Re: openssl for self signed certificates
Hi,

If there are no v3 extensions in the certificate, verify goes fine. If I add keyUsage, I get the below error:

X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE

But as per standard which I have follow for certificate generation, I have to create the certificate with these extensions. Is there any way to disable that check using some ctx flag, or do I need to comment check in the code?

Rgds
Indra
Re: openssl for self signed certificates
On 31-07-2013 08:22, Indtiny s wrote:

> Hi,
>
> Since openssl.1.0.1c doesn't support "ECDHE-ECDSA-AES128-CCM" cipher suite, I added this support in the openssl code. It works fine with ECC certificates which are not self-signed. When I process my ECC self-signed certificate, my webserver is throwing "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" error during certificate verification.
>
> Attached is the ECC self signed certificate with "ECDHE-ECDSA-AES128-CCM" cipher suite. Pls throw some light to understand this problem.

Well, you have marked the certificate policy extension as critical, which means that validation must fail if the software doing the verification does not know that Smart Energy 2.2 policy and how to verify the certificate and its usage against its criteria.

In contrast, not marking an extension as critical means that software is allowed to ignore it.

So marking the well known "key usage" as critical ensures that any software too old to obey the restriction cannot use the certificate, which is good. Marking your CPS as critical limits use of the certificate to software specially modified to recognize it.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
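The criticality rule described in the reply above, as an added example that is not part of the thread and not OpenSSL's code: a small DER walker that lists each extension's OID with its critical flag and reports critical extensions outside a verifier's recognized set. The sample Extensions structure is constructed to mirror the posted certificate's two extensions (plus one non-critical extension), and the recognized sets passed in are assumptions of the example, not OpenSSL's own list.

```python
# Added example. SAMPLE is constructed, not extracted from the posted certificate.
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length DER element."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def oid_to_str(body):
    """Decode OBJECT IDENTIFIER contents into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_extensions(der):
    """Return [(extension OID, critical)] for a DER-encoded Extensions SEQUENCE."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid, after_oid = read_tlv(ext, 0)
        tag, value, _ = read_tlv(ext, after_oid)
        # critical is BOOLEAN DEFAULT FALSE, so DER omits it when false
        found.append((oid_to_str(oid), tag == 0x01 and value == b"\xff"))
    return found

def unhandled_critical(der, recognized):
    """Critical extensions the verifier does not recognize; any hit means reject."""
    return [oid for oid, crit in parse_extensions(der) if crit and oid not in recognized]

def tlv(tag, content):  # encoder for the constructed sample (short lengths only)
    return bytes([tag, len(content)]) + content

# Policy OID 1.3.6.1.4.1.40732.2.2, as shown in the posted certificate dump
POLICY = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2b0601040182be1c0202"))))
SAMPLE = tlv(0x30,
    tlv(0x30, tlv(0x06, b"\x55\x1d\x0f") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x03, b"\x03\x88")))  # keyUsage, critical
    + tlv(0x30, tlv(0x06, b"\x55\x1d\x20") + tlv(0x01, b"\xff") + tlv(0x04, POLICY))  # certificatePolicies, critical
    + tlv(0x30, tlv(0x06, b"\x55\x1d\x0e") + tlv(0x04, tlv(0x04, b"\x01\x02"))))  # subjectKeyIdentifier, non-critical

print(parse_extensions(SAMPLE))
print(unhandled_critical(SAMPLE, {"2.5.29.15"}))  # verifier that only knows keyUsage
```
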
openssl for self signed certificates
Hi,

Since openssl.1.0.1c doesn't support "ECDHE-ECDSA-AES128-CCM" cipher suite, I added this support in the openssl code. It works fine with ECC certificates which are not self-signed. When I process my ECC self-signed certificate, my webserver is throwing "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE" error during certificate verification.

Attached is the ECC self signed certificate with "ECDHE-ECDSA-AES128-CCM" cipher suite. Pls throw some light to understand this problem.

Rgds
Indra

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3423928322 (0xcc150002)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O=XXX Self-Signed Client, CN=SS-Client CC150002
        Validity
            Not Before: Mar 3 19:32:05 2013 GMT
            Not After : Mar 3 19:32:05 2016 GMT
        Subject: O=XXX Self-Signed Client, CN=SS-Client CC150002
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:66:13:1c:ac:34:d0:74:dc:cd:59:96:25:62:09:
                    02:a9:65:09:af:6a:0a:74:5b:40:65:38:cc:cf:34:
                    b0:47:93:9f:80:3d:93:66:66:a9:dd:f1:7f:db:d7:
                    5b:2a:c5:fe:4b:97:d9:d4:51:50:e1:86:d2:2a:1e:
                    36:2d:59:31:fd
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Certificate Policies: critical
                Policy: 1.3.6.1.4.1.40732.2.2
    Signature Algorithm: ecdsa-with-SHA256
        30:46:02:21:00:df:b0:69:a9:d7:70:ae:d6:a3:a1:09:98:a6:
        c4:74:57:62:4b:0c:89:37:3a:b6:18:0d:cf:99:1d:79:09:cc:
        db:02:21:00:d3:7f:e6:1c:d2:2c:55:47:7c:41:fb:05:bc:28:
        12:b1:0c:3e:f4:ff:2a:cf:a5:ad:a5:4c:33:56:2c:d4:8d:26