> -----Original Message-----
> From: sanjay reddy gogula [mailto:[EMAIL PROTECTED]]
> Sent: Monday, May 22, 2000 7:56 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: error set to X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
>
> Hi All,
>
> I am facing strange problems in authentication of server certificate.
>
> I have stored the certificate (the same one which I have installed on
> the server) in a file (certificate is PEM format).

Wrong. See below.

> I have loaded this certificate using:
>
> if ((!SSL_CTX_load_verify_locations(ssl_ctx, CAfile, CApath)) ||
>     (!SSL_CTX_set_default_verify_paths(ssl_ctx)))
> {
>     // Error
> }
>
> In the call back function verify_callback(), when
> X509_STORE_CTX_get_error() is used to get the error condition, error
> case that is indicated is
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
> I could not understand the problem?

This is because the library is unable to get the issuer cert locally.

What SSL_CTX_set_verify() does is to get ready to verify the *signature* of
the peer's cert. In order to do that verification, you need the cert of the
*issuer* of the peer's cert. Which is why the args to
SSL_CTX_load_verify_locations() refer to "CAfile" and "CApath." That's
"Certificate Authority file" and "Certificate Authority path."

Get a copy of the PEM formatted CA cert from the *signer* of your server
cert and use that instead. It should work.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
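An added example, not part of the original thread or of OpenSSL's own code: the same check reproduced with the `openssl` command line instead of the C API, using a throwaway CA and server certificate constructed for the demo (all names, file names and the helper functions are assumptions). Trusting the server's own certificate gives error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; trusting the issuer's certificate verifies.

```shell
#!/bin/sh
# Constructed demo PKI: "Demo Test CA" and "server.example" are made-up names.

# make_pki DIR: write ca.pem (self-signed CA) and server.pem (signed by that CA).
make_pki() {
    d=$1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -extensions v3_ca -subj "/CN=Demo Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=server.example" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -days 2 -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.pem" 2>/dev/null
}

# verify_result CAFILE CERT: print "ok", or name the error the library reports.
verify_result() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
    case $out in
        *"unable to get local issuer certificate"*)   # verify error 20
            echo X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ;;
        *)  echo "other: $out" ;;
    esac
}

demo_dir=$(mktemp -d) && make_pki "$demo_dir" && {
    # What the original poster did: the trust file holds the server's own cert.
    echo "CAfile=server.pem: $(verify_result "$demo_dir/server.pem" "$demo_dir/server.pem")"
    # What the reply recommends: the trust file holds the issuer's (CA) cert.
    echo "CAfile=ca.pem:     $(verify_result "$demo_dir/ca.pem" "$demo_dir/server.pem")"
}
rm -rf "$demo_dir"
```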