Can you verify the client certificate using "openssl verify" with -CApath and -CAfile similar to what you have used in
SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr)?

Does it work if you specify only the client cert and not the entire chain when using s_client?

/Sandeep

On Sat, May 28, 2011 at 12:18 AM, Mary Zhang <[email protected]> wrote:

> Ziyu, please see my answers inline.
>
> Thanks!
>
> Mary
>
> 2011/5/27 Ziyu Liu <[email protected]>
>
>> At 2011-05-27 13:27:43, "Mary Zhang" <[email protected]> wrote:
>>
>>> Thanks, Ziyu.
>>>
>>> The certificate is ok.
>>> In fact, openssl s_client using the same test cert works fine against openssl
>>> s_server, and if I put the intermediate CA into my SSL server's ca file, it
>>> works as well.
>>
>> Did you attach the intermediate CA to your client certificate chain file?
>
> [Mary] Yeah, the client cert file contains the whole chain.
>
>>> So the issue is that my SSL server is not building the cert chain
>>> correctly to validate against the root ca.
>>> And I'm not sure whether I missed some call/config to enable the cert
>>> chain validation.
>>
>> There is no specific difference between cert or cert chain.
>> What verification depth have you set?
>> Have you set the same CN when generating the root CA and intermediate CA?
>
> [Mary] You mean for validation of cert or cert chain, there is no
> difference in code: same code should work?
> That's what I expected, but somehow it failed with the chain case only.
>
> The verification depth is set to 10 by default (previous other's code), I
> may double check that part.
>
> The root CA and intermediate CA have different CNs. And I used xca
> to create them.
>
>> You can test your server with the certificates in my attachment.
>> Structure:
>> rootcert.pem signs servercert.pem and an intermediate cert which is in
>> clientchian.pem;
>> the intermediate cert signs clientcert.pem.
>
> [Mary] Will try, but my test certs work fine with OpenSSL s_client and
> s_server, and so I don't think the certs have an issue.
>
>>> Thanks!
>>>
>>> Mary
>>>
>>> 2011/5/26 Ziyu Liu <[email protected]>
>>>
>>>> Use the command 'openssl x509 -in serverCA.pem -text -noout' to check if
>>>> your certificate is generated ok. When you are going to use an intermediate
>>>> CA, you must use X509 v3 extensions.
>>>> Check if you have this content:
>>>>
>>>>     X509v3 extensions:
>>>>         X509v3 Basic Constraints:
>>>>             CA:TRUE
>>>>
>>>> At 2011-05-27 06:53:04, "Mary Zhang" <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I am using OpenSSL for an SSL server and "openssl s_client" to test it
>>>>> with client auth required.
>>>>> A self-signed root cert is used for creating client certs, and the
>>>>> self-signed root cert is added to the SSL server's trusted ca file.
>>>>>
>>>>> It works fine when the client cert has no chain, but if the client cert is
>>>>> created by an intermediate ca which is signed by the previous root ca, the SSL
>>>>> server fails with unknown ca.
>>>>> From the debug trace, it looks like s_client sent the whole chain (the
>>>>> client cert file contains the private key and the whole chain in PEM
>>>>> format).
>>>>>
>>>>> I've thought that OpenSSL will automatically build the chain based on
>>>>> what is sent from the client, and since the root ca is trusted, it should work.
>>>>> Am I wrong? Do I need to get the client's cert chain and set it on the SSL CTX
>>>>> for validation?
>>>>>
>>>>> BTW, here are the functions used:
>>>>>
>>>>>     SSL_CTX_new(SSLv23_method());
>>>>>     SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
>>>>>     SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>>>>>     SSL_CTX_set_cipher_list(ctx, CIPHER_LIST);
>>>>>     SSL_CTX_use_certificate_chain_file(ctx, cert_fname);
>>>>>     SSL_CTX_use_PrivateKey_file(ctx, cert_fname, SSL_FILETYPE_PEM);
>>>>>     STACK_OF(X509_NAME) *ca_certs = SSL_load_client_CA_file((char *)ca_fname);
>>>>>     SSL_CTX_set_client_CA_list(ctx, ca_certs);
>>>>>     SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr);
>>>>>     SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
>>>>>     SSL_CTX_set_verify_depth(ctx, _verify_depth);
>>>>>
>>>>> Thank you very much!
>>>>>
>>>>> Mary
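As an added example, not part of the thread, the script below builds a throwaway root / intermediate / client PKI with the openssl CLI and runs the `openssl verify` check Sandeep suggests: the leaf alone against the trusted root, the leaf with the intermediate supplied as untrusted chain material, and a leaf whose issuer lacks the X509v3 Basic Constraints CA:TRUE that Ziyu points to. It assumes an `openssl` binary on PATH; every file and subject name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway PKI
# (root -> intermediate -> client) with the openssl CLI, then run the check
# Sandeep proposes, `openssl verify` with only the root in -CAfile.
# All subject names and file names below are constructed for this demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# A CA cert needs the X509v3 basicConstraints CA:TRUE Ziyu mentions; leaf.ext
# is also (mis)used below to mint an "intermediate" that lacks it.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\n' > leaf.ext

csr() {  # csr NAME: fresh RSA key plus CSR with CN=Demo-NAME
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
      -subj "/CN=Demo-$1" 2>/dev/null
}
issue() {  # issue NAME SIGNER EXTFILE: sign NAME's CSR with SIGNER's key
  csr "$1"
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 1 -extfile "$3" -out "$1.pem" 2>/dev/null
}

csr root   # self-signed root: the only certificate the server trusts
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.pem 2>/dev/null
issue int root ca.ext            # proper intermediate CA
issue badint root leaf.ext       # "intermediate" without CA:TRUE
issue client int leaf.ext        # the client certificate under test
issue badclient badint leaf.ext  # leaf issued by the broken intermediate

# verify_chain LEAF [INTERMEDIATE]: trust only root.pem and pass the
# intermediate as -untrusted, the role a TLS peer's sent chain plays.
# Returns openssl verify's exit status: 0 only when a chain to root builds.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1"
  else
    openssl verify -CAfile root.pem "$1"
  fi
}

echo "--- leaf alone (what the server has if the intermediate never arrives):"
verify_chain client.pem || true
echo "--- leaf plus intermediate as untrusted chain material:"
verify_chain client.pem int.pem
echo "--- leaf issued by an intermediate that lacks CA:TRUE:"
verify_chain badclient.pem badint.pem || true
```

The first case fails with "unable to get local issuer certificate", which mirrors the server side: with only the root in the verify store, the leaf validates only if the issuing intermediate is either received as untrusted chain material from the peer or added to the trusted file, and an intermediate without CA:TRUE is rejected even when present.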
