Re: verify_callback - server verification

2000-11-01 Thread Thomas Geller

First of all thank you Lutz for your help.

> The result at depth 0 says, that the certificate at level 0 is
> consistently signed from its CA. The CA itself (at level 1) however failed
> verification for several reasons.
> The preverify_ok state only indicates whether the certificate at the
> actual depth passed or not. It does not say anything about other levels.
> As you have already seen, the overall result of the verification is
> CERT_UNTRUSTED, as at least one error occurred.

I see, the preverify_ok value at depth 0 is 1. That means the peer cert
passed. But the CA cert at level 1 didn't pass, because the preverify_ok
value at this depth is 0.
But what are the several reasons for the error at depth 0?

Confusing for me is the fact that X509_STOR_CTX_GET_CURRENT_CERT at depth 1
is returning a cert, though the preverify_ok value at this depth is 0
(didn't pass).

How can I achieve the goal of proving without doubt that the server I'm
connected to is the one I expected?

Maybe you can give me one more hint.

Regards,

Thomas

Thomas Geller   [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



verify_callback - server verification

2000-10-31 Thread Thomas Geller


I think this issue has been discussed many times here, but not in a way that
fully covers my case.
I'm an OpenSSL beginner and maybe there is a little help out there.
I'm implementing an SSL client in Delphi with client authentication. My
problem is verifying the SSL server.
I've read the manual page at
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html and I think I
basically understand the way the verification works.
At this time I'm ignoring all errors in the VerifyCallback and only check
the string of the company name in the peer certificate.
This is not satisfying for me. At depth 0 OpenSSL passes a value of 1
for the preverify_ok parameter, though the function
SSL_X509_STORE_CTX_GETERROR returns CERT_UNTRUSTED. The manual page says:

preverify_ok indicates, whether the verification of the certificate in
question was passed (preverify_ok=1) or not (preverify_ok=0).

Does passed mean passed and was ok? If not, why am I receiving preverify_ok =
0 at depth 1?

I think the peer cert can't be a trusted cert because OpenSSL can't trust
the issuer certificate, because OpenSSL can't find the
issuer cert locally. Is there a way to export the VeriSign Class 3 cert from
my Explorer and store it in my client, so that the
issuer of the peer cert is trusted and also the peer cert?

Or is there an understanding problem on my side?


I'm using OpenSSL 0.9.5a
Here's a log of the SSL connection with my client:

SSL  -> Connecting to xxx.xxx.xxx.xxx
SSL  -> getting password
SSL  -> SSL status: "before/connect initialization"
SSL  -> SSL status: "before/connect initialization"
SSL  -> SSL status: "SSLv3 write client hello A"
SSL  -> SSL status: "SSLv3 read server hello A"
SSL  -> - verifying peer cert start --
Depth: 1 Error: UNABLE_TO_GET_ISSUER_CERT_LOCALLY preverify_ok : 0
SSL  -> not before: 17.04.1997 01:00:00
SSL  -> not after: 08.01.2004 00:59:59
SSL  -> verifying peer cert: issuer: /C=US/O=VeriSign, Inc./OU=Class 3
Public Primary Certification Authority
SSL  -> verifying peer cert: subject: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
SSL  -> - verifying peer cert end 
SSL  -> - verifying peer cert start --
Depth: 1 Error: INVALID_CA preverify_ok : 0
SSL  -> verifying peer cert: not before: 17.04.1997 01:00:00
SSL  -> verifying peer cert: not after: 08.01.2004 00:59:59
SSL  -> verifying peer cert: issuer: /C=US/O=VeriSign, Inc./OU=Class 3
Public Primary Certification Authority
SSL  -> verifying peer cert: subject: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
SSL  -> - verifying peer cert end 
SSL  -> - verifying peer cert start --
Depth: 1 Error: CERT_UNTRUSTED preverify_ok : 0
SSL  -> verifying peer cert: not before: 17.04.1997 01:00:00
SSL  -> verifying peer cert: not after: 08.01.2004 00:59:59
SSL  -> verifying peer cert: issuer: /C=US/O=VeriSign, Inc./OU=Class 3
Public Primary Certification Authority
SSL  -> verifying peer cert: subject: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
SSL  -> - verifying peer cert end 
SSL  -> - verifying peer cert start --
Depth: 0 Error: CERT_UNTRUSTED preverify_ok : 1
SSL  -> verifying peer cert: not before: 21.01.2000 01:00:00
SSL  -> verifying peer cert: not after: 21.01.2001 00:59:59
SSL  -> verifying peer cert: issuer: /O=VeriSign Trust Network/OU=VeriSign,
Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS
Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
SSL  -> verifying peer cert: subject:
/C=DE/ST=aGermanState/L=aGermanTown/O=aGermanCompany/OU=IT/OU=Terms of use
at  www.verisign.com/RPA (c)99/CN=brokerage-mi1.consors.de
SSL  -> - verifying peer cert end 
SSL  -> SSL status: "SSLv3 read server certificate A"
SSL  -> SSL status: "SSLv3 read server certificate request A"
SSL  -> SSL status: "SSLv3 read server done A"
SSL  -> SSL status: "SSLv3 write client certificate A"
SSL  -> SSL status: "SSLv3 write client key exchange A"
SSL  -> SSL status: "SSLv3 write certificate verify A"
SSL  -> SSL status: "SSLv3 write change cipher spec A"
SSL  -> SSL status: "SSLv3 write finished A"
SSL  -> SSL status: "SSLv3 flush data"
SSL  -> SSL status: "SSLv3 read finished A"
SSL  -> SSL status: "SSL negotiation finished successfully"
SSL  -> SSL status: "SSL negotiation finished successfully"
SSL  -> Connected.

Any help is very appreciated.

Thomas

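The two posts above turn on three points: preverify_ok is a per-depth verdict, the callback's return value (not preverify_ok) decides whether the handshake continues, and a server is only proven once every depth passed against a locally installed root and the certificate names the expected host. The following is an added example, not code from the thread or from OpenSSL: it is a small Python model of that contract, built from the subject/issuer lines of the log (the long OU components are shortened, and the trust store is modelled as a set of trusted subject names, so no signatures or dates are checked). `strict_callback`, `permissive_callback`, `verify_chain`, `check_server` and `server_is_proven` are names chosen for this example.

```python
"""Model of the verify_callback contract discussed in this thread.

Constructed example, not OpenSSL code: it performs no cryptography and
models only the three facts the thread turns on:
  1. preverify_ok is a per-depth verdict; depth 0 passing says nothing
     about depth 1.
  2. The callback's return value, not preverify_ok, decides whether the
     handshake goes on. A callback that always returns 1 ("ignoring all
     errors") lets the handshake complete with an untrusted chain.
  3. A server is proven only when every depth passed, the top of the
     chain is issued by a certificate in the local store, and the peer
     certificate names the host that was expected.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Error names as the log prints them (the X509_V_ERR_ prefix dropped).
OK = "OK"
UNABLE_TO_GET_ISSUER_CERT_LOCALLY = "UNABLE_TO_GET_ISSUER_CERT_LOCALLY"
UNABLE_TO_GET_ISSUER_CERT = "UNABLE_TO_GET_ISSUER_CERT"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Constructed from the subject/issuer lines of the log; depth 0 is the peer.
# The long OU components of the VeriSign names are shortened here.
ROOT_SUBJECT = "/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority"
CHAIN: List[Cert] = [
    Cert(subject="/C=DE/O=aGermanCompany/OU=IT/CN=brokerage-mi1.consors.de",
         issuer="/O=VeriSign Trust Network/OU=VeriSign International Server CA - Class 3"),
    Cert(subject="/O=VeriSign Trust Network/OU=VeriSign International Server CA - Class 3",
         issuer=ROOT_SUBJECT),
]

# callback(preverify_ok, depth, error) -> int, the shape SSL_CTX_set_verify expects
# (the real one receives an X509_STORE_CTX* and reads depth and error from it).
VerifyCallback = Callable[[int, int, str], int]


def strict_callback(preverify_ok: int, depth: int, error: str) -> int:
    """Propagate the per-depth verdict: an error at any depth aborts the handshake."""
    return preverify_ok


def permissive_callback(preverify_ok: int, depth: int, error: str) -> int:
    """The 'ignore all errors' callback from the question: never aborts."""
    return 1


def verify_chain(chain: List[Cert], trusted_subjects: Set[str],
                 callback: VerifyCallback) -> Tuple[bool, List[Tuple[int, str]]]:
    """Walk the chain top-down as X509_verify_cert does, calling the callback once
    per depth. Returns (handshake_continues, [(depth, error), ...])."""
    errors: List[Tuple[int, str]] = []
    top = len(chain) - 1
    for depth in range(top, -1, -1):
        cert = chain[depth]
        if depth == top:
            # The top-most certificate must be issued by something in the local store.
            error = OK if cert.issuer in trusted_subjects else UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        else:
            # Lower certificates must be issued by the certificate one depth up.
            error = OK if cert.issuer == chain[depth + 1].subject else UNABLE_TO_GET_ISSUER_CERT
        preverify_ok = 1 if error == OK else 0
        if error != OK:
            errors.append((depth, error))
        # The callback's return value, not preverify_ok, is what stops the handshake.
        if not callback(preverify_ok, depth, error):
            return False, errors
    return True, errors


def subject_cn(subject: str) -> Optional[str]:
    """Extract the CN component of a one-line subject such as '/C=DE/.../CN=host'."""
    for part in subject.split("/"):
        if part.startswith("CN="):
            return part[len("CN="):]
    return None


def check_server(chain: List[Cert], trusted_subjects: Set[str], expected_host: str,
                 callback: VerifyCallback) -> Tuple[bool, str, bool]:
    """Returns (handshake_completed, verify_result, hostname_ok). verify_result is
    the first error recorded, this model's stand-in for SSL_get_verify_result."""
    completed, errors = verify_chain(chain, trusted_subjects, callback)
    verify_result = errors[0][1] if errors else OK
    hostname_ok = completed and subject_cn(chain[0].subject) == expected_host
    return completed, verify_result, hostname_ok


def server_is_proven(result: Tuple[bool, str, bool]) -> bool:
    """The only combination that proves the peer: handshake done, no error at any
    depth, and the certificate names the expected host."""
    completed, verify_result, hostname_ok = result
    return completed and verify_result == OK and hostname_ok


if __name__ == "__main__":
    host = "brokerage-mi1.consors.de"
    print("no root, strict:    ", check_server(CHAIN, set(), host, strict_callback))
    print("no root, permissive:", check_server(CHAIN, set(), host, permissive_callback))
    print("root, strict:       ", check_server(CHAIN, {ROOT_SUBJECT}, host, strict_callback))
    print("root, wrong host:   ", check_server(CHAIN, {ROOT_SUBJECT}, "other.example", strict_callback))
```

With an empty store the permissive callback reaches "Connected." just as the log does, and the model still reports an error, which is why "ignoring all errors" and checking a company string in the subject is not a proof of identity. In real OpenSSL the equivalent steps are: export the Class 3 root as PEM and load it with SSL_CTX_load_verify_locations, have the callback return preverify_ok (or log and return it unchanged), and after SSL_connect require SSL_get_verify_result() == X509_V_OK before comparing the host name (OpenSSL 1.0.2 and later provide X509_check_host, which also handles subjectAltName and wildcard rules that the CN-only comparison above does not).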