Hello Dave,

Thank you for your answer.

You are right, I am using a self-signed certificate for use by my server. In fact, I do not perform client authentication in my application: only the server shall be authenticated by SSL. The client is authenticated by another mechanism.

Here is how I generate my RSA key and my certificate:

openssl genrsa -des -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 20000 -in server.csr -signkey server.key -out server.crt

The only file that I transmit to my client is server.crt. I think that all those files are OK because, on the server side, once everything is initialised, the command SSL_CTX_check_private_key is happy with it.

In order to initialise the truststore of my client, I copy the server.crt file somewhere, and I execute the following command:

SSL_CTX_use_certificate_file(ctx, path_to_file, SSL_FILETYPE_PEM);

Do I have to generate another file? Or do I have to perform another configuration in my client?

Regards,
Brice

2013/5/28 Dave Thompson <dthomp...@prinpay.com>:
>> From: owner-openssl-us...@openssl.org On Behalf Of Brice André
>> Sent: Monday, 27 May, 2013 14:48
>
>> I am writing a client-server application <snip> I plan to
>> generate my self-signed certificate and to embed it in my client.
>>
> To be clear, a self-signed cert for (used by) the server.
> A self-signed cert for the client would be different, but
> client-auth is rarely used and I expect you would have said so.
>
>> Now, my problem is that, when I configure openssl to check the peer
>> certificate, with the SSL_set_verify command and the SSL_VERIFY_PEER
>> option, I get the error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT when
>> handshaking the connection on the client side.
>>
>> My understanding of this error is that, by default, open-ssl is not
>> accepting self-signed certificates.
>>
> Are you setting up the client truststore, and how? By default
> openssl doesn't trust *any* peer cert, self-signed or not.
> If you are setting up truststore, you aren't doing it right.
>
>> So, my question is how can I configure open-ssl to accept self-signed
>> certificates ?
>>
> Put a self-signed entity cert, like a CA root (also self-signed),
> in the (client's) truststore using _default_verify_paths,
> _load_verify_locations, or "by hand", as applicable.
>
> One gotcha specific to self-signed EE certs at least in openssl:
> if the KeyUsage extension is present it must include CertSign (in
> addition to digSign and maybe keyEnc needed in a CA-issued EE cert).
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
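A worked version of the truststore advice in the thread, added here as an example that belongs to neither message: it builds a self-signed server.crt whose KeyUsage includes keyCertSign (the gotcha Dave mentions), reproduces the verify error the client hits when that cert is not in its truststore, and shows the check pass once the same file is supplied as the CA file, which is the CLI counterpart of SSL_CTX_load_verify_locations. It assumes the openssl CLI (1.1.1 or newer, for -addext) and mktemp are available; the CN is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI (1.1.1+ for -addext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key and self-signed cert in one step. -nodes avoids the passphrase prompt that
# "genrsa -des" causes. KeyUsage carries keyCertSign next to the usual EE bits:
# a self-signed EE cert with a KeyUsage that lacks CertSign is not treated as
# self-signed by OpenSSL and fails verification even when placed in the store.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=example-server" \
        -addext "keyUsage=digitalSignature,keyEncipherment,keyCertSign" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Client with no truststore set up (nothing loaded via SSL_CTX_load_verify_locations):
# the self-signed leaf is untrusted. Prints "error 18", which is
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the code reported in the thread.
verify_untrusted() {
    openssl verify "$WORK/server.crt" 2>&1 | grep -o 'error [0-9][0-9]*' | head -n 1
}

# Client with server.crt placed in the truststore: -CAfile here does what
# SSL_CTX_load_verify_locations(ctx, "server.crt", NULL) does in the API.
# Exit status 0 means the certificate verified.
verify_trusted() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}

make_selfsigned
echo "no truststore:   $(verify_untrusted)"
if verify_trusted; then echo "with truststore: OK"; fi
```

Loading server.crt with SSL_CTX_use_certificate_file, as in the message above, sets the client's own certificate rather than its trust anchors, so it has no effect on the peer-verification result shown here.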