> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
> Sent: Wednesday, 29 May, 2013 03:14
> I performed a test yesterday with the instruction
> SSL_CTX_use_certificate_file(ctx, path_to_file, SSL_FILETYPE_PEM);
> replaced by
> SSL_CTX_load_verify_locations(ctx, path_to_file, NULL);
>
> Where path_to_file points to my file "server.crt". The function
> returns 1 so, I expect my certificate to be properly initialised.

To be exact, the client's truststore containing your cert. One possible problem here: _load_verify_ accepts a sequence of (PEM) certs, including zero, skipping any invalid format(s). Make sure the client's file is/contains an exact copy of the server's certfile, at least the lines from dash-BEGIN to dash-END, including eol (either NL or CRLF okay) after each line (including the dash-END line) and body lines not longer than 76 characters. If you copied the content by cut-and-paste or sending in an email or something like that, these sometimes go wrong. If you transferred the file using FTP or SCP or similar, they shouldn't. (FTP mode A may convert but not add/delete/move eols, and that is okay.)

> But, when I perform the connect, I get an error. The corresponding
> error message is :
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
>
> After the connect failed, the function SSL_get_peer_certificate(ssl)
> returns NULL and the function SSL_get_verify_result(ssl) returns 18
> (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), which is exactly the same
> problem as before.

It should work and does for me, as long as the client CAfile is exactly the (selfsigned) cert the server is using; and you don't have KeyUsage excluding certSign, but that gives a different error. If it isn't damaged per above and you have commandline on the client try

    openssl s_client -connect host:port -CAfile same.server.crt.file

and see what it says for Verify return code at the end of SSL-session (note s_client unlike a real app will proceed even if verify error).
> My server is also printing an error message:
> error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

That's consistent; if the client decides the server cert is bad, the client aborts the handshake with an alert like that. (The exact alert may vary SSL vs TLS, but always some alert.)
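An added example, not from this thread and not OpenSSL code: a small Python pre-flight check for the copy damage the reply describes. It confirms that each block runs from the dash-BEGIN line to the dash-END line, that every line (the END line included) ends with NL or CRLF, that body lines stay within the 76-character limit quoted above, and that the body decodes as base64 to something starting with a DER SEQUENCE tag. It also counts how many blocks a loader such as SSL_CTX_load_verify_locations would actually see, since that call silently skips damaged blocks and happily loads zero. The sample file is constructed from made-up bytes and is not a real certificate; the checker catches paste and mail damage, it does not replace loading the file with OpenSSL (or the s_client Verify return code check).

```python
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
MAX_BODY_LINE = 76  # body-line limit quoted in the reply above


def check_pem_cafile(data: bytes):
    """Check a PEM CAfile for the copy damage described in the thread.

    Returns (usable_blocks, problems): how many BEGIN/END blocks decode
    cleanly, and a list of human-readable findings. Text outside a
    BEGIN/END block is ignored, as OpenSSL's PEM reader ignores it.
    """
    problems = []
    text = data.decode("ascii", errors="replace")
    if not text.endswith("\n"):
        problems.append("no end-of-line after the last line (the END line needs one)")
    # Either NL or CRLF is fine, so normalise before splitting.
    lines = text.replace("\r\n", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # artefact of the trailing newline

    usable = 0
    in_block = False
    body = []
    for n, line in enumerate(lines, 1):
        if line == BEGIN:
            if in_block:
                problems.append(f"line {n}: BEGIN while a block is still open")
            in_block, body = True, []
        elif line == END:
            if not in_block:
                problems.append(f"line {n}: END without a matching BEGIN")
                continue
            in_block = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as e:
                problems.append(f"block ending at line {n}: body is not valid base64 ({e})")
                continue
            # Cheap sanity check only: a DER certificate starts with SEQUENCE (0x30).
            if not der or der[0] != 0x30:
                problems.append(f"block ending at line {n}: decoded data is not a DER SEQUENCE")
                continue
            usable += 1
        elif in_block:
            if len(line) > MAX_BODY_LINE:
                problems.append(f"line {n}: body line is {len(line)} chars, over {MAX_BODY_LINE}")
            if line != line.strip():
                problems.append(f"line {n}: leading/trailing whitespace in body line")
            body.append(line.strip())
    if in_block:
        problems.append("file ends inside a BEGIN block (END line missing)")
    return usable, problems


def build_pem_file(der: bytes, corrupt: bool = False) -> bytes:
    """Wrap DER bytes in a PEM block; corrupt=True mimics a bad paste."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    if corrupt:
        body[1] += "*"  # stray non-base64 character left by a bad copy
    text = "\n".join([BEGIN, *body, END])
    # The corrupt variant also drops the end-of-line after the END line.
    return (text + ("" if corrupt else "\n")).encode("ascii")


# Constructed stand-in for a certificate: a SEQUENCE tag followed by filler.
# It is NOT a real X.509 certificate; it only exercises the checker.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
GOOD_CAFILE = build_pem_file(FAKE_DER)
BAD_CAFILE = build_pem_file(FAKE_DER, corrupt=True)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_CAFILE), ("bad", BAD_CAFILE)):
        count, found = check_pem_cafile(blob)
        print(f"{name}: {count} usable block(s)")
        for p in found:
            print("  -", p)
```

Run it against the client's CAfile by reading the file as bytes; a usable count of zero with no findings means the file simply contains no BEGIN/END block, which is exactly the silent case _load_verify_ returns 1 for.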