Re: [openssl.org #168] Ticket Resolved
Lutz,

I read all the material you suggested and get the following error when I run verify with the -issuer_checks:

error 29 at 0 depth lookup:subject issuer mismatch

without the -issuer_checks, there is no error.

I am still puzzled, since I see error:19 (that was originally reported) as being an error when running openssl s_client from the commandline. Am I overlooking something here?

Jim

- Original Message -
From: Lutz Jaenicke via RT [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 29, 2002 6:24 AM
Subject: [openssl.org #168] Ticket Resolved

According to our records, your request has been resolved. If you have any further questions or concerns, please respond to this message.

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #168] Ticket Resolved
On Mon, Jul 29, 2002 at 05:00:21PM +0200, Jim Beasley via RT wrote:
> I read all the material you suggested and get the following error when I run verify with the -issuer_checks:
> error 29 at 0 depth lookup:subject issuer mismatch
> without the -issuer_checks, there is no error.

So you specify -CApath ... or -CAfile ... to specify the list of trusted CAs (or specify the self signed certificate itself).

> I am still puzzled, since I see error:19 (that was originally reported) as being an error when running openssl s_client from the commandline. Am I overlooking something here?

So you do not give the same -CApath ... or -CAfile ... argument, do you?

--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: [openssl.org #168] Ticket Resolved
Lutz,

The syntax I am using for the Verify follows:

openssl verify -CApath /etc/httpd/ssl.crt -CAfile /etc/httpd/ssl.crt/ca-bundle.crt -purpose sslserver -verbose ssl.crt/server.crt

The version for OpenSSL is 0.9.6b
The server version is Apache/1.3.20 (Linux/SuSE)

The server.crt is a super-cert from Thawte which we have just recently purchased.

Jim

- Original Message -
From: Lutz Jaenicke via RT [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, July 29, 2002 8:10 AM
Subject: Re: [openssl.org #168] Ticket Resolved

On Mon, Jul 29, 2002 at 05:00:21PM +0200, Jim Beasley via RT wrote:
> I read all the material you suggested and get the following error when I run verify with the -issuer_checks:
> error 29 at 0 depth lookup:subject issuer mismatch
> without the -issuer_checks, there is no error.

So you specify -CApath ... or -CAfile ... to specify the list of trusted CAs (or specify the self signed certificate itself).

> I am still puzzled, since I see error:19 (that was originally reported) as being an error when running openssl s_client from the commandline. Am I overlooking something here?

So you do not give the same -CApath ... or -CAfile ... argument, do you?

--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: [openssl.org #168] Ticket Resolved
On Mon, Jul 29, 2002 at 05:41:20PM +0200, Jim Beasley via RT wrote:
> The syntax I am using for the Verify follows:
> openssl verify -CApath /etc/httpd/ssl.crt -CAfile /etc/httpd/ssl.crt/ca-bundle.crt -purpose sslserver -verbose ssl.crt/server.crt

Yes, and it is working fine, isn't it? (the issuer_checks output is a warning, not an error)

> The server.crt is a super-cert from Thawte which we have just recently purchased.

So when using openssl s_client, you also have to specify -CAfile ... -CApath... and it should work as well.

--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Re: [openssl.org #168] Ticket Resolved
On Mon, Jul 29, 2002, Jim Beasley via RT wrote:
> Lutz,
> I read all the material you suggested and get the following error when I run verify with the -issuer_checks:
> error 29 at 0 depth lookup:subject issuer mismatch
> without the -issuer_checks, there is no error.

-issuer_checks is a debugging option which will give all manner of messages why it rejects certain certificates during the verify process. It is quite normal to have one or more messages like that when -issuer_checks is set.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
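
The advice in the thread, that the same certificate verifies or fails depending on whether -CAfile/-CApath is given, shown as an added example that is not part of the original messages. It assumes a current openssl command-line tool and a throwaway CA and server certificate constructed on the spot; the helper names make_demo_pki and verify_code are hypothetical, and -untrusted stands in for the chain a server sends to s_client. Error 19 is "self signed certificate in certificate chain", the code reported from s_client above.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, not the certificates from the thread.
set -u

# make_demo_pki DIR: self-signed "Demo Root CA" plus a server cert it signs.
# (Assumes the default openssl.cnf marks the -x509 certificate as a CA.)
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
}

# verify_code ARGS...: run "openssl verify ARGS" and print 0 on OK,
# otherwise the number from the first "error N at D depth lookup" line.
verify_code() {
  out=$(openssl verify "$@" 2>&1) || true
  if printf '%s\n' "$out" | grep -q ': OK$'; then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"

# Trust anchor supplied, as in the "openssl verify -CAfile ..." call in the thread.
echo "with -CAfile:    $(verify_code -CAfile "$demo_dir/ca.crt" "$demo_dir/server.crt")"

# Same chain, but the root is only offered as an untrusted chain certificate
# (what a peer sends in the handshake) and no -CAfile/-CApath names it as
# trusted. The demo root is in no system store, so the chain is built but rejected.
echo "without -CAfile: $(verify_code -untrusted "$demo_dir/ca.crt" "$demo_dir/server.crt")"

rm -rf "$demo_dir"
```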