Hello Dave,

Once again, thanks for your help.

I performed a test yesterday with the instruction

    SSL_CTX_use_certificate_file(ctx, path_to_file, SSL_FILETYPE_PEM);

replaced by

    SSL_CTX_load_verify_locations(ctx, path_to_file, NULL);

where path_to_file points to my file "server.crt". The function returns 1, so I expect my certificate to be properly initialised. But when I perform the connect, I get an error. The corresponding error message is:

    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

After the connect failed, the function SSL_get_peer_certificate(ssl) returns NULL and the function SSL_get_verify_result(ssl) returns 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), which is exactly the same problem as before.

My server is also printing an error message:

    error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Regards,
Brice

2013/5/28 Dave Thompson <dthomp...@prinpay.com>:
>> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
>> Sent: Monday, 27 May, 2013 23:45
>
>> You are right, I am using a self-signed certificate for use by my
>> server. In fact, I do not perform client authentication in my
>> application: only the server shall be authenticated by ssl. The client
>> is authenticated by another mechanism.
>>
>> Here is how I generate my RSA key and my certificate:
>>
>> openssl genrsa -des -out server.key 2048
>> openssl req -new -key server.key -out server.csr
>> openssl x509 -req -days 20000 -in server.csr -signkey
>> server.key -out server.crt
>>
> Asides: you could combine those:
> req -new -newkey rsa:2048 replaces genrsa
> req -new -x509 replaces x509 -signkey
> but the way you have it works.
> Also, 54+ years is a pretty long period!
>
>> The only file that I transmit to my client is server.crt.
>>
> Good.
>
>> I think that all those files are OK because, on the server side, once
>> everything is initialised, the command SSL_CTX_check_private_key is
>> happy with it.
>>
>> In order to initialise the truststore of my client, I copy the
>> server.crt file somewhere, and I execute the following command:
>>
>> SSL_CTX_use_certificate_file(ctx, path_to_file, SSL_FILETYPE_PEM);
>>
> Bad. That attempts to use the cert as the *client's* cert, which
> has no effect because you didn't give the client the privatekey,
> and rightly (the client shouldn't have the server's privatekey,
> and you say you don't want ssl-level client-auth anyway).
>
>> Do I have to generate another file? Or do I have to perform another
>> configuration in my client?
>>
> There are two "standard" ways to set up a truststore for openssl lib,
> in your case the client's truststore to trust the server.
>
> SSL_CTX_load_verify_locations (ctx, fileornull, pathornull)
> tells openssl to use the (selfsigned root and/or EE) certs
> concatenated in one PEM file named by fileornull if not null,
> and/or stored in individual PEM files using the subjecthash
> for link or name in directory pathornull if not null.
>
> SSL_CTX_set_default_verify_paths (ctx) does something similar but
> using environment-variable settings or compiled default values
> for the file and/or path, usually "systemwide" places (for all
> apps on the system) something like /etc/openssl/cert.pem and
> /etc/openssl/certdir .
>
> Most of the commandline utilities allow you to specify -CAfile
> and/or -CApath for the first way, or default to the second way.
> Since you have one cert in one PEM file, the fileornull (CAfile)
> approach is simplest.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
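An added example, not code from the thread, that reproduces the trust-store check Dave describes with the openssl command line. "openssl verify -CAfile server.crt" plays the role of SSL_CTX_load_verify_locations(ctx, file, NULL) in the client: the same X509 verify result codes come back (18 for X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT when the self-signed cert is not in the store). It also shows the check a practitioner reaches for when a cert that "should" be trusted still fails: comparing the fingerprint of the file the client loads with the one the server actually presents. It assumes the openssl binary is on PATH; the file names, the "stale" certificate and the working directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the client trust-store
# check with the openssl CLI: the -CAfile given to "openssl verify" plays the
# role of the file handed to SSL_CTX_load_verify_locations(ctx, file, NULL).
# Assumes the openssl binary is on PATH. All file names below are constructed.

WORK="${TMPDIR:-/tmp}/trust-demo.$$"

# Generate a key and self-signed certificate in one step (Dave's
# "req -new -x509" shortcut). -nodes leaves the demo key unencrypted.
make_selfsigned() {
    mkdir -p "$WORK"
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Verify a certificate against a trust store held in one PEM file
# (the CAfile / fileornull way). Exit status 0 means the chain verifies.
verify_with_cafile() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Verify against only the default store and print the numeric X509 verify
# error, e.g. 18 for X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; prints 0 on success.
verify_error_code() {
    if openssl verify "$1" >/dev/null 2>&1; then
        echo 0
    else
        openssl verify "$1" 2>&1 \
            | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' \
            | head -n 1
    fi
}

# SHA-256 fingerprint of a certificate. Comparing the fingerprint of the
# file the client trusts with the one the server loads is the quickest way
# to spot a stale or wrong copy of server.crt in the client's trust store.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Demo: one server certificate, plus a second unrelated self-signed cert
# standing in for a wrong copy in the client's trust store.
make_selfsigned server && make_selfsigned stale
echo "server.crt trusted by itself:  $(verify_with_cafile "$WORK/server.crt" "$WORK/server.crt" && echo OK || echo FAIL)"
echo "server.crt with default store: error $(verify_error_code "$WORK/server.crt")"
echo "server.crt trusted via stale:  $(verify_with_cafile "$WORK/stale.crt" "$WORK/server.crt" && echo OK || echo FAIL)"
echo "server fingerprint: $(fingerprint "$WORK/server.crt")"
echo "stale  fingerprint: $(fingerprint "$WORK/stale.crt")"
rm -rf "$WORK"
```

Run it as a plain sh script. The first line should print OK (the self-signed cert is its own trust anchor once it is in the CAfile), the second reports error 18, and the third fails because the trust store holds a different certificate; the two differing fingerprints make that mismatch visible without reading any TLS alert.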