On Wed, Jan 16, 2002 at 05:31:21PM +0100, Douglas Wikström wrote:
> /* Override setting from ssl_ctx created in NET_ssl_ctx_new.
>    Verify the client peer. */
> SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);

This should be on the client, shouldn't it? Therefore SSL_VERIFY_CLIENT_ONCE
does not make sense in this context. (Shouldn't hurt, though.)

> if (SSL_connect(ssl) < 0) {
> }

Ok, SSL_VERIFY_PEER enforces all verification errors to be enforced, thus
SSL_connect() will result in hard failure, as shown below. You will never
reach the SSL_get_verify_result() below.

> *client_cert = SSL_get_peer_certificate(ssl);
> if (*client_cert == NULL) {
> }
> res = SSL_get_verify_result(ssl);
> if (res != X509_V_OK) {
> }
>
> at SSL_connect I get
> 025207:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:769:

You have two options:
1. Don't set SSL_VERIFY_PEER and check the result of SSL_get_verify_result() later.
2. Implement a verify_callback() that will print out all reasons for verification failure.
I recommend option 2.

> but I have verified that capath=..../ssl/ca and that it holds files
> constructed using the following:
>
> openssl req -config ${MIX_HOME}/ssl/openssl.cnf -new -x509 -keyout
> $MIX_HOME/ssl/key${MY_ID}.pem -out ${MIX_HOME}/ssl/cert${MY_ID}.pem
> -nodes

Hmm. This shall result in self-signed certificates??? Do they pass the
"openssl verify" test?

Best regards,
	Lutz
--
Lutz Jaenicke
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
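The "openssl verify" check asked about above, as an added example that is not part of the original thread: it generates self-signed certificates the way the quoted openssl req command does, and shows that a CApath directory (the same lookup SSL_CTX_load_verify_locations uses for the client's SSL_VERIFY_PEER check) is only searched by subject-hash file names, which is what c_rehash creates. It assumes the openssl CLI is on PATH; all paths and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): CApath needs hash-named entries.
set -eu

WORK=$(mktemp -d)          # constructed scratch directory
CAPATH="$WORK/ca"
mkdir -p "$CAPATH"
trap 'rm -rf "$WORK"' EXIT

# Self-signed cert + key, no passphrase, like the quoted openssl req call.
# Subject names are constructed for the demo.
make_self_signed() {
    id=$1
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 7 \
        -subj "/CN=mix${id}.example" \
        -keyout "$WORK/key${id}.pem" -out "$WORK/cert${id}.pem" 2>/dev/null
}

# CApath lookup is by subject-name hash: <hash>.0, <hash>.1, ...
# Copying cert${ID}.pem into the directory is not enough; this is the
# step c_rehash performs for every certificate in the directory.
install_ca() {
    cert=$1
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=0
    while [ -e "$CAPATH/$hash.$n" ]; do n=$((n + 1)); done
    cp "$cert" "$CAPATH/$hash.$n"
}

# Exit status 0 if the certificate chains to a trusted entry in CApath.
verify_against_capath() {
    openssl verify -CApath "$CAPATH" "$1" >/dev/null 2>&1
}

make_self_signed 1
make_self_signed 2

# Without the hash names the self-signed cert is not found in the store,
# so verification fails even though the PEM file exists (before=1).
verify_against_capath "$WORK/cert1.pem" && before=0 || before=1

install_ca "$WORK/cert1.pem"
install_ca "$WORK/cert2.pem"

# Once it is trusted under its hash name, the same cert verifies (after=0).
verify_against_capath "$WORK/cert1.pem" && after=0 || after=1
echo "before rehash: $before, after rehash: $after"
```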