Hello,
Just a little hint:
Your questions would be much clear if you state, at each step,
which end of the connection each thing applies to, like at what
end did you call SSL_CTX_load_verify_locations, at what end did
you get which error messages etc.
I suspect this may be the cause of some confusion here.
On 5/29/2013 9:14 AM, Brice André wrote:
Hello Dave,
Once again, thanks for your help.
I performed a test yesterday with the instruction
SSL_CTX_use_certificate_file(tx,path_to_file, SSL_FILETYPE_PEM);
replaced by
SSL_CTX_load_verify_locations(ctx, path_to_file, NULL);
Where path_to_file points to my file "server.crt". The function
returns 1 so, I expect my certificate to be properly initialised.
But, whn I perform the connect, I get an error. The corresponding
error message is :
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
After the connect failed, the function SSL_get_peer_certificate(ssl)
returns NULL and the function SSL_get_verify_result(ssl) returns 18
(X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), which is exactly the same
problem as before.
My server is also printing an error message:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Regards,
Brice
2013/5/28 Dave Thompson <dthomp...@prinpay.com>:
From: owner-openssl-us...@openssl.org On Behalf Of Brice André
Sent: Monday, 27 May, 2013 23:45
You are right, I am using a self-signed certificate for use by my
server. In fact, I do not perform client authentication in my
application : only the server shall be authentified by ssl. The client
is authentified by another mechanism.
Here are how I generate my RSA key and my certificate:
openssl genrsa -des -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 20000 -in server.csr -signkey
server.key -out server.crt
Asides: you could combine those:
req -new -newkey rsa:2048 replaces genrsa
req -new -x509 replaces x509 -signkey
but the way you have it works.
Also, 54+ years is a pretty long period!
The only file that I transmit to my client is server.crt.
Good.
I think that all those files are OK because, on the server side, once
everything is initialised, the command SSL_CTX_check_private_key is
happy with it.
In order to initialise the truststore of my client, I copy the
server.crt file somewhere, and I execute the following command :
SSL_CTX_use_certificate_file(ctx,path_to_file, SSL_FILETYPE_PEM);
Bad. That attempts to use the cert as the *client's* cert, which
has no effect because you didn't give the client the privatekey,
and rightly (the client shouldn't have the server's privatekey,
and you say you don't want ssl-level client-auth anyway).
Do I have to generate another file ? Or do I have to perform another
configuration in my client ?
There are two "standard" ways to set up a truststore for openssl lib,
in your case the client's truststore to trust the server.
SSL_CTX_load_verify_locations (ctx, fileornull, pathornull)
tells openssl to use the (selfsigned root and/or EE) certs
concatenated in one PEM file named by fileornull if not null,
and/or stored in individual PEM files using the subjecthash
for link or name in directory pathornull if not null.
SSL_CTX_set_default_verify_paths (ctx) does something similar but
using environment-variable settings or compiled default values
for the file and/or path, usually "systemwide" places (for all
apps on the system) something like /etc/openssl/cert.pem and
/etc/openssl/certdir .
Most of the commandline utilities allow you to specify -CAfile
and/or -CApath for the first way, or default to the second way.
Since you have one cert in one PEM file, the fileornull (CAfile)
approach is simplest.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
