On Thu, Nov 25, 2004, Frédéric PAILLETTE wrote:
> Florin Angelescu wrote:
>
> >Hello,
> >I have built OpenLDAP with OpenSSL support,
> >and when a client tries to connect I get:
> >
> >TLS certificate verification: depth: 1, err: 19,
> >subject:
> >/C=BE/ST=BELGIUM/L=BRUSSELS/O=CAAMI_CA/OU=CCI/CN=CAAMI_CA/[EMAIL PROTECTED],
> >issuer:
> >/C=BE/ST=BELGIUM/L=BRUSSELS/O=CAAMI_CA/OU=CCI/CN=CAAMI_CA/[EMAIL PROTECTED]
> >TLS certificate verification: Error, self signed certificate in
> >certificate chain
> >tls_write: want=7, written=7
> > 0000: 15 03 01 00 02 02 30 ......0
> >TLS trace: SSL3 alert write:fatal:unknown CA
> >
> >Any tips?
> >
> >Thank you
>
> The CA is unknown, so use SSL_CTX_load_verify_locations() to add the CA
> certificate to the trusted CAs,
> or ignore this parameter in the callback function called during
> certificate verification.
> Look at http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
> and http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
>
> If it is not clear enough, email me.
Overriding that error in the verify callback is not advisable for anything other than testing purposes, because then OpenSSL will accept any CA as valid. This leaves it open to man-in-the-middle attacks.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
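As an added example (not part of the thread), the script below reproduces the "err: 19, self signed certificate in certificate chain" failure from the log with a constructed throw-away CA and then clears it by trusting that CA, which is what SSL_CTX_load_verify_locations() does for a client built on the API. It assumes only the openssl command-line tool; the CA name, server name and temporary files are all constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce X509 verify error 19 with a
# constructed throw-away CA, then clear it by trusting the CA instead of
# ignoring the error. Assumes the openssl command-line tool is installed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA (self-signed, like CAAMI_CA in the thread) plus a server
# certificate issued by it. Neither is in the system trust store.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=BE/O=EXAMPLE_CA/CN=EXAMPLE_CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=BE/O=EXAMPLE/CN=ldap.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Verify the server certificate as a client would: the CA certificate is
# present in the presented chain (-untrusted) but only trusted when $1 names
# a CA file. Prints the X509 verify error number (the "err:" value in the
# OpenLDAP log; 0 means verified) and always returns 0.
verify_server() {
    if [ -n "$1" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$WORK/ca.pem" "$WORK/server.pem" 2>&1) \
            && { echo 0; return 0; }
    else
        out=$(openssl verify -untrusted "$WORK/ca.pem" "$WORK/server.pem" 2>&1) \
            && { echo 0; return 0; }
    fi
    # openssl verify reports failures as "error <n> at <depth> depth lookup: ..."
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    echo "${code:-255}"
}

make_chain || { echo "certificate generation failed" >&2; exit 1; }
echo "CA not trusted           : err $(verify_server '')"              # err 19
echo "CA added to trusted CAs  : err $(verify_server "$WORK/ca.pem")"  # err 0
```

The first call fails at depth 1 with error 19 exactly as in the slapd log, because the top of the chain is self-signed and unknown; the second succeeds because the CA is now in the trust store, with verification still enforced.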