Hi, all.
To test my sample SSL client program, I created two different CA files
from two different Linux machines.
One from the SSL server machine (with the CA.pl -newca command), the
right one, and another one from a different machine (with the same
CA.pl -newca command), the false one for the testing.
My purpose was to load these two different CA files into the remote
client program to see if the client code can determine there's an error
during the handshake when I ran the client code with the false one.

I used the following two methods to verify the error:

  if (!SSL_CTX_load_verify_locations(ctx,"cacert.pem",".")) {
    printf("Error, no verification for CA!\n");
    exit(5);
  }

  if (!SSL_CTX_set_options(ctx,SSL_VERIFY_PEER)) {
    printf("Error. CERT Error!\n");
    exit(6);
  }

But surprisingly this client code worked fine with either CA file,
whether it was the right one or the false one. :(
Okay, so I tried a different approach.
Instead, I used the following command and tested again (the my_callback
function used in SSL_CTX_set_verify is just my own callback function that
prints out an error message):

  if (!SSL_CTX_load_verify_locations(ctx,"cacert.pem",".")) {
    printf("Error, no verification for CA!\n");
    exit(5);
  }

  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, &my_callback);

This time, both CA files caused the 'my_callback' function to be called,
which shouldn't happen with the right CA file.
And the error message was 'selfsigned certificate'.
Both CA files are causing the same result!

Now it's very puzzling to me. What did I miss here?
I created the CA files with the 'CA.pl -newca' command and didn't do
anything else.

I'd very much appreciate it if you could help me on this.
Thanks in advance.

/Best Regards,
 Sejin.
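The question underneath this post is whether a client that trusts the wrong CA file really fails the handshake. The following is an added example, not code from the post or from the OpenSSL project, that reproduces the setup end to end with Python's ssl module, which is a thin layer over the same OpenSSL verification the C code calls. It generates a "right" and a "wrong" CA with the openssl command-line tool (standing in for CA.pl -newca), signs a server certificate with the right one, and runs a loopback handshake once against each CA file. PROTOCOL_TLS_CLIENT gives CERT_REQUIRED, the equivalent of SSL_VERIFY_PEER, and a rejected certificate raises SSLCertVerificationError carrying the same X509_V_ERR_* code that SSL_get_verify_result() returns in C. Two facts worth keeping in mind when reading it against the C snippets above: SSL_CTX_set_options() takes SSL_OP_* flags and does not enable peer verification, which is what SSL_CTX_set_verify() is for; and the verify callback passed to SSL_CTX_set_verify() is invoked for every certificate in the chain whether or not verification succeeded, with its preverify_ok argument saying which. The CA names, file names and the localhost subject are assumptions of the example.

```python
"""Loopback TLS handshake showing that the trusted CA file decides the
outcome: the server certificate is accepted only when the client's CA
file contains the CA that actually signed it.  Added example; it uses
Python's ssl module (over OpenSSL) and the openssl CLI for key/cert
generation, so it needs the openssl binary on PATH."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    """Run one openssl CLI command, failing loudly if it does not succeed."""
    subprocess.run(["openssl", *args], check=True, capture_output=True)


def make_ca(workdir, name):
    """Create a self-signed CA (what 'CA.pl -newca' does, minus the prompts)."""
    key = os.path.join(workdir, f"{name}.key")
    cert = os.path.join(workdir, f"{name}.pem")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
             "-keyout", key, "-out", cert, "-subj", f"/CN={name}")
    return key, cert


def make_server_cert(workdir, ca_key, ca_cert):
    """Issue a server certificate for 'localhost' signed by the given CA."""
    key = os.path.join(workdir, "server.key")
    csr = os.path.join(workdir, "server.csr")
    cert = os.path.join(workdir, "server.pem")
    ext = os.path.join(workdir, "server.ext")
    with open(ext, "w") as f:  # SAN so the client's hostname check can pass
        f.write("subjectAltName=DNS:localhost\n")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", csr, "-subj", "/CN=localhost")
    _openssl("x509", "-req", "-days", "2", "-in", csr, "-CA", ca_cert,
             "-CAkey", ca_key, "-CAcreateserial", "-extfile", ext, "-out", cert)
    return key, cert


def client_verdict(ca_file, server_key, server_cert):
    """Handshake once over loopback; return (ok, verify_code, verify_message).

    PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED (SSL_VERIFY_PEER) plus
    hostname checking.  A failed verification surfaces on the client as
    SSLCertVerificationError with the X509_V_ERR_* code OpenSSL assigned."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(server_cert, server_key)
    cli_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli_ctx.load_verify_locations(ca_file)   # the only trust anchor in play

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(5)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        try:
            # wrap_socket on a connected socket performs the handshake here
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"hello")
        except OSError:
            pass  # client aborted the handshake (alert); expected for the wrong CA

    thread = threading.Thread(target=serve)
    thread.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with cli_ctx.wrap_socket(raw, server_hostname="localhost"):
                pass  # reaching this point means the chain verified
        return True, 0, "ok"
    except ssl.SSLCertVerificationError as err:
        return False, err.verify_code, err.verify_message
    finally:
        thread.join()
        listener.close()


def run_demo():
    """Build the two CAs of the post, sign the server cert with the first,
    and try the handshake with each CA file in turn."""
    with tempfile.TemporaryDirectory() as workdir:
        right_key, right_ca = make_ca(workdir, "right-ca")
        _, wrong_ca = make_ca(workdir, "wrong-ca")
        srv_key, srv_cert = make_server_cert(workdir, right_key, right_ca)
        return {
            "right": client_verdict(right_ca, srv_key, srv_cert),
            "wrong": client_verdict(wrong_ca, srv_key, srv_cert),
        }


if __name__ == "__main__":
    for label, verdict in run_demo().items():
        print(label, verdict)
```

With the wrong CA the client reports X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (code 20, "unable to get local issuer certificate"), because nothing in its trust store can issue the presented chain; with the right CA the handshake completes. In C the same split shows up as the preverify_ok argument of the verify callback and as the result of SSL_get_verify_result(): a callback that returns its preverify_ok argument keeps OpenSSL's decision, while one that always returns 1 silently switches verification off.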

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
