> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Saturday, 11 August, 2012 08:57

> I wondered if perhaps there were path or filename specification problems
> (need to escape backslashes? a problem with embedded spaces?) but I
> eliminated all of those variables -- put the certificate with a "simple"
> name in the current path.

If the filename can't be opened SSL_CTX_load_verify_locations returns false.
Your code does check for that, I hope.

FWIW, the Windows *API* has no problem with space in filename (unlike some
Windows *UIs*). And it actually accepts either slash or backslash separator
(and sometimes slash is more convenient).

> What do I look for? How do I get more granularity than
> "unable to get local issuer certificate"?

Top-level cut: do you get the same error (verify 20) with s_client?

If so, the problem is either the cert or the truststore, and you're
confident of the truststore. Make sure the description as self-signed
(or at least self-issued) is correct, i.e. the Subject and Issuer names
are *exactly* the same.

If s_client works, the problem is almost certainly (say 99.9%) in your code.

This reminds me of one possibility that came up with someone else a few
weeks ago: if your self-signed cert has a KeyUsage extension that does not
include certSign, OpenSSL skips it for chain-building, resulting in
verify 20. If you look at the cert with the usual Windows tools (inetcpl,
CryptExtOpenCER, mmc) you should be able to see if KeyUsage is present and
if so what is in it, or you can use commandline openssl x509 -text.

If neither of the above, you probably do need to debug, but:

> I'm using a pre-built Windows distribution of OpenSSL 1.0.1c. It will take
> some re-arrangement to be able to trace into OpenSSL.

That's unfortunate.

> 64-bit Windows, if that matters.

It shouldn't, but if there's a bug somewhere, it might.

<snip previous>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
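
The two certificate checks suggested in the reply above (Subject and Issuer match, KeyUsage includes certSign), as an added example that is not part of the original message. The function name check_trust_anchor and its return codes are hypothetical; it assumes the openssl command-line tool is on the PATH and a PEM-encoded certificate.

```shell
#!/bin/sh
# Added example: pre-flight check for a self-signed certificate that is meant
# to act as its own trust anchor. Hypothetical helper, not an OpenSSL tool.
# Return codes (assumed convention for this example):
#   0 = self-issued, KeyUsage absent or includes Certificate Sign
#   1 = file cannot be read or parsed
#   2 = Subject and Issuer names differ
#   3 = KeyUsage present but lacks Certificate Sign (the verify 20 case)
check_trust_anchor() {
    cert=$1
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "cannot read or parse: $cert"
        return 1
    fi

    # Show both names for a visual comparison.
    openssl x509 -in "$cert" -noout -subject -issuer

    # Compare the name hashes OpenSSL itself uses to look certificates up
    # by name; identical names give identical hashes.
    subj_hash=$(openssl x509 -in "$cert" -noout -subject_hash)
    issu_hash=$(openssl x509 -in "$cert" -noout -issuer_hash)
    if [ "$subj_hash" != "$issu_hash" ]; then
        echo "Subject and Issuer differ: certificate is not self-issued"
        return 2
    fi

    # In -text output the KeyUsage values are on the line after the header.
    ku=$(openssl x509 -in "$cert" -noout -text |
         sed -n '/X509v3 Key Usage/{n;p;}')
    if [ -z "$ku" ]; then
        echo "no KeyUsage extension present"
        return 0
    fi
    case $ku in
        *"Certificate Sign"*)
            echo "KeyUsage includes Certificate Sign"
            return 0 ;;
        *)
            echo "KeyUsage present without Certificate Sign:$ku"
            return 3 ;;
    esac
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then check_trust_anchor "$1"; fi
```

A result of 3 points at the certificate itself rather than at the calling code or the path passed to SSL_CTX_load_verify_locations.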