> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
> Sent: Monday, 27 May, 2013 14:48

> I am writing a client-server application <snip> I plan to
> generate my self-signed certificate and to embed it in my client.
> 
To be clear, a self-signed cert for (used by) the server.
A self-signed cert for the client would be different, but 
client-auth is rarely used and I expect you would have said so.

> Now, my problem is that, when I configure openssl to check the peer
> certificate, with the SSL_set_verify command and the SSL_VERIFY_PEER
> option, I get the error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT when
> handshaking the connection on the client side.
> 
> My understanding of this error is that, by default, open-ssl is not
> accepting self-signed certificates.
> 
Are you setting up the client truststore, and how? By default 
openssl doesn't trust *any* peer cert, self-signed or not.
If you are setting up truststore, you aren't doing it right.

> So, my question is how can I configure open-ssl to accept self-signed
> certificates?
> 
Put a self-signed entity cert, like a CA root (also self-signed),
in the (client's) truststore using _default_verify_paths, 
_load_verify_locations, or "by hand", as applicable. 

One gotcha specific to self-signed EE certs at least in openssl:
if the KeyUsage extension is present it must include CertSign (in 
addition to digSign and maybe keyEnc needed in a CA-issued EE cert).
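The two points in the reply (the self-signed server cert goes into the client's truststore, and its KeyUsage must include CertSign) worked through as an added example that is not part of this thread. It uses Python's `ssl` module as a thin wrapper over the OpenSSL calls the reply names: `SSLContext.load_verify_locations()` corresponds to `SSL_CTX_load_verify_locations()`, `load_default_certs()` to `SSL_CTX_set_default_verify_paths()`, and `CERT_REQUIRED` to `SSL_VERIFY_PEER`. It assumes the `openssl` command-line tool (1.1.1 or newer, for `-addext`) is on PATH to mint a throw-away certificate; all names and the localhost server are constructed for the demonstration.

```python
"""Self-signed server certificate used as the client's entire truststore.

Added example, not code from the openssl-users thread. Assumes the `openssl`
CLI is installed (1.1.1+). Runs a one-shot TLS server on 127.0.0.1 with a
freshly minted self-signed cert and connects to it twice: once with the cert
loaded into the client truststore (handshake succeeds) and once without
(OpenSSL reports X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, verify code 18).
"""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18  # OpenSSL verify result code


def make_self_signed_cert(workdir):
    """Mint key.pem and cert.pem for CN=localhost (constructed test material)."""
    key = os.path.join(workdir, "key.pem")
    cert = os.path.join(workdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", cert, "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost",
         # A self-signed EE cert that doubles as its own trust anchor: when the
         # KeyUsage extension is present it must include keyCertSign, otherwise
         # OpenSSL refuses to treat the cert as the issuer of itself.
         "-addext", "keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign"],
        check=True, capture_output=True)
    return key, cert


def serve_once(listener, key, cert):
    """Accept one TLS connection presenting the self-signed cert, echo one byte."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.sendall(tls.recv(1))
    except (ssl.SSLError, OSError):
        pass  # the client rejected our cert and tore the connection down


def run_handshake(trust_cert):
    """Return ("ok", None) on success, ("verify_error", <OpenSSL code>) when the
    client rejects the server cert, or ("skipped", None) if no openssl CLI exists."""
    if shutil.which("openssl") is None:
        return ("skipped", None)
    with tempfile.TemporaryDirectory() as workdir:
        key, cert = make_self_signed_cert(workdir)
        listener = socket.socket()
        listener.settimeout(5)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        server = threading.Thread(target=serve_once, args=(listener, key, cert), daemon=True)
        server.start()

        # PROTOCOL_TLS_CLIENT defaults to verify_mode=CERT_REQUIRED (SSL_VERIFY_PEER)
        # and check_hostname=True; by default it trusts no peer cert at all.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if trust_cert:
            # The embedded server cert *is* the truststore; nothing else is trusted.
            ctx.load_verify_locations(cafile=cert)
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
                with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                    tls.sendall(b"x")
                    result = ("ok", None) if tls.recv(1) == b"x" else ("bad_echo", None)
        except ssl.SSLCertVerificationError as err:
            result = ("verify_error", err.verify_code)
        finally:
            server.join(5)
            listener.close()
        return result


if __name__ == "__main__":
    print("cert in truststore:    ", run_handshake(trust_cert=True))
    print("empty truststore:      ", run_handshake(trust_cert=False))
```

The second run reproduces the error from the question: with nothing in the client truststore the handshake fails with verify code 18, which is what `X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` means, not "OpenSSL rejects self-signed certs" as such. Loading the server's own certificate as a CA file makes the same cert verify cleanly; hostname checking stays on because the cert carries a matching subjectAltName.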


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org