Re: self signed cert - error : unknown CA

2006-02-03 Thread Samy Thiyagarajan

Good to see that the message had triggered
a nice discussion. Now things are clear.

Thanks for all.
Samy

self signed cert - error : unknown CA

2006-02-02 Thread Samy Thiyagarajan

Thanks Konark.

When I initialize my ctx I call the following functions:
# SSL_CTX_set_verify() with option SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
# SSL_CTX_set_client_CA_list(ctx, cafile)

Things are fine when the client requests a connection with a certificate
signed by one of the listed CAs (in the cafile).

For some reasons I also wish to accept self-signed certs (the user needs
to decide whether to accept or not). So when a client comes up with a
self-signed cert, the server reports an 'unknown ca' error. I understand
that this is because it is not signed by a trusted CA. All I want to know
is what needs to be done on the server side to accept the self-signed cert.

I really appreciate any kind of assistance.

Thanks
Samy

Konark wrote on 02.02.2006 (subject: RE: accepting self signed certs):
Hi Samy,

1. If the server is ready to accept any unanimous certificate (a certificate
that need not be verified by any of the server's trusted CAs), like the
self-signed client certificate in your case, there is no point in asking for
client authentication. If the server requests client authentication, the
client should send a certificate which must be issued by one of the server's
trusted CAs.

2. Generally servers won't ask for client authentication for a general
connection; whenever the client requests some critical resources, the server
can ask for client authentication through renegotiation. In this case client
authentication is a must; it can't accept a self-signed OR unanimous
certificate.

Regards,
Konark
09342513592

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Samy Thiyagarajan
Sent: Thursday, February 02, 2006 6:02 PM
To: openssl-users@openssl.org
Subject: accepting self signed certs


Hi,
My test server has a list of trusted CAs. Now I also want to accept
connections requested by clients with self-signed certificates. Is there
any simple way to accept the self-signed certs?

Thanks in advance.
Samy



Re: self signed cert - error : unknown CA

2006-02-02 Thread Alain Damiral
For which reasons do you want to accept self-signed certificates? I do not
understand why deactivating client authentication, as Konark suggested,
wouldn't be good enough.




--
Alain Damiral

__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]


Re: self signed cert - error : unknown CA

2006-02-02 Thread Kyle Hamilton
Self-signed certificates are good for one thing, at least: They ensure
that subsequent transactions are with the same entity (the same
keypair is used), even if no other piece of data in the certificate is
trustworthy.

There is a callback that you can set for the trust verification
function, as the third parameter to SSL_[CTX_]set_verify().  See the
man page for it for details.

-Kyle H



Re: self signed cert - error : unknown CA

2006-02-02 Thread Alain Damiral

Kyle Hamilton wrote:


Self-signed certificates are good for one thing, at least: They ensure
that subsequent transactions are with the same entity (the same
keypair is used), even if no other piece of data in the certificate is
trustworthy.

Doesn't Diffie-Hellman key exchange ensure that this is true even with
no certificate authentication at all? (Maybe not with a null cipher?)


--
Alain Damiral



Re: self signed cert - error : unknown CA

2006-02-02 Thread Peter Sylvester


One needs to call a verify callback and set an appropriate return code.
The server might well accept things and give a temporary and limited
access; the self-signed cert can be stored, an admin validates it, etc.
It can also be that the server is actually a person that accepts or not.


--
To verify the signature, see http://edelpki.edelweb.fr/
That lets you load the authority's certificate; the list of revoked
certificates can also be found there.





Re: self signed cert - error : unknown CA

2006-02-02 Thread Kyle Hamilton
Diffie-Hellman key exchange is a means of creating a session key in a
manner that's not easily reversible by an eavesdropper, not a means of
authentication.  The public/private keypair is the only means of
authenticating an anonymous third party as being that specific
anonymous third party, and not some interloper.  (See the Freenet
project for an example of this.)

You could, theoretically, use it as a means of authentication IF and
ONLY IF the public key stayed the same.  Generally, though, it's a
random large number.  (This is why DH requires a certificate, where
EDH doesn't -- EDH is random, where DH uses a public key that requires
[in the context of SSL] an X.509 certification.)

On 2/2/06, Alain Damiral [EMAIL PROTECTED] wrote:
 Kyle Hamilton wrote:

 Self-signed certificates are good for one thing, at least: They ensure
 that subsequent transactions are with the same entity (the same
 keypair is used), even if no other piece of data in the certificate is
 trustworthy.
 
 Doesn't Diffie-Hellman key exchange ensure that this is true even with
 no certificate authentication at all ? (Maybe not with a null cipher ?)

 --
 Alain Damiral



Re: self signed cert - error : unknown CA

2006-02-02 Thread Alain Damiral

OK I understand.

By subsequent transactions I originally thought you meant during the 
same session.


I apologize for diverting from the problem of the original poster.

Maybe I can redeem myself by pointing to the example callback function:
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

and suggest trying to use
http://www.openssl.org/docs/ssl/SSL_get_verify_result.html

then test for return value 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 
to deal with self signed certificates. Hope this is useful :)




--
Alain Damiral



Re: self signed cert - error : unknown CA

2006-02-02 Thread Kyle Hamilton
On 2/2/06, Alain Damiral [EMAIL PROTECTED] wrote:
 OK I understand.

 By subsequent transactions I originally thought you meant during the
 same session.

 I apologize for diverting from the problem of the original poster.

 Maybe I can redeem myself by pointing to the example callback function:
 http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

 and suggest trying to use
 http://www.openssl.org/docs/ssl/SSL_get_verify_result.html

 then test for return value 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
 to deal with self signed certificates. Hope this is useful :)

#include <assert.h>
#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* Called by OpenSSL once per certificate in the chain (and again for each
   verification error it finds); preverify is OpenSSL's own verdict for
   that step. */
static int my_verify_routine(int preverify, X509_STORE_CTX *certcontext)
{
  assert(preverify == 1 || preverify == 0);  // sanity check to point out bugs in openssl
  if (preverify == 1) {
    // If the certificate passes the verify checks, allow it
    return 1;
  }
  switch (X509_STORE_CTX_get_error(certcontext)) {
    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
      // The peer sent a self-signed certificate with no chain: let it through
      return 1;
    default:
      // Every other verification error stays fatal
      return 0;
  }
  /*NOTREACHED*/
  return 0;
}

  [...]
  // SSL_VERIFY_FAIL_IF_NO_PEER_CERT: abort the handshake if no client cert arrives
  SSL_CTX_set_verify(sslcontext, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                     my_verify_routine);
  [...]

if I understand how this is properly overridden with no additional
data stored in the SSL structure?  (There's precious little
documentation on the X509_STORE_CTX functions -- this is partly
obtained from the sample code in SSL_CTX_set_verify(3) manpage.)

-Kyle H


error : unknown ca :(

2006-01-11 Thread Samy Thiyagarajan

Hi all,

I got stuck with the following error.
client:
error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48

The 'verify' command returns OK (for both options -CApath, -CAfile).

** When I tested s_client (with the same certificates and CA path) against
s_server (with the -Verify option), it successfully communicates!

But still my client reports the above-mentioned error when I test with my
server program. If I have some bug in my server program, is the error
message misleading?

Some assistance HIGHLY appreciated.



Re: error : unknown ca :(

2006-01-11 Thread Dr. Stephen Henson
On Wed, Jan 11, 2006, Samy Thiyagarajan wrote:

That message means the server cannot verify the client certificate being sent
to it. You need to trust the client certificate root CA and make sure any
intermediate certificates are included by the client.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk