George Staikos wrote:
> 
> On Thursday 26 July 2001 14:15, Dr S N Henson wrote:
> 
> 
> > Wrt the verify "problem" what errors do you get and what command line
> > options are you using?
> 
>    openssl verify -CAfile ca-cert-bundle.pem ibm.pem
> 
>    All the problem certificates say "unable to load certificate file".  If I
> try to verify the certificate during the SSL negotiation phase in Konqueror,
> it says "Issuer is unknown or invalid".  Now I'm using the exact cert7.db
> that netscape has and it doesn't have this problem.
> 

The PEM files have an extra blank line which is causing problems.

In fact I can verify one of the sites, I presume it is
www.wellsfargo.com, with no problems using the command line:

openssl s_client -connect www.wellsfargo.com:443 -CAfile certs/vsign3.pem

vsign3.pem is in the standard OpenSSL distribution.

> 
> > which isn't in the archive at all. You can however get it from the site
> > using the -showcerts option to s_client but you shouldn't really need it
> > because OpenSSL now supports chain verification.
> 
>    Does netscape do this?  I tried straceing netscape and didn't see it get
> this file to my knowledge.  (perhaps I missed it somehow)
> 

The normal SSL negotiation will include the server (or client)
certificate chain, possibly minus the root. Therefore the only certificates
you need to trust are root CAs if the server is correctly configured.
Netscape does something similar.

>    Do I need to be using X509_STORE_CTX_trusted_stack or "issuer checks" as I
> see in verify.c in order to make this work?  Right now I just do
> X509_STORE_add_lookup(mycertfile, X509_LOOKUP_file());, then init the store
> and do X509_verify_cert().  Only these two issuers are causing problems for
> me right now.  All others seem to work just fine.
> 

No, what you're doing should be fine provided you have the correct root
CAs.

> 
> As a followup, I think I have found some new important information.  I
> switched to using SSLv3 instead of v2 and now I get a long chain of
> certificates that look like they will allow me to verify the certificate.
> Does this mean it's the server's fault for only giving the top certificate in
> a chain when only SSLv2 is enabled?  How is this ever supposed to work?
> 

Ah, now SSLv2 can only send the server certificate and not the whole
chain. Therefore you have to include all the other certificates in the
chain in the trusted CA file. You can extract the intermediate CA using
an SSLv3 connection and -showcerts and use that if you really need
SSLv2.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.