Evan,
The third parameter to SSL_CTX_load_verify_locations() does not do what
you think. If you have one file with your root CA certificate, make that
filename the second parameter and leave the third NULL, as in
SSL_CTX_load_verify_locations(ctx, CERT_FILE, NULL)
and see if that works any better.
_____________________________________
Greg Stark
Ethentica, Inc.
[EMAIL PROTECTED]
_____________________________________
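As an added illustration of the point above (example code, not from the original thread): Python's ssl module wraps the same SSL_CTX_load_verify_locations(CAfile, CApath) call, so it can show what each slot accepts. The inputs are constructed, an empty file standing in for CERT_FILE and an empty directory, and the function names are my own.

```python
import os
import ssl
import tempfile


def new_client_context() -> ssl.SSLContext:
    # PROTOCOL_TLS_CLIENT requires peer verification but loads no system CA
    # bundle, so cert_store_stats() starts at zero.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def load_root_ca(ctx: ssl.SSLContext, location: str) -> int:
    """Greg's rule as code: a PEM file goes in the CAfile slot, a c_rehash'd
    directory in the CApath slot. Returns the number of CA certs in the store."""
    if os.path.isdir(location):
        ctx.load_verify_locations(cafile=None, capath=location)
    else:
        ctx.load_verify_locations(cafile=location, capath=None)
    return ctx.cert_store_stats()["x509_ca"]


def try_load(ctx, **slots):
    """Call load_verify_locations with explicit slots; report whether the call
    itself failed and how many CA certs ended up in the store."""
    try:
        ctx.load_verify_locations(**slots)
        error = None
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        error = str(exc)
    return {"error": error, "x509_ca": ctx.cert_store_stats()["x509_ca"]}


def demo():
    """Constructed inputs: an empty file standing in for CERT_FILE (no
    certificate inside) and an empty directory with no hashed links."""
    with tempfile.TemporaryDirectory() as capath:
        cert_file = os.path.join(capath, "rootca.pem")
        open(cert_file, "w").close()
        return {
            # File in the CAfile slot: a file with no usable cert fails at
            # load time, which is where you want to find out.
            "file_in_cafile": try_load(new_client_context(), cafile=cert_file, capath=None),
            # The quoted client code's call: the file in the CApath slot.
            # OpenSSL only records the path string, so this succeeds and the
            # problem surfaces later as "unable to get local issuer certificate".
            "file_in_capath": try_load(new_client_context(), cafile=None, capath=cert_file),
            # A directory is accepted too, but without c_rehash links it is empty.
            "helper_on_dir": load_root_ca(new_client_context(), capath),
        }
```

The silent case is the one to watch for: the load call reports success, and the first visible symptom is the verify error on the handshake.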
----- Original Message -----
From: "Evan Cross" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, January 31, 2001 7:33 PM
Subject: server Certificate verification help!
> OK, I'm still having problems with verifying the server's
> certificate on the client side.
>
> Here's what I have so far.
>
> I created two certificates with openssl: first one for my CA,
> which I self-signed, then the second for my server.
>
> the server certificate is what is sent to my client for
> verification.
>
> I have tried to load a copy of the Root CA's certificate so
> that the server cert is verified against it.
>
> I used the same verify_callback function as found in the
> SSL_CTX_set_verify man page and I keep getting "unable to
> locate issuer certificate" as an error until it drops out on
> the SSL_get_verify_result(ssl) error check.
>
> I've also had problems with SSL_CTX_load_verify_locations.
> This is when I have just specified the directory that
> contains the certs and nulled the next field for the
> certificate name. I was under the impression that it loaded
> any .pem file in that directory.
>
> Test code-wise, on the client I have the following:
> ssl = SSL_new(ctx);
> CHK_NULL(ssl);
> SSL_set_fd(ssl, sd);
>
> if (!SSL_CTX_set_default_verify_paths(ctx)) {
>     fprintf(stderr, "error loading the verification environment[1]\n");
>     // exit(0);
> }
> if (!SSL_CTX_load_verify_locations(ctx, NULL, CERT_FILE)) {
>     fprintf(stderr, "error loading the verification environment[2]\n");
>     // exit(0);
> }
>
> mydata_index = SSL_get_ex_new_index(0, "mydata_index", NULL, NULL, NULL);
> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, verify_callback);
> SSL_CTX_set_verify_depth(ctx, verify_depth + 1);
>
> mydata.verify_depth = verify_depth;
> SSL_set_ex_data(ssl, mydata_index, &mydata);
>
> // after setting cipher suites and then connecting
>
> server_cert = SSL_get_peer_certificate(ssl);
> CHK_NULL(server_cert);
> if (SSL_get_verify_result(ssl) != X509_V_OK) {
>     fprintf(stderr, "[Peer Certificate Verification Error]\n");
>     exit(1);
> }
>
> // remaining code
>
> I really need some help on this. I know that I've missed
> something; I'm just hoping you guys can fill in the blanks or
> point out my screw-ups!
>
> Cheers guys!!!
>
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]