On Thu, Nov 30, 2006, Dan Ellis wrote:
> Hello,
>
> I'm having trouble verifying peer certificates.
>
> I add my root certificate to the context's store using
> X509_STORE_add_cert (and also give it to SSL_CTX_add_client_CA). My
> server certificate chain is in a file, and I load the server certificate
> from the file and build a temporary stack of the other certificates in
> the chain, which I use, together with the context's store and a new
> store context, to verify my server certificate using X509_verify_cert.
> The verification is successful, so I add the certificates from the
> temporary stack (two intermediates and the root) using
> SSL_CTX_add_extra_chain_cert, and add the server certificate using
> SSL_CTX_use_certificate.
>
> When I then receive a connection and try to verify the client
> certificate, which has a chain ending with the same root certificate, it
> fails on the root certificate from the chain the client supplied, and
> consequently sends an 'unknown CA' fatal error back to the client.
>
> What's going on here? Why is my supplied CA certificate successfully
> used when I verify the server certificate, but seemingly ignored when
> verifying the client's certificate?
>
Does the client CA chain include an intermediate certificate which is not being sent, so the server can't build the chain to verify it?

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
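Steve's question above is whether the server can build the client's chain at all. As an added example (not part of the thread, and not OpenSSL project code), the script below reproduces that situation with the openssl command line: it generates a constructed root -> intermediate -> client chain, then runs `openssl verify` with the intermediate offered as an untrusted chain certificate and once more without it. Here `-CAfile` plays the role of the X509_STORE holding only the trusted root, and `-untrusted` plays the role of the certificates the peer actually sent; all names, subjects and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the "unknown CA" situation with the
# openssl CLI. -CAfile plays the role of the X509_STORE (trusted roots only) and
# -untrusted plays the role of the chain the peer actually sent. All names,
# subjects and file names below are constructed for this demonstration.
set -eu

# make_cert <name> <subject> <ext-file> [<issuer-name>]: key + CSR, then either a
# self-signed root (no issuer) or a certificate signed by <issuer-name>.
make_cert() {
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "$subj" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -extfile "$ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 1 -extfile "$ext" -out "$name.pem" 2>/dev/null
    fi
}

# build_test_pki <dir>: root -> intermediate -> client certificate, all in <dir>.
build_test_pki() (
    mkdir -p "$1" && cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext
    make_cert root   "/CN=Test Root"         ca.ext
    make_cert inter  "/CN=Test Intermediate" ca.ext   root
    make_cert client "/CN=Test Client"       leaf.ext inter
)

# verify_client <dir> [<untrusted.pem>]: verify client.pem against the root only,
# optionally offering the intermediate as an untrusted chain certificate.
# Prints "client.pem: OK" on success; returns openssl's exit status.
verify_client() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/client.pem"
    else
        openssl verify -CAfile "$1/root.pem" "$1/client.pem"
    fi
}

WORK=$(mktemp -d)
build_test_pki "$WORK"
echo "chain complete (intermediate supplied):"
verify_client "$WORK" inter.pem || true
echo "chain broken (intermediate missing, as in the 'unknown CA' case):"
verify_client "$WORK" || true      # unable to get local issuer certificate
```

The second run is the failure Steve describes: with only the root trusted and no intermediate offered, OpenSSL cannot build the chain and reports "unable to get local issuer certificate", which a TLS server then surfaces to the peer as an unknown CA alert.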
