Once you locate the certs you need, you have to use
SSL_load_verify_locations.
You could create a PEM file and put your cert and the issuer cert into it, so
you can pass this file as an argument to the function mentioned before...

----- Original Message -----
From: "Dr S N Henson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, August 18, 2001 1:32 AM
Subject: Re: where to get trusted certificates


> Jürgen Nagler wrote:
> >
> > Hi all,
> >
> > everything I have done before with ssl worked out of a box (telnet with
> > ssl, https-pages viewed with Netscape, imaps with Messenger). But now I
> > have a client program using the c-client library which is capable of ssl
> > by openssl.
> >
> > Using the mtest program of c-client to connect via imaps to my
> > mailserver at university I get
> >
> > > %unable to get local issuer certificate:
> > > /C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > > ?Can't establish SSL session to imap.rz.uni-ulm.de/imaps,993
> >
> > After many hours searching and the output of 'openssl c_client -connect
> > imap.rz.uni-ulm.de:993'
> >
> > > depth=0 /C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > > verify error:num=20:unable to get local issuer certificate
> > > verify return:1
> > > depth=0 /C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > > verify error:num=27:certificate not trusted
> > > verify return:1
> > > depth=0 /C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > > verify error:num=21:unable to verify the first certificate
> > > verify return:1
> > > ---
> > > Certificate chain
> > >  0 s:/C=DE/ST=Baden-Wuerttemberg/L=Ulm/O=Universitaet
> > > Ulm/OU=Universitaetsrechenzentrum/CN=imap.rz.uni-ulm.de
> > >    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> > > cc/OU=Certification Services
> > > Division/CN=Thawte Server [EMAIL PROTECTED]
> > > ---
> >
> > I am sure the error is the missing trusted certificate of
> > "/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
> > cc/OU=Certification Services Division/CN=Thawte Server
> > [EMAIL PROTECTED]".
> >
> > But how/where can I obtain it, and how does it have to be integrated? I
> > searched over 3 hours and haven't found any information about it. And if
> > this is not possible, how can I start SSL secured connections to my
> > university server without it?
> >
>
> There are a few standard root certificates (which is what you need here)
> in the 'certs' directory of the OpenSSL distribution. It looks like the
> one you want is thawteCb.pem. How you add this to your application's
> trusted store varies, typically you'll either place it in a directory or
> add/create a file. There's info in the man pages showing how to do this
> for s_client.
>
> Steve.
> --
> Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
> Personal Email: [EMAIL PROTECTED]
> Senior crypto engineer, Celo Communications: http://www.celocom.com/
> Core developer of the   OpenSSL project: http://www.openssl.org/
> Business Email: [EMAIL PROTECTED] PGP key: via homepage.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
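
The failure and the fix discussed in this thread, reproduced offline as an added example (not code from either poster or from the OpenSSL project). It assumes the `openssl` command-line tool is installed and uses `openssl verify -CAfile` as the command-line counterpart of loading a trusted PEM file; every certificate, subject name and file name is constructed for the demo.

```shell
#!/bin/sh
# Reproduce "unable to get local issuer certificate" (verify error 20) and
# clear it by adding the issuer certificate to the trusted PEM file.
# All subjects, keys and files below are constructed throwaway demo values.
set -e
DEMO_DIR=$(mktemp -d)

# Create a self-signed root certificate: $1 = file prefix, $2 = subject CN.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}

# Create a server certificate signed by the "issuer" root made above.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=imap.example.test" \
        -keyout "$DEMO_DIR/server.key" -out "$DEMO_DIR/server.csr" 2>/dev/null
    openssl x509 -req -in "$DEMO_DIR/server.csr" -days 2 \
        -CA "$DEMO_DIR/issuer.pem" -CAkey "$DEMO_DIR/issuer.key" \
        -set_serial 1 -out "$DEMO_DIR/server.pem" 2>/dev/null
}

# Verify the server certificate using PEM file $1 as the trusted file and
# print openssl's verdict. The exit status of "openssl verify" differs
# between releases, so callers match on the printed text instead.
verify_with() {
    openssl verify -CAfile "$1" "$DEMO_DIR/server.pem" 2>&1 || true
}

make_root issuer "Demo Issuing Root"
make_root other "Unrelated Root"
make_server_cert

# Trusted file that lacks the issuer: the situation in the original question.
cp "$DEMO_DIR/other.pem" "$DEMO_DIR/trusted-before.pem"
# Trusted file with the issuer certificate appended: the suggested fix.
cat "$DEMO_DIR/other.pem" "$DEMO_DIR/issuer.pem" > "$DEMO_DIR/trusted-after.pem"

echo "before: $(verify_with "$DEMO_DIR/trusted-before.pem")"
echo "after:  $(verify_with "$DEMO_DIR/trusted-after.pem")"
```

A PEM trust file is a plain concatenation of certificates, so appending the issuer to an existing file is enough; the verifier picks whichever entry matches the certificate's issuer name.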
