verify status 18 (not strictly an openssl error) means that you (usually as a client) received a cert chain (usually from the server) with a root cert that is not in your truststore. Yes, this is a slightly confusing error description for this case.

 

If the root cert used should be trusted, fix to use a truststore that contains it.

This has the following subcases:

- If you are currently not using any truststore, fix to use a good one.

- If you are currently using the wrong truststore, fix to use the right one.

- If you are currently using the right truststore but it doesn’t contain this root cert, add this root cert to the truststore.

If the root cert being used should NOT be trusted, fix the server to use a chain from a CA that should be trusted. If openssl does not recognize THAT root, return to the cases above.

 

To decide whether the root cert should be trusted, you may need to look at it. This can be accomplished using openssl s_client -showcerts with a little work, but if you are able to connect HTTPS to this server from a browser like IE or FF,

(1) that means the *browser* truststore *does* contain this root; if the browser store has not been modified this means MS or Mozilla respectively thinks this root is trustworthy, which is a pretty good reason to think you should;

(2) from the browser you can extract a copy of the cert to use with openssl.

 

 

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of sandhya reddy
Sent: Monday, October 06, 2014 04:19
To: openssl-users@openssl.org
Subject: Openssl err 18

 

I'm getting an openssl error Err:18 self signed certificate because of which not able to succeed with TLS handshake completion.

Any idea on what is to be done to get it fixed?
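
The truststore cases from the reply above can be reproduced offline. This is an added example, not part of either message: the certificates, the CN values and the helper names (`make_selfsigned`, `verify_with`, `look_at`) are constructed for the demonstration, and `openssl verify -CAfile` stands in for the client's truststore setting.

```shell
#!/usr/bin/env bash
# Added example: reproduce verify error 18 offline, then clear it by fixing
# the truststore. Every certificate and name below is constructed.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned NAME CN: write a throwaway self-signed cert to $WORK/NAME.pem
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# verify_with TRUSTSTORE CERT: print "OK" or the numeric verify error code.
# Parses the output text, so the wording change between releases
# ("self signed" vs "self-signed") does not matter.
verify_with() {
  local out
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true  # failure is expected
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" |
         sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# look_at CERT: the fields to check before deciding to trust a root.
look_at() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

make_selfsigned server constructed-server.example    # cert the server presents
make_selfsigned other  constructed-other-ca.example  # unrelated root

# Wrong truststore: it holds a root, but not the one the server uses.
echo "wrong truststore: $(verify_with "$WORK/other.pem" "$WORK/server.pem")"

# Inspect the cert, compare the fingerprint out of band, then add it.
look_at "$WORK/server.pem"
cat "$WORK/other.pem" "$WORK/server.pem" > "$WORK/truststore.pem"
echo "fixed truststore: $(verify_with "$WORK/truststore.pem" "$WORK/server.pem")"
```

Against a live server the same `verify_with` check applies to a certificate saved from `openssl s_client -showcerts` output or exported from a browser.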