Hello Marek, Bernhard,

Thank you for your help. I will try SSL_CTX_set_verify().

Thank you once again.
~ Urjit

----- Original Message -----
From: "Marek Marcola" <[EMAIL PROTECTED]>
To: <openssl-users@openssl.org>
Sent: Tuesday, February 13, 2007 4:36 PM
Subject: Re: My ssl client connects without the knowledge of root CA certificate

> Hello,
> > Could someone help me understand what is happening here?
> >
> > ~ Urjit
> >
> > ----- Original Message -----
> > From: "Urjit Gokhale" <[EMAIL PROTECTED]>
> > To: <openssl-users@openssl.org>
> > Sent: Thursday, January 18, 2007 9:13 PM
> > Subject: Re: My ssl client connects without the knowledge of root CA
> > certificate
> >
> >
> > > No.
> > > The function call sequence in the client goes like:
> > > SSL_load_error_strings()
> > > SSL_library_init()
> > > SSL_CTX_new()
> > > SSL_new()
> > > SSL_set_cipher_list()
> > > SSL_set_fd()
> > > SSL_connect()
> > > and then the client continues with SSL_read() and SSL_write().
> > >
> > > I still wonder how my client manages to do a successful SSL_connect!
> > > Anyway, thanks for the reply,
> This may depend on negotiated cipher (anonymous for example).
> But if (for example) you use RSA then certificate sent from
> server to client (for encryption of pre_master_secret) is
> not verified by default. It is just used.
> (Server proves having right private key by proper decryption
> of pre_master_key).
>
> > > Do you use:
> > >
> > > SSL_CTX_set_verify (sslctx, SSL_VERIFY_PEER |
> > > SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
> > > If not it is probably the solution ;)
> > >
> > > Alexis
> For client SSL_CTX_set_verify (sslctx, SSL_VERIFY_PEER, NULL)
> should be enough.
>
> Best regards,
> --
> Marek Marcola <[EMAIL PROTECTED]>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]