> The important question is, "who signed the certificate you created?"
>
> Typically, the certificate is signed by a trusted Certificate
> Authority (CA), where "trusted" means that your browser has the CA's
> root certificate in its list of trusted CAs. Look at your browser.
> There are probably 10-20 root CA certificates.
>
> The hacker can't create exactly the same certificate since the CA
> won't sign it.
I used the HowTo I found via Google: http://makeashorterlink.com/?G54413D19

So I signed the certificate by myself (openssl ca ...).

I think I just found out that I need SSL_CTX_load_verify_locations (with my cacert.pem) and SSL_get_verify_result for what I want, but I keep getting the error X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY from SSL_get_verify_result. SSL_CTX_load_verify_locations does not fail. Here is the part of my code:

----------
mpSSLCertificate = SSL_get_peer_certificate(mpSSL);
[...]   // ::connect, SSL-connect, ...
if (mpSSLCertificate != NULL) {
    SSL_CTX_set_options(mpSSLContext, SSL_VERIFY_PEER);
    if (SSL_CTX_load_verify_locations(mpSSLContext, "./cacert.pem", NULL) == 1) {
        int verifyResult = SSL_get_verify_result(mpSSL);
        if (verifyResult == X509_V_OK) {
            [...]
        } else {
            [...]   // ***** I always get X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        }
    } else {
        [...]
    }
    X509_free(mpSSLCertificate);
} else {
    [...]
}
----------

If I use the command-line openssl

    openssl verify cacert.pem

I don't get this error but X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, which sounds OK as it is a self-signed certificate.

So:

1) How can I get rid of X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY? What am I missing (as you might have seen, I am very new to SSL and sockets)?

2) What do I have to do to get X509_V_OK instead of X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT?

Ciao and bye,
(:Clemens:)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
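The two results in the post (error 20, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, for the server certificate, and error 18, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, for `openssl verify cacert.pem`) are both the verifier saying the same thing: the chain ends in a certificate that is not in the trust store. The script below is an added example, not part of Clemens's post or of the OpenSSL project; it assumes only that the `openssl` command-line tool (1.1.1 or 3.x) is on PATH. It builds a throw-away CA plus a CA-signed server certificate as constructed test data, then shows how each of the four combinations of "certificate being verified" and "trust store contents" comes out, and why both of the post's errors turn into X509_V_OK once cacert.pem is supplied as the trust anchor.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenSSL project).
# Assumes the `openssl` CLI (1.1.1 or 3.x) is on PATH. Everything it
# creates is constructed test data in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create cacert.pem (a self-signed CA, the role the HowTo's `openssl ca`
# setup plays) and server.pem, a leaf certificate signed by that CA.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj "/CN=Example Test CA" \
      -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=localhost" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -set_serial 1 \
      -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" \
      -out "$WORK/server.pem" 2>/dev/null
}

# verify_code CERT [CAFILE]
# Runs `openssl verify` (with CAFILE as the trust store when given) and
# prints the numeric X509_V_* result, using the values from
# openssl/x509_vfy.h: 0 = X509_V_OK,
# 18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
# 20 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.
verify_code() {
  cert=$1
  cafile=${2:-}
  if [ -n "$cafile" ]; then
    set -- -CAfile "$cafile" "$cert"
  else
    set -- "$cert"
  fi
  if out=$(openssl verify "$@" 2>&1); then
    echo 0
    return 0
  fi
  # On failure openssl prints a line such as
  # "error 20 at 0 depth lookup: unable to get local issuer certificate";
  # keep only the error number so callers can compare it.
  printf '%s\n' "$out" \
    | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
    | head -n 1
}

make_test_pki

# Same situation as the post's C code: the server cert is presented, but
# its issuer (cacert.pem) is not in the trust store -> 20.
echo "server.pem, no trust anchor        : $(verify_code "$WORK/server.pem")"
# Same as `openssl verify cacert.pem` in the post: a self-signed cert
# that nobody trusts yet -> 18.
echo "cacert.pem, no trust anchor        : $(verify_code "$WORK/cacert.pem")"
# The fix for both: make cacert.pem the trust anchor -> 0 (X509_V_OK).
echo "server.pem, -CAfile cacert.pem     : $(verify_code "$WORK/server.pem" "$WORK/cacert.pem")"
echo "cacert.pem, -CAfile cacert.pem     : $(verify_code "$WORK/cacert.pem" "$WORK/cacert.pem")"
```

The same logic applies to the C code in the post, with one extra wrinkle: the chain is verified during the handshake, and SSL_get_verify_result() only reports the result that was stored then. So the trust anchor has to be installed with SSL_CTX_load_verify_locations() and verification switched on with SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL) before SSL_connect(); calling them afterwards, as the posted snippet does, cannot change a result that has already been computed. Note also that SSL_VERIFY_PEER is an argument for SSL_CTX_set_verify(), not for SSL_CTX_set_options(), which takes SSL_OP_* flags. And for question 2, the self-signed cacert.pem gets X509_V_OK only when that certificate itself is in the trust store, which is exactly what `-CAfile cacert.pem` does on the command line and SSL_CTX_load_verify_locations() does in code.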