The CA is the point of trust -- the "trust anchor". Since the server certificate is issued by the anchor, the client needs the anchor's certificate to be able to verify it.
If you want to bypass this, look at the definition of SSL_set_verify(). If your verification callback returns 0, the certificate is considered unverified. If it returns 1, the certificate is considered verified. It is YOUR code that must make this determination; usually this includes checking a local certificate store for a certificate with a CN= the FQDN of the server, and then seeing if the key used for the connection matches the one in that certificate.

OpenSSL won't do this for you automatically if you don't have the server certificate's issuer's certificate on the client. You may regard it as a bug or a feature, but it's simply reporting that the issuer of the certificate has not been saved locally -- and thus, it is working as designed and working as intended. It's up to your callback code to figure out if it's a case where the verification can be considered to have passed.

-Kyle H

On Thu, Jul 3, 2008 at 1:39 AM, Konrad Kleine <[EMAIL PROTECTED]> wrote:
> Hello,
>
> we are writing a client/server application in C/C++ using OpenSSL.
>
> The communication works fine, but if we set the client to verify the
> server's certificate (using "SSL_set_verify(ssl, SSL_VERIFY_PEER,
> ourVerifyCallback);") we get the error:
>
> "unable to get local issuer certificate" which is explained here:
> http://www.openssl.org/docs/apps/verify.html#item_20
>
> Some background information on our certificate hierarchy: We have a
> custom, self-signed CA certificate and a server certificate that is
> directly signed by the CA certificate. Our certificate chain therefore
> has a depth of 1.
>
> To solve the verification problem on the client side, it works if we call this:
>
> SSL_CTX_load_verify_locations(sslContext, "PATH/TO/CA_FILE.pem", 0);
>
> That's fine, but is it possible to verify the server's certificate on the
> client side by specifying a whole directory or perhaps a copy of the
> server's certificate file directly?
>
> In our examples, verification fails if we don't specify a file that
> contains the CA certificate among others.
>
> Thanks in advance
> Konrad
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
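Added example, not code from the thread or from the OpenSSL project: the trust-anchor behaviour discussed above, reproduced with the openssl command-line tool, which runs the same chain-building code the C API uses. The verify tool's -CAfile and -CApath options correspond to the second and third arguments of SSL_CTX_load_verify_locations(); Konrad's call passes 0 for the third, so no directory is searched. The script builds a constructed self-signed CA and a server certificate signed directly by it, then shows that with no anchor the verify error is exactly "unable to get local issuer certificate", that the CA given as CAfile or placed in a subject-hash-named CApath directory (the layout c_rehash creates) verifies the server, that a copy of the server certificate alone does not (a default chain must end in a self-signed trust anchor), and, going beyond what the thread covers, that the -partial_chain option is the switch that lets the server certificate itself act as the anchor. All names, paths and the scratch directory are constructed for the demo; it assumes an openssl binary of version 1.1.0 or later on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires the openssl CLI
# (1.1.0 or later for -no-CAfile/-no-CApath/-partial_chain).
# Builds a constructed two-level PKI in a scratch directory and shows how
# `openssl verify` behaves with each kind of trust-anchor configuration.

WORK="${TMPDIR:-/tmp}/openssl-anchor-demo.$$"

# Create a self-signed CA and a server certificate signed directly by it
# (chain depth 1, matching the thread). Subject names are constructed.
make_demo_pki() {
    mkdir -p "$WORK/certs" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1 || return 1
    # A CApath directory is searched by subject-name hash (<hash>.0, <hash>.1, ...),
    # which is the layout c_rehash produces. Store the CA under that name.
    subj_hash=$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem") || return 1
    cp "$WORK/ca.pem" "$WORK/certs/$subj_hash.0"
}

# verify_leaf [extra openssl verify options]
# Verifies the server certificate using ONLY the anchors given on the command
# line (system default locations disabled) and prints "OK" or the error text.
verify_leaf() {
    if out=$(openssl verify -no-CAfile -no-CApath "$@" "$WORK/server.pem" 2>&1); then
        echo OK
    else
        # openssl prints "error N at D depth lookup: <reason>"; keep the reason.
        printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

cleanup_demo_pki() { rm -rf "$WORK"; }

# Stand-alone run: reproduce the thread's error, then each way of resolving it.
make_demo_pki || { echo "could not build demo PKI"; exit 1; }
echo "no anchor:                  $(verify_leaf)"
echo "CAfile = CA cert:           $(verify_leaf -CAfile "$WORK/ca.pem")"
echo "CApath = hashed directory:  $(verify_leaf -CApath "$WORK/certs")"
echo "CAfile = server cert only:  $(verify_leaf -CAfile "$WORK/server.pem")"
echo "same, with -partial_chain:  $(verify_leaf -partial_chain -CAfile "$WORK/server.pem")"
cleanup_demo_pki
```

In the C API these same outcomes arrive as the error code handed to the verify callback, with preverify_ok set to 0 for the failing cases. A callback that returns 1 regardless of preverify_ok switches the check off entirely, so the callback Kyle describes should accept only the case it has positively identified (for instance a pinned certificate it has compared against) and otherwise return preverify_ok.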