Thanks, Ziyu. The certificate is ok. In fact, openssl s_client using the same test cert works fine against openssl s_server, and if I put the intermediate CA into my SSL server's ca file, it works as well. So the issue is that my SSL server is not building the cert chain correctly to validate against the root ca. And I'm not sure whether I missed some call/config to enable the cert chain validation.
Thanks!
Mary

2011/5/26 Ziyu Liu <[email protected]>

> Use the command 'openssl x509 -in serverCA.pem -text -noout' to check if
> your certificate is generated ok. When you are going to use the intermediate
> CA, you must use X509 v3 extension.
> Check if you have this content:
>
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:TRUE
>
> At 2011-05-27 06:53:04, "Mary Zhang" <[email protected]> wrote:
>
> > Hi,
> >
> > I am using OpenSSL for an SSL server and "openssl s_client" to test it with
> > client auth required.
> > Self-signed root cert is used for creating client certs, and the
> > self-signed root cert is added to SSL server's trusted ca file.
> >
> > It works fine when client cert has no chain, but if the client cert is
> > created by an intermediate ca which is signed by previous root ca, the SSL
> > server failed with unknown ca.
> > From the debug trace, looks like s_client sent the whole chain (the client
> > cert file contains the private key and the whole chain in PEM format).
> >
> > I've thought that OpenSSL will automatically build the chain based on what
> > was sent from the client, and since the root ca is trusted, it should work.
> > Am I wrong? Do I need to get the client's cert chain and set it to the SSL CTX
> > for validation?
> >
> > BTW, here are the functions used:
> >
> >     SSL_CTX *ctx = SSL_CTX_new(SSLv23_method());
> >
> >     SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
> >     SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
> >     SSL_CTX_set_cipher_list(ctx, CIPHER_LIST);
> >
> >     /* server cert + chain and private key from the same PEM file */
> >     SSL_CTX_use_certificate_chain_file(ctx, cert_fname);
> >     SSL_CTX_use_PrivateKey_file(ctx, cert_fname, SSL_FILETYPE_PEM);
> >
> >     /* CA names advertised to the client, and the trust store used to verify it */
> >     STACK_OF(X509_NAME) *ca_certs = SSL_load_client_CA_file((char*)ca_fname);
> >     SSL_CTX_set_client_CA_list(ctx, ca_certs);
> >     SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr);
> >
> >     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
> >                        NULL);
> >     SSL_CTX_set_verify_depth(ctx, _verify_depth);
> >
> > Thank you very much!
> >
> > Mary
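Added example, not code from the thread: the three situations the thread discusses, reproduced with the openssl CLI against a throw-away PKI (all names are constructed; assumes openssl 1.1.1 or later on PATH). The trust store holds only the root, as in Mary's server, and the `-untrusted` file plays the role of the extra certificates the client sends in the handshake, which the server's verifier uses the same way when building the chain.

```shell
# Added example, not from the thread: a throw-away PKI checked against a trust
# store holding ONLY the root. Assumes the openssl CLI (1.1.1+) is on PATH;
# every file and subject name below is constructed for the demo.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
trap 'rm -rf "$WORK"' EXIT

# new_csr NAME CN: fresh P-256 key plus CSR
new_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign_cert CSR CACERT CAKEY SERIAL OUT [EXTFILE]: issue a cert from the CSR
sign_cert() {
    openssl x509 -req -in "$1.csr" -CA "$2" -CAkey "$3" -set_serial "$4" -days 1 \
        -out "$5" ${6:+-extfile $6} 2>/dev/null
}

build_pki() {
    # the v3 extension Ziyu asked about: without it a cert cannot act as a CA
    printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign\n' > ca.ext
    new_csr root "Test Root" && new_csr inter "Test Intermediate" && new_csr leaf client1 || return 1
    # self-signed root carrying CA:TRUE
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 1 \
        -out root.pem 2>/dev/null || return 1
    # the same intermediate key and subject issued twice: once as a real CA cert,
    # once with no basicConstraints at all; the leaf is signed by the intermediate key
    sign_cert inter root.pem root.key 2 inter_ca.pem ca.ext || return 1
    sign_cert inter root.pem root.key 3 inter_noca.pem || return 1
    sign_cert leaf inter_ca.pem inter.key 4 leaf.pem
}

# verify_leaf MODE: 0 if leaf.pem chains to the root-only store. -untrusted is how
# openssl treats the extra certs a peer sends in the handshake.
#   root-only: no intermediate supplied   noca: intermediate lacks CA:TRUE   ca: real v3 CA
verify_leaf() {
    case "$1" in
        root-only) set -- ;;
        noca) set -- -untrusted inter_noca.pem ;;
        ca) set -- -untrusted inter_ca.pem ;;
    esac
    openssl verify -CAfile root.pem "$@" leaf.pem >/dev/null 2>&1
}

build_pki || { echo "PKI setup failed" >&2; exit 1; }
for mode in root-only noca ca; do
    verify_leaf "$mode" && echo "$mode: verify OK" || echo "$mode: verify FAILED"
done
```

Only the last case verifies: without the intermediate the verifier cannot reach the root, and with an intermediate that lacks CA:TRUE the chain is built but rejected as an invalid CA.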
