Hi Gregoire!

Sorry for the late response - I was at the Openser Summit.

Regarding your problem: openser uses SSL_CTX_load_verify_locations(..) to load the CA. As the docs say (http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html) all the CAs in this file will be used:

...
If CAfile is not NULL, it points to a file of CA certificates in PEM format. The file can contain several CA certificates identified by

 -----BEGIN CERTIFICATE-----
 ... (CA certificate in base64 encoding) ...
 -----END CERTIFICATE-----

sequences. Before, between, and after the certificates text is allowed which can be used e.g. for descriptions of the certificates.
...
Thus, it should work out of the box. I will try it myself.

regards
klaus

Gregoire wrote:
Hi!
When a single CA is in the file, there is no problem. But when I put
multiple CAs, only the first one is taken. OpenSER doesn't care about
the others.

Greg
Klaus Darilion wrote:

Hi Greg!

I have not tested this, but from reading the openssl docs I had the
feeling that all the CAs in the ca-file will be used.

Is the CA the only one in the ca-file or are there multiple CAs in the
ca-file? Can you try whether it works when using only a single CA in the
ca-file?

regards
klaus


On Sun, November 5, 2006 20:39, Gregoire said:
Hi everybody!

I am using OpenSER 1.1 with TLS.
I have generated the client and server certificates with the scripts
gen_rootCA.sh and gen_usercert.sh.
Everything works fine, but I have generated a certificate for my UA with
another CA and I have added this CA to the file user-cacert.pem.
When I try to connect with my UA, OpenSER logs an error like:

"tls_error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca"

My file user-cacert.pem looks like:
-------BEGIN CERTIFICATE------
MAOIposio.....
--------END CERTIFICATE--------
-------BEGIN CERTIFICATE------
MJ809il......
--------END CERTIFICATE--------

I think that OpenSER takes only the first CA certificate and not all the
following ones.

Does someone have some experience with that case?

Regards

Greg

_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
--
Klaus Darilion
nic.at


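As an added example that is not part of this thread (it is neither OpenSER's code nor anything the list members posted), the behaviour Klaus quotes from the OpenSSL docs can be checked from the shell with the openssl CLI: build two constructed test CAs, write them into one user-cacert.pem with descriptive text between the blocks, issue a UA certificate from the second CA only, and verify it against the bundle and against the first CA alone. The file names, subject names, the private req config and its extension values are assumptions of this example. The marker check is there because OpenSSL's PEM reader recognises only the exact five-dash `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines and silently skips anything else, so counting well-formed blocks tells you how many CAs a bundle really contains before you blame the loader.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSER: build two test
# CAs, bundle them into one user-cacert.pem and show that a UA certificate
# issued by the *second* CA verifies against the bundle. File names, subject
# names and the extension values below are constructed for this example.
set -eu

# Count well-formed PEM certificate blocks. OpenSSL's PEM reader recognises
# only the exact five-dash marker; a block with any other marker is skipped.
count_pem_certs() {
    grep -c -e '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# List BEGIN/END lines that are not the exact PEM markers; returns 1 if any.
check_pem_markers() {
    bad=$(grep -n -e 'BEGIN CERTIFICATE' -e 'END CERTIFICATE' "$1" \
          | grep -v -e ':-----BEGIN CERTIFICATE-----$' \
                    -e ':-----END CERTIFICATE-----$' || true)
    if [ -n "$bad" ]; then
        printf 'malformed PEM markers in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
}

# Minimal req config so the example does not depend on the system openssl.cnf.
# x509_extensions marks the self-signed certs as CAs, which verification needs.
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
CN = placeholder (overridden by -subj)
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create CA 1 and CA 2, the two-CA bundle, and a UA cert issued by CA 2 in $1.
make_test_pki() {
    dir=$1
    write_req_config "$dir/req.cnf"
    for n in 1 2; do
        openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
            -days 1 -subj "/CN=Test Root CA $n" \
            -keyout "$dir/ca$n.key" -out "$dir/ca$n.pem" 2>/dev/null
    done
    # Several CA certificates in one file, with descriptive text between
    # them: exactly what the quoted SSL_CTX_load_verify_locations() docs allow.
    {
        echo 'CA that issued the server certificate (constructed)'
        cat "$dir/ca1.pem"
        echo 'CA that issued the UA certificate (constructed)'
        cat "$dir/ca2.pem"
    } > "$dir/user-cacert.pem"
    # UA key and CSR, signed by CA 2 only.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=ua.example.invalid' \
        -keyout "$dir/ua.key" -out "$dir/ua.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ua.csr" -CA "$dir/ca2.pem" -CAkey "$dir/ca2.key" \
        -set_serial 1000 -days 1 -out "$dir/ua.pem" 2>/dev/null
}

# Return 0 when certificate $2 chains to a CA in bundle $1, non-zero otherwise.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir"
    echo "CA certificates in user-cacert.pem: $(count_pem_certs "$dir/user-cacert.pem")"
    check_pem_markers "$dir/user-cacert.pem"
    verify_against "$dir/user-cacert.pem" "$dir/ua.pem" \
        && echo "UA certificate verifies against the two-CA bundle"
    verify_against "$dir/ca1.pem" "$dir/ua.pem" \
        || echo "UA certificate does not verify against ca1.pem alone (issuer unknown)"
    rm -rf "$dir"
}
demo
```

Running it prints a count of 2 and shows the UA certificate passing against the bundle but failing against ca1.pem alone; in that failing case `openssl verify` reports "unable to get local issuer certificate", which is the same condition a TLS server turns into the "unknown ca" alert seen in the log line quoted above. Pointing `count_pem_certs` and `check_pem_markers` at a real user-cacert.pem is a quick way to confirm that every CA block in it is in a form the PEM reader will actually pick up.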
