Hello! I have a simple webserver running HTTPS. It works fine with Navigator, which leads me to believe that the problem is on my client side.
To init the SSL_CTX I do:

    /* NOTE(review): a capath directory is searched by file names of the
     * form <subject-hash>.<n> (first entry <hash>.0). The link created by
     * the ln -s command further down ends in .pem, so it is not matched by
     * this lookup. */
    if (SSL_CTX_load_verify_locations(*ssl_ctx, cafile, capath) == 0) { }
    if(SSL_CTX_use_certificate_file(*ssl_ctx, certfile, SSL_FILETYPE_PEM) == 0) { }
    if (SSL_CTX_use_PrivateKey_file(*ssl_ctx, keyfile, SSL_FILETYPE_PEM) == 0) { }
    if (SSL_CTX_check_private_key(*ssl_ctx) == 0) { }
    if (SSL_CTX_set_session_id_context(*ssl_ctx, NET_SESSION_ID_CONTEXT, strlen(NET_SESSION_ID_CONTEXT)) == 0) { }
    if (SSL_CTX_set_default_verify_paths(*ssl_ctx) == 0) { }
    /* NOTE(review): with SSL_VERIFY_NONE as the context default, any SSL
     * object created from this context that does not override the mode
     * completes the handshake without rejecting an unverifiable peer
     * certificate. */
    SSL_CTX_set_verify(*ssl_ctx, SSL_VERIFY_NONE, NULL);

Then to init the client side ssl I do:

    ssl = SSL_new(ssl_ctx);
    if (ssl == NULL) { }
    /* Override setting from ssl_ctx created in NET_ssl_ctx_new. Verify the client peer. */
    /* NOTE(review): on a client, SSL_VERIFY_PEER makes the handshake fail
     * when the server certificate does not verify. SSL_VERIFY_CLIENT_ONCE
     * is a server-side flag and is ignored in client mode. */
    SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
    if (SSL_set_fd(ssl, fd) == 0) { }
    /* TODO: This can be improved to handle the case SSL_connect(ssl) == 1 nicely */
    /* NOTE(review): SSL_connect() returns 1 only for a completed handshake.
     * A return of 0 is also a failure, and the `< 0` test lets it fall
     * through to the certificate checks below. */
    if (SSL_connect(ssl) < 0) { }
    /* NOTE(review): in this client the peer certificate is the server's.
     * The returned X509 is a reference the caller releases with
     * X509_free(). */
    *client_cert = SSL_get_peer_certificate(ssl);
    if (*client_cert == NULL) { }
    /* NOTE(review): X509_V_OK reports chain validation only. Nothing shown
     * here compares the certificate's subject with the expected server
     * name. */
    res = SSL_get_verify_result(ssl);
    if (res != X509_V_OK) { }

at SSL_connect I get

    025207:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:769:

but I have verified that capath=..../ssl/ca and that it holds files constructed using the following:

    openssl req -config ${MIX_HOME}/ssl/openssl.cnf -new -x509 -keyout $MIX_HOME/ssl/key${MY_ID}.pem -out ${MIX_HOME}/ssl/cert${MY_ID}.pem -nodes
    cp ${MIX_HOME}/ssl/cert${MY_ID}.pem ${MIX_HOME}/ssl/ca
    HASHNAME=$(openssl x509 -hash -noout -in ${MIX_HOME}/ssl/ca/cert${MY_ID}.pem)
    ln -s ${MIX_HOME}/ssl/ca/cert${MY_ID}.pem ${MIX_HOME}/ssl/ca/$HASHNAME.pem

Can anybody see where the problem lies.

/Douglas

--
------------------------------------------------------
Douglas Wikström <[EMAIL PROTECTED]>
------------------------------------------------------
Yes, God created Man before Woman, but one always makes a draft before the masterpiece.