At 11:34 AM 12/2/99 +0100, you wrote:
>On Thu, Dec 02, 1999 at 12:23:30PM +1100, James Darwin wrote:
>> Hi,
>> 
>> I'm having trouble verifying the server's signing CA on my client. At init
>> time, the SSL_CTX_set_client_CA_list() seems to work okay - debugging shows
>> certs being loaded into the STACK - but then in my verify callback routine
>> (nsssl_verify_client_callback) I always get
>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>> 
>> Am I missing a step here? I'm using a verisign class 1 cert on the server,
>> and I have loaded verisign class 1 (and 2 and 3) CA into
>> "nsssl_ca_cert_file".
>> 
>> Any help would be more appreciated....

Hi Lutz, thanks for the response. I'm working on the first case below. You
were right, I did need to call SSL_CTX_load_verify_locations.

I'm now getting X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT in my verify routine,
using what I believe is a correct CA root. I signed the certificate I'm
using on the server with the openssl demoCA - both server certificate and
demo CA root certificates are text dumped at the end of this email.

What does this error mean? Is my CA root incorrect, or is there an error getting the CA root?


Best Regards,

Jimmy

>I am not sure that I understood your question correctly:
>- You are working on the client part and want to verify the certificate
>  presented by the server?
>  Then you have to add the CA certificates to use for the check using the
>  SSL_CTX_load_verify_locations() call.
>- You are working on the server part and want to verify the client
>  certificates?
>  Then you need to add the CA certificates to check against using
>  SSL_CTX_load_verify_locations(ctx, CAfile, CApath). If you don't do anything
>  else, the certificates included in CAfile are listed to the client as
>  available for checking. You can however influence this list using the
>  SSL_CTX_set_client_CA_list() call.
>  (From memory, hopefully I got it right :-).
>
>Best regards,
>       Lutz
>-- 
>Lutz Jaenicke                             [EMAIL PROTECTED]
>BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
>Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
>Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>Development Mailing List                       [EMAIL PROTECTED]
>Automated List Manager                           [EMAIL PROTECTED]


apps@utopia>./openssl x509 -in /tmp/server_certificate.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 286 (0x11e)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=CS, CN=SSLeay demo server
        Validity
            Not Before: Dec  2 05:45:13 1999 GMT
            Not After : Dec  1 05:45:13 2000 GMT
        Subject: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=test, CN=James Darwin/Email=[EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c1:2a:ec:5a:33:9c:db:b4:da:3f:09:5d:d8:08:
                    1c:ec:80:13:f7:6a:f7:7f:0f:48:80:48:ea:39:30:
                    e8:a5:fd:bd:59:a4:39:f8:27:e1:33:96:6a:30:a6:
                    d0:73:34:0d:97:15:4b:d0:d3:14:ea:b7:c8:76:80:
                    7e:0b:ec:3f:bd:68:4e:c8:e2:97:67:1a:8f:bc:b6:
                    04:34:28:08:31:90:89:44:92:64:73:3f:c9:e0:6a:
                    76:b5:4b:11:22:6d:24:8b:e8:c3:2e:09:1b:4d:39:
                    44:2e:73:73:65:13:b9:aa:5f:15:23:28:77:1a:41:
                    9f:ae:29:7e:fc:94:f9:91:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C8:14:F0:48:CE:A2:DD:4D:C5:B1:9A:77:69:8D:A2:EE:2D:3C:75:B6
            X509v3 Authority Key Identifier:
                DirName:/C=AU/ST=QLD/CN=SSLeay/rsa test CA
                serial:04

    Signature Algorithm: md5WithRSAEncryption
        3e:cd:d9:56:83:f8:c4:e1:ce:35:c7:f1:19:a3:4f:ec:7d:aa:
        ca:61:98:91:f0:22:30:e9:5f:f9:5f:14:32:7b:5c:77:f6:a1:
        fb:34:c4:13:f4:9f:54:9f:0b:2b:5f:14:f9:63:2d:50:07:28:
        71:82:82:8e:ee:20:84:07:9e:84
apps@utopia>./openssl x509 -in /tmp/roo_ca_certificate.pem -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4 (0x4)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=AU, ST=QLD, CN=SSLeay/rsa test CA
        Validity
            Not Before: Oct  9 23:32:05 1995 GMT
            Not After : Jul  5 23:32:05 1998 GMT
        Subject: C=AU, ST=QLD, O=Mincom Pty. Ltd., OU=CS, CN=SSLeay demo server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit):
                    00:b7:2c:25:dc:49:c5:ae:6b:43:c5:2e:41:c1:2e:
                    6d:95:7a:3a:a9:03:51:78:45:0f:2a:d1:58:d1:88:
                    f6:9f:8f:1f:d9:fd:a5:87:de:2a:5d:31:5b:ee:24:
                    66:bf:c0:55:db:fe:70:c5:2c:39:5f:5a:9f:a8:08:
                    fc:21:06:d5:4f
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        2b:34:5b:22:85:62:23:07:36:f4:0c:2b:14:d0:1b:cb:d9:bb:
        d2:c0:9a:cf:12:a1:65:90:3a:b7:17:83:3a:10:6b:ad:2f:d6:
        b1:11:c0:0d:5a:06:db:11:d0:2f:34:90:f5:76:61:26:a1:69:
        f2:db:b3:e7:20:cb:3a:64:e6:41
----------------------------------------------------------
    James Darwin             http://www.dascom.com
 Senior Software Engineer    DASCOM Australia Pty Ltd.
   [EMAIL PROTECTED]          Bond University Australia.
----------------------------------------------------------