Dave,

Here's how it works as far as I understand: when the server wants to verify the client, it sends to the client the CAs that it accepts. And only if the client has certificates that are signed with the mentioned CAs are they sent back to the server for verification purposes. The CAs that are sent from the server are defined in CAfile (not in CApath). So you need to specify them in order to get it to work.

I hope this helps.

Regards,
Ari Pirinen

------------------ Original message ---------------------

I've been running some tests with the s_server app (OpenSSL 0.9.5). It's set to demand client authentication with the -Verify option, and I'm pointing to a directory of CAs using the -CApath parameter.

Now, when a client (s_client, Netscape or IE) connects and offers a certificate that is signed by a CA that the server does not have a copy of, the connection is dropped with error 'X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY' (defined as 20), and has a text message of "unable to get local issuer certificate".

I completely understand *why* s_server is reporting this error, and I know that I could take a copy of the client CA's certificate, and put it into the directory specified by -CApath, but is there a way to get the client process to include the CA certificate, i.e. send the complete certificate chain, not just the client's certificate only (and therefore changing the error to "self signed certificate in chain")?

Hope that's clearer than mud. I did trawl the mailing list, but couldn't find an answer for this.

TIA - Dave.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
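The CAfile/CApath difference described in the reply can be checked from the client side, because s_client reports which CA names arrived in the server's certificate request. This is an added example, not part of the original thread; the ports, temporary paths and subject names are constructed, and the `-www` and `-prexit` flags are choices made here so that the server does not read stdin and the client prints its report even if the handshake is rejected.

```shell
#!/bin/sh
# Added example. Ports, paths and subject names below are constructed.

# Create a throwaway CA cert, a server cert, and a hashed CA directory.
setup_pki() {
    d=$1
    mkdir -p "$d/capath"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Client CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$d/srv.key" -out "$d/srv.pem" 2>/dev/null
    # -CApath looks certificates up by subject-hash file name (<hash>.0).
    h=$(openssl x509 -noout -hash -in "$d/ca.pem")
    cp "$d/ca.pem" "$d/capath/$h.0"
}

# probe DIR PORT <trust option> <value>
# Starts s_server demanding a client certificate, connects without one,
# and prints "sent" or "none" depending on what the client was told.
probe() {
    d=$1; port=$2; shift 2
    openssl s_server -accept "$port" -cert "$d/srv.pem" -key "$d/srv.key" \
        -www -Verify 1 "$@" >/dev/null 2>&1 &
    pid=$!
    sleep 1   # give the server time to bind
    out=$(openssl s_client -connect "127.0.0.1:$port" -prexit </dev/null 2>&1) || true
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    case $out in
        *"Acceptable client certificate CA names"*) echo sent ;;
        *"No client certificate CA names sent"*)    echo none ;;
        *)                                          echo unknown ;;
    esac
}

# Run both configurations against the same CA and report the outcome.
demo() {
    dir=$(mktemp -d)
    setup_pki "$dir"
    a=$(probe "$dir" 14433 -CAfile "$dir/ca.pem")
    b=$(probe "$dir" 14434 -CApath "$dir/capath")
    rm -rf "$dir"
    echo "CAfile=$a CApath=$b"
}
```

Calling `demo` prints one line summarising both runs; a browser that receives no CA names has nothing to filter its certificate choices against, which is why the CAfile setting matters for client selection as well as for verification.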