My client is using openssl version "OpenSSL 1.0.1e".

As explained in "Self-signed certificates and keyUsage extension" 
recently (5/10-11), OpenSSL validation requires that an "issuing" 
cert have keyUsage including CertSign (or omitted = all usage) -- 
and that includes a self-issued aka self-signed cert. 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
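The point above, reproduced with the openssl CLI as an added example (not part of the thread): it builds two self-signed certificates, one with the poster's keyUsage (no keyCertSign) and one that adds keyCertSign, then checks each one as its own trust anchor. File names and the example.test CNs are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: compare a self-signed cert whose
# keyUsage matches the original post (no keyCertSign) with one that adds
# keyCertSign, and see which one OpenSSL accepts as its own trust anchor.
# Names and CNs are constructed for this demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned NAME "KEYUSAGE LIST": writes $WORK/NAME.pem and NAME.key
make_selfsigned() {
    cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = $1.example.test
[ext]
basicConstraints = CA:FALSE
keyUsage         = $2
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# has_certsign NAME: true if the cert's Key Usage lists "Certificate Sign"
has_certsign() {
    openssl x509 -in "$WORK/$1.pem" -noout -text |
        grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# verify_self NAME: true if the cert validates with itself as the only CA
verify_self() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$1.pem" 2>&1 | grep -q ': OK$'
}

make_selfsigned nocertsign "digitalSignature, keyEncipherment"
make_selfsigned certsign   "digitalSignature, keyEncipherment, keyCertSign"

for n in nocertsign certsign; do
    has_certsign "$n" && ku=yes || ku=no
    verify_self "$n"  && ok=OK  || ok=FAILED
    echo "$n: keyCertSign=$ku  verify against itself: $ok"
done
```

The certsign variant verifies on every release; whether the nocertsign variant is rejected by `openssl verify` depends on the OpenSSL release (1.0.1e rejects it, as the thread describes), so the script prints that outcome rather than treating it as fixed.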