On Tue, Sep 05, 2000 at 02:35:05PM -0400, [EMAIL PROTECTED] wrote:
> but I got these message:
> 
> verify error:num=20:unable to get local issuer certificate
> 
> verify error:num=27:certificate not trusted
> 
> verify error:num=21:unable to verify the first certificate
> 
> How can I verify the client certificate?

You don't verify it, openssl already does it for you :-)
At the time the callback was called, openssl (the x509 verify code to be
more precise) already performed the verify and it met 3 errors. With these
3 errors your callback was called and it had to decide what to do:
return "1" to continue the connection, return "0" to immediately shut down.
For a certificate to be verified "X509_V_OK", no verify error must be
found. In your case, the peer did not send the CA certificate together
with its own certificate and the certificate itself is not in your list
of "trusted" CAs (which wouldn't make too much sense for a self signed
certificate anyway).

To solve your problems:
- Make sure the client sends the certificate of the CA that issued the client
  certificate together with the client certificate.
  For this to work either add the CA to the CAfile (see below) or use the
  SSL_CTX_use_certificate_chain_file() function.
- Add the CA certificate to your list of trusted CAs (check the -CAfile and
  -CApath options to s_server.c to see how this is done).

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]