Hi,
I'm writing a client application and I need to verify the server 
certificate.  Using OpenSSL code as a template I ended up with 
verify_callback() from apps/s_cb.c. But I found out that no 
matter what path and/or file are passed to SSL_CTX_set_locations()
(resp. no matter whether the CA cert is present in the specified stores
or not), the verify_callback() function always gets the 
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN error 
and never X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT in ctx->error.

        Using openssl binary (there are no certificates in /tmp):
$ openssl s_client -connect svti.feld.cvut.cz:443 -verify 3 -CApath /tmp
verify depth is 3
CONNECTED(00000003)
depth=1 /C=CZ/ST=Czech Republic/L=Prague/O=Czech Technical
University/OU=Faculty of Electrical Engineering/CN=CTU FEE
[EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 /C=CZ/ST=Czech Republic/L=Prague/O=Czech Technical
University/OU=Faculty of Electrical Engineering/CN=CTU FEE
[EMAIL PROTECTED]
verify return:1
depth=0 /C=cz/ST=Czech Republic/L=Prague/O=FEE CTU
Prague/OU=SIC/CN=felix.feld.cvut.cz
verify return:1

        But doing the same with SSLeay-0.6.6:

$ ssleay s_client -host svti.feld.cvut.cz -port 443 -verify 3 -CApath /tmp
verify depth is 3
CONNECTED
depth=0 /C=cz/SP=Czech Republic/L=Prague/O=FEE CTU
Prague/OU=SIC/CN=felix.feld.cvut.cz
issuer= /C=CZ/SP=Czech Republic/L=Prague/O=Czech Technical
University/OU=Faculty of Electrical Engineering/CN=CTU FEE
[EMAIL PROTECTED]
verify error:num=11:unable to get issuer certificate
verify return:0
SSL_connect ERROR
verify error:unable to get issuer certificate

        Did I miss something? Or what is the right way to verify
peer certificate?

                Thank you
--
                                        Milan Sova
                                        [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
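The behaviour described in the post can be reproduced offline with the openssl command-line tool. The script below is an added example, not code from the original post or from the OpenSSL project; it builds a throwaway CA and server certificate (the names "Example Test CA" and "felix.example.test" are constructed) and runs `openssl verify` three ways. With an empty -CApath and the self-signed root supplied next to the server certificate (the shape of a chain from a server that sends its own root in the handshake, as in the s_client output above) the result is error 19, "self signed certificate in certificate chain"; with the root absent from the chain it is the "unable to get issuer certificate" family instead. The code therefore reflects what the peer sent, not which store was configured, and neither case is a trusted chain. The third run shows what -CApath actually needs: the CA certificate stored under its subject-hash filename (the OpenSSL call for pointing a context at such a store is SSL_CTX_load_verify_locations()). Note also that the "verify return:1" lines in the s_client output mean that demo callback keeps going after the error; a client that copies it should instead return preverify_ok, or check SSL_get_verify_result() after the handshake, so that both error codes abort the connection.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce the two verify
# errors the post compares, using a throwaway PKI built with the openssl CLI.
# All names here (Example Test CA, felix.example.test) are constructed.
set -e

WORK=$(mktemp -d)
EMPTY_STORE="$WORK/empty-capath"    # plays the role of the post's empty /tmp
mkdir -p "$EMPTY_STORE"

# Constructed test PKI: one self-signed root and one server cert it issued.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Test CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
        -subj "/CN=felix.example.test" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.crt" >/dev/null 2>&1
}

# A -CApath directory is only consulted through files named <subject-hash>.N,
# so copying ca.crt into a directory under its own name is not enough.
build_trust_store() {
    store="$WORK/capath"
    mkdir -p "$store"
    hash=$(openssl x509 -hash -noout -in "$WORK/ca.crt")
    cp "$WORK/ca.crt" "$store/$hash.0"
    echo "$store"
}

# Run `openssl verify` and reduce the outcome to one word:
#   ok                - chain ends at a certificate found in the trust store
#   self-signed-chain - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (num=19)
#   no-issuer         - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT(_LOCALLY) (num=2/20)
#   other             - any other failure
# $1 = trust store directory; $2 = with-root (the peer's chain carries its
# self-signed root, as in the post's s_client run) or without-root.
verify_result() {
    capath=$1
    chain=$2
    set --
    if [ "$chain" = with-root ]; then
        set -- -untrusted "$WORK/ca.crt"
    fi
    out=$(openssl verify -CApath "$capath" "$@" "$WORK/srv.crt" 2>&1 || true)
    case "$out" in
        *": OK"*) echo ok ;;
        *"self signed certificate in certificate chain"* | \
        *"self-signed certificate in certificate chain"*) echo self-signed-chain ;;
        *"unable to get local issuer certificate"* | \
        *"unable to get issuer certificate"*) echo no-issuer ;;
        *) echo other ;;
    esac
}

make_test_pki
echo "empty store, root in chain:      $(verify_result "$EMPTY_STORE" with-root)"
echo "empty store, root not in chain:  $(verify_result "$EMPTY_STORE" without-root)"
echo "hashed store, root not in chain: $(verify_result "$(build_trust_store)" without-root)"
```

Only the third line reports ok; the first two are the error 19 and error 2/20 outcomes respectively, and a client must treat both as a failed verification rather than continue as the s_client demo callback does.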
