Hello Jakob,

All commands described in my mail are executed from the client.

I only try to perform server authentication by certificate, and my problem is that the client is not able to perform this authentication. I think that my server code is ok (but I may be wrong). On the server side, the private key and certificate are initialised as follows:

SSL_CTX_use_PrivateKey_file(ctx, "server.key", SSL_FILETYPE_PEM)
SSL_CTX_use_certificate_file(ctx, "server.crt", SSL_FILETYPE_PEM)

All commands return proper exit code and I added the following call to check if everything is properly initialised :

SSL_CTX_check_private_key(ctx)

And it also returns proper exit code.

Regards,
Brice

2013/5/29 Jakob Bohm <jb-open...@wisemo.com>:
> Hello,
>
> Just a little hint:
>
> Your questions would be much clearer if you state, at each step,
> which end of the connection each thing applies to, like at what
> end did you call SSL_CTX_load_verify_locations, at what end did
> you get which error messages etc.
>
> I suspect this may be the cause of some confusion here.
>
>
> On 5/29/2013 9:14 AM, Brice André wrote:
>>
>> Hello Dave,
>>
>> Once again, thanks for your help.
>>
>> I performed a test yesterday with the instruction
>> SSL_CTX_use_certificate_file(ctx,path_to_file, SSL_FILETYPE_PEM);
>> replaced by
>> SSL_CTX_load_verify_locations(ctx, path_to_file, NULL);
>>
>> Where path_to_file points to my file "server.crt". The function
>> returns 1 so, I expect my certificate to be properly initialised.
>>
>> But, when I perform the connect, I get an error. The corresponding
>> error message is :
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed
>>
>> After the connect failed, the function SSL_get_peer_certificate(ssl)
>> returns NULL and the function SSL_get_verify_result(ssl) returns 18
>> (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), which is exactly the same
>> problem as before.
>>
>> My server is also printing an error message:
>> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>>
>> Regards,
>> Brice
>>
>> 2013/5/28 Dave Thompson <dthomp...@prinpay.com>:
>>>>
>>>> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
>>>> Sent: Monday, 27 May, 2013 23:45
>>>
>>>
>>>> You are right, I am using a self-signed certificate for use by my
>>>> server. In fact, I do not perform client authentication in my
>>>> application : only the server shall be authenticated by ssl. The client
>>>> is authenticated by another mechanism.
>>>>
>>>> Here is how I generate my RSA key and my certificate:
>>>>
>>>> openssl genrsa -des -out server.key 2048
>>>> openssl req -new -key server.key -out server.csr
>>>> openssl x509 -req -days 20000 -in server.csr -signkey server.key -out server.crt
>>>>
>>> Asides: you could combine those:
>>> req -new -newkey rsa:2048 replaces genrsa
>>> req -new -x509 replaces x509 -signkey
>>> but the way you have it works.
>>> Also, 54+ years is a pretty long period!
>>>
>>>> The only file that I transmit to my client is server.crt.
>>>>
>>> Good.
>>>
>>>> I think that all those files are OK because, on the server side, once
>>>> everything is initialised, the command SSL_CTX_check_private_key is
>>>> happy with it.
>>>>
>>>> In order to initialise the truststore of my client, I copy the
>>>> server.crt file somewhere, and I execute the following command :
>>>>
>>>> SSL_CTX_use_certificate_file(ctx,path_to_file, SSL_FILETYPE_PEM);
>>>>
>>> Bad. That attempts to use the cert as the *client's* cert, which
>>> has no effect because you didn't give the client the privatekey,
>>> and rightly (the client shouldn't have the server's privatekey,
>>> and you say you don't want ssl-level client-auth anyway).
>>>
>>>> Do I have to generate another file ? Or do I have to perform another
>>>> configuration in my client ?
>>>>
>>> There are two "standard" ways to set up a truststore for openssl lib,
>>> in your case the client's truststore to trust the server.
>>>
>>> SSL_CTX_load_verify_locations (ctx, fileornull, pathornull)
>>> tells openssl to use the (selfsigned root and/or EE) certs
>>> concatenated in one PEM file named by fileornull if not null,
>>> and/or stored in individual PEM files using the subjecthash
>>> for link or name in directory pathornull if not null.
>>>
>>> SSL_CTX_set_default_verify_paths (ctx) does something similar but
>>> using environment-variable settings or compiled default values
>>> for the file and/or path, usually "systemwide" places (for all
>>> apps on the system) something like /etc/openssl/cert.pem and
>>> /etc/openssl/certdir .
>>>
>>> Most of the commandline utilities allow you to specify -CAfile
>>> and/or -CApath for the first way, or default to the second way.
>>> Since you have one cert in one PEM file, the fileornull (CAfile)
>>> approach is simplest.
>
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
> Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
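
Added example, not part of the thread and not any poster's code: the two truststore layouts described above (one PEM file for -CAfile / fileornull, a subject-hash-named directory for -CApath / pathornull), checked with the openssl command line against a throwaway self-signed certificate. The CN, the temporary directory and the function names make_server_cert, make_capath and verify_code are constructed for this demo; it assumes the openssl binary and its default config are installed.

```shell
#!/bin/sh
# Added example. File names follow the thread; the CN, the temp dir and the
# function names are constructed for this demo.

# Throwaway self-signed server cert, using the combined form of `req`.
make_server_cert() {  # $1 = output directory
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=server.example" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# CApath layout: one PEM file per cert, named <subject-hash>.0
make_capath() {  # $1 = cert, $2 = directory to populate
    mkdir -p "$2"
    cp "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Print 0 if the cert verifies, else the X509_V_ERR_* number openssl reports.
verify_code() {  # $1 = cert; remaining args = trust options for `openssl verify`
    cert=$1; shift
    out=$(openssl verify "$@" "$cert" 2>&1) || true
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    esac
}

dir=$(mktemp -d)
make_server_cert "$dir"
make_capath "$dir/server.crt" "$dir/certdir"
# The default system store does not contain this cert, so the first check fails.
echo "no truststore entry: $(verify_code "$dir/server.crt")"
echo "-CAfile server.crt:  $(verify_code "$dir/server.crt" -CAfile "$dir/server.crt")"
echo "-CApath certdir:     $(verify_code "$dir/server.crt" -CApath "$dir/certdir")"
rm -rf "$dir"
```

The first check reports the same verify code 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) quoted in the thread; the other two report 0 once the certificate is in the verifier's truststore.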