Praveen Jothi wrote:


The following is in the demo code.
r = SSL_CTX_load_verify_locations(ret,a.ca_file,NULL)
I am wondering if NULL is the right parameter to pass through for CA path?

Yes, as the comment in my version (0.9.8a) says, it just won't use a CA directory but will put all certs in a single CAFile (which is perfectly ok). In test.c around line 71 you can see that "cacerts.pem" is used as a CAFile.

But back to the beginning, now I checked the certificates. openssl x509 -in cert.pem -noout -text gives the following:

Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 1 (0x1)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
       Validity
           Not Before: May  1 01:26:35 1999 GMT
           Not After : May 31 01:26:35 1999 GMT
       Subject: C=DE, CN=Testserver
[... and some more ... ]

The only certificate in cacerts.pem is the following (openssl x509 -in cacerts.pem -noout -text):

Certificate:
   Data:
       Version: 1 (0x0)
       Serial Number: 0 (0x0)
       Signature Algorithm: md5WithRSAEncryption
       Issuer: C=AU, ST=Queensland, O=CryptSoft Pty Ltd, CN=Test PCA (1024 bit)
       Validity
           Not Before: Jun  9 13:57:43 1997 GMT
           Not After : Jun  9 13:57:43 2001 GMT
       Subject: C=AU, ST=Queensland, O=CryptSoft Pty Ltd, CN=Test CA (1024 bit)
[ ... etc ...]

So the issuer of the client cert ("C=AU, ST=Some-State, O=Internet Widgits Pty Ltd") cannot be found in cacerts.pem (the only cert there is from "C=AU, ST=Queensland, O=CryptSoft Pty Ltd, CN=Test CA (1024 bit)") and so the error message is correct (like always... ;)).

Obviously the certificates in this directory have been messed up. If you generate your own CA, store the CA's self-signed certificate in cacerts.pem and a generated client cert (including the private key) in cert.pem, I guess the application will work. I'll try to find the time this evening to generate a new (sensible) set of certificates for inclusion in the distribution.

Thank you very much.
regards,
Pjothi

Hope it helps.
Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
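
The certificate layout suggested in the message above (a self-signed CA certificate in cacerts.pem, a client certificate issued by that CA plus its private key in cert.pem), together with the issuer mismatch that produced the error, as an added example that is not part of the original message or of the demo distribution. All names and keys are constructed, and the `openssl` command-line tool with its default configuration file is assumed to be installed.

```shell
#!/bin/sh
# Added example: throwaway keys and constructed names, nothing from the demo distribution.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT

# make_ca <prefix> <CN>: self-signed CA certificate in <prefix>.pem, key in <prefix>.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=DE/O=Example Test/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

# issue_cert <ca-prefix> <out-prefix> <CN>: certificate signed by that CA,
# stored together with its private key in <out-prefix>.pem
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=DE/CN=$3" \
        -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
    openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.pem" -CAkey "$work/$1.key" \
        -set_serial 1 -days 30 -sha256 -out "$work/$2.crt" 2>/dev/null
    cat "$work/$2.crt" "$work/$2.key" > "$work/$2.pem"
}

# chain_ok <cafile> <cert>: succeeds only if the cert chains to a CA in cafile
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches <cafile> <cert>: compares the cert's Issuer with the Subject of
# the first certificate in cafile (the comparison done by eye in the message)
issuer_matches() {
    issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$issuer" = "$subject" ]
}

make_ca cacerts "Example Test CA"      # the CA the verifier will trust
make_ca other "Unrelated CA"           # stands in for a mismatched cacerts.pem
issue_cert cacerts cert "Testclient"

for ca in cacerts other; do
    if chain_ok "$work/$ca.pem" "$work/cert.pem"; then
        echo "$ca.pem: cert.pem verifies"
    else
        echo "$ca.pem: issuer of cert.pem not found"
    fi
done
```

Running `issuer_matches` against an existing CA file and certificate pair before wiring them into `SSL_CTX_load_verify_locations` catches a mismatched set without starting the application.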
