Re: [twsocket] OpenSsl Verify bug?
Arno Garrels wrote:
> RTT wrote:
>> And you are sure the MyServerCert.pem is not, by mistake, self
>> signed.
>
> Very sure.

I misunderstood the purpose of the -untrusted switch completely. Its purpose is to add chain certificates not explicitly trusted. These certificates are used to build up the verify chain internally. For instance:

#1 Root cert was in the TrustedCA.pem
#2 Intermediate CA cert signed by #1 was NOT in TrustedCA.pem
#3 Server cert to be verified signed by #2

You have to add #2 with -untrusted otherwise the verify chain cannot be completed.

--
Arno Garrels

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
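The three-certificate case from the message above, plus the command from the first post, as an added example that is not part of the original thread. It builds a throwaway chain and runs `openssl verify` four ways; `Intermediate.pem`, `AllIssuers.pem`, `demo.cnf` and the subject names are assumptions made up for the demo.

```sh
#!/bin/sh
# Added example: constructed three-level chain (all names are made up for this demo).
set -eu
cd "$(mktemp -d)"

# Minimal config so the run does not depend on a system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

new_csr() {  # $1 = file stem, $2 = subject CN
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# #1 Root CA: self-signed, the only certificate in TrustedCA.pem.
openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -subj "/CN=Demo Root CA" -days 30 -out TrustedCA.pem 2>/dev/null
# #2 Intermediate CA signed by #1, kept out of TrustedCA.pem.
new_csr inter "Demo Intermediate CA"
openssl x509 -req -in inter.csr -CA TrustedCA.pem -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions ca_ext -days 30 -out Intermediate.pem 2>/dev/null
# #3 Server certificate signed by #2.
new_csr server "server.demo.invalid"
openssl x509 -req -in server.csr -CA Intermediate.pem -CAkey inter.key -CAcreateserial \
    -days 30 -out MyServerCert.pem 2>/dev/null
# Variant matching the first post: every issuer cert sits in the trusted file.
cat TrustedCA.pem Intermediate.pem > AllIssuers.pem

# Succeeds only when openssl prints "MyServerCert.pem: OK" for the given options.
chain_ok() {
    openssl verify "$@" MyServerCert.pem 2>/dev/null | grep -q '^MyServerCert.pem: OK$'
}

report() { if chain_ok "$@"; then echo "OK    $*"; else echo "FAIL  $*"; fi; }
report -CAfile TrustedCA.pem                               # #2 missing: chain incomplete
report -CAfile TrustedCA.pem -untrusted Intermediate.pem   # #2 supplied as chain material
report -untrusted Intermediate.pem                         # no trust anchor at all
report -CAfile AllIssuers.pem -untrusted MyServerCert.pem  # the first post's command
```

The last case passes because the chain is already complete from the trusted file; the `-untrusted` file is only consulted as a pool of candidate issuers and never acts as a trust anchor.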
Re: [twsocket] OpenSsl Verify bug?
RTT wrote:
> And you are sure the MyServerCert.pem is not, by mistake, self
> signed.

Very sure.

--
Arno Garrels
Re: [twsocket] OpenSsl Verify bug?
Arno Garrels wrote:
> RTT wrote:
>>> Hi,
>>>
>>> What do you think about this verify result?
>>> D:\>openssl verify -CAfile TrustedCA.pem -untrusted MyServerCert.pem MyServerCert.pem
>>> MyServerCert.pem: OK
>>>
>>> TrustedCA.pem contains the issuer certs of MyServerCert.pem.
>>
>> If the TrustedCA.pem file contains the root CA, what happens if you add
>> the -purpose option?
>
> When -purpose isn't specified it defaults to "any". When I set, for example, "sslserver" it makes no difference. Seems like the untrusted certificates are ignored, same happens in my Delphi code as well.

Just referenced that because the help says that "Without this option no chain verification will be done" so just testing to check if something in the code is being bypassed (i.e. checking list of untrusted certs) because of that.

And you are sure the MyServerCert.pem is not, by mistake, self signed.
Re: [twsocket] OpenSsl Verify bug?
RTT wrote:
>> Hi,
>>
>> What do you think about this verify result?
>> D:\>openssl verify -CAfile TrustedCA.pem -untrusted MyServerCert.pem MyServerCert.pem
>> MyServerCert.pem: OK
>>
>> TrustedCA.pem contains the issuer certs of MyServerCert.pem.
>>
>
> If the TrustedCA.pem file contains the root CA, what happens if you add
> the -purpose option?

When -purpose isn't specified it defaults to "any". When I set, for example, "sslserver" it makes no difference. Seems like the untrusted certificates are ignored, same happens in my Delphi code as well.

--
Arno Garrels
Re: [twsocket] OpenSsl Verify bug?
> Hi,
>
> What do you think about this verify result?
> D:\>openssl verify -CAfile TrustedCA.pem -untrusted MyServerCert.pem MyServerCert.pem
> MyServerCert.pem: OK
>
> TrustedCA.pem contains the issuer certs of MyServerCert.pem.

If the TrustedCA.pem file contains the root CA, what happens if you add the -purpose option?