I think this issue has been discussed many times here, but not in a way that is totally satisfying
for my case.
I'm an OpenSSL beginner and maybe there is a little help out there.
I'm implementing an SSL client in Delphi with client authentication. My
problem is verifying the SSL server.
I've read the manual page at
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html and I think I
basically understand the way the verification works.
At this time I'm ignoring all errors in the VerifyCallback and only check
the string of the company name in the peer certificate.
This is not satisfying for me. At depth 0 OpenSSL passes a value of 1
for the preverify_ok parameter, though the function
SSL_X509_STORE_CTX_GETERROR returns CERT_UNTRUSTED. The manual page says:
preverify_ok indicates, whether the verification of the certificate in
question was passed (preverify_ok=1) or not (preverify_ok=0).
Does passed mean passed and was ok? If not, why am I receiving preverify_ok =
0 at depth 1?
I think the peer cert can't be a trusted cert because OpenSSL can't trust
the issuer certificate, because OpenSSL can't find the
issuer cert locally. Is there a way to export the VeriSign Class 3 cert from
my Explorer and store it in my client so that the
issuer of the peer cert is trusted and also the peer cert?
Or is there an understanding problem on my side?
I'm using OpenSSL 0.9.5a.
Here's a log of an SSL connection with my client:
SSL -> Connecting to xxx.xxx.xxx.xxx
SSL -> getting password
SSL -> SSL status: "before/connect initialization"
SSL -> SSL status: "before/connect initialization"
SSL -> SSL status: "SSLv3 write client hello A"
SSL -> SSL status: "SSLv3 read server hello A"
SSL -> - verifying peer cert start --
Depth: 1 Error: UNABLE_TO_GET_ISSUER_CERT_LOCALLY preverify_ok : 0
SSL -> not before: 17.04.1997 01:00:00
SSL -> not after: 08.01.2004 00:59:59
SSL -> verifying peer cert: issuer: /C=US/O=VeriSign, Inc./OU=Class 3
Public Primary Certification Authority
SSL -> verifying peer cert: subject: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
SSL -> - verifying peer cert end
SSL -> - verifying peer cert start --
Depth: 1 Error: INVALID_CA preverify_ok : 0
SSL -> verifying peer cert: not before: 17.04.1997 01:00:00
SSL -> verifying peer cert: not after: 08.01.2004 00:59:59
SSL -> verifying peer cert: issuer: /C=US/O=VeriSign, Inc./OU=Class 3
Public Primary Certification Authority
SSL -> verifying peer cert: subject: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
SSL -> - verifying peer cert end
SSL -> - verifying peer cert start --
Depth: 1 Error: CERT_UNTRUSTED preverify_ok : 0
SSL -> verifying peer cert: not before: 17.04.1997 01:00:00
SSL -> verifying peer cert: not after: 08.01.2004 00:59:59
SSL -> verifying peer cert: issuer: /C=US/O=VeriSign, Inc./OU=Class 3
Public Primary Certification Authority
SSL -> verifying peer cert: subject: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
SSL -> - verifying peer cert end
SSL -> - verifying peer cert start --
Depth: 0 Error: CERT_UNTRUSTED preverify_ok : 1
SSL -> verifying peer cert: not before: 21.01.2000 01:00:00
SSL -> verifying peer cert: not after: 21.01.2001 00:59:59
SSL -> verifying peer cert: issuer: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
SSL -> verifying peer cert: subject:
/C=DE/ST=aGermanState/L=aGermanTown/O=aGermanCompany/OU=IT/OU=Terms of use
at www.verisign.com/RPA (c)99/CN=brokerage-mi1.consors.de
SSL -> - verifying peer cert end
SSL -> SSL status: "SSLv3 read server certificate A"
SSL -> SSL status: "SSLv3 read server certificate request A"
SSL -> SSL status: "SSLv3 read server done A"
SSL -> SSL status: "SSLv3 write client certificate A"
SSL -> SSL status: "SSLv3 write client key exchange A"
SSL -> SSL status: "SSLv3 write certificate verify A"
SSL -> SSL status: "SSLv3 write change cipher spec A"
SSL -> SSL status: "SSLv3 write finished A"
SSL -> SSL status: "SSLv3 flush data"
SSL -> SSL status: "SSLv3 read finished A"
SSL -> SSL status: "SSL negotiation finished successfully"
SSL -> SSL status: "SSL negotiation finished successfully"
SSL -> Connected.
Any help is very appreciated.
Thomas
__
OpenSSL Project http://www.openssl.org
User Support Mailing List