Hello linuxguy

Our product is a client and it asks the server for certificates. The server sends the certificates, which the client tries to authenticate using its CA certificates. This is the point when the client fails to authenticate the certificates received from the server and generates a fatal alarm whose value is bad_certificate.

As you have mentioned, the client needs to know about the certificate file, CA-certificate path, etc. For doing all this, we are making use of the OpenSSL APIs -

SSL_CTX_use_certificate_file
SSL_CTX_use_PrivateKey_file
SSL_CTX_load_verify_locations
SSL_CTX_set_verify
SSL_CTX_set_cipher_list
etc.

and we create the SSL_CTX structure. Using this SSL_CTX structure we are creating an SSL structure at the time of TLS connection establishment.
The most amazing part here is that the certificates present with the client and the server are the same set. So, there should not be any invalid/incorrect certificate problem. Moreover, the Solaris port of our product with the same set of certificates works absolutely fine, i.e. there are no certificate authentication errors.

Any pointers?

Thanks.

Anil Kumar Chaudhury
Senior Software Engineer
Hughes Software Systems
Bangalore - 560 001
Phone: (080) 2867921 Extn: 7605
www.hssworld.com




"linux guy" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 09/10/03 11:55 AM
Please respond to: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Open-SSL - Vxworks port

Hello akchaudhury, I just finished one SSL-supported web server under VxWorks (ppc603), and I don't know much about TLS.

Your configure command to generate the Makefile for you to make libcrypto.a & libssl.a with is (almost) right.

Since the error prompt is BAD CERTIFICATE, if your product is a server one, you need to provide the client one correct CERTIFICATE (self-signed or CA signed).

The sslconfig is one structure used by our SSL server; it includes several options such as the SSL methods it supports, whether the client certificate is needed, the path of the CERTIFICATE file, the path of the private key file and so on, which are all needed when the SSL server runs.

btw: our web server provides a self-signed certificate.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
