I created these certificates based on chapter 5 of "Network Security with 
OpenSSL". The client certificate is signed with the root CA, and that in turn 
is the only item in the trusted store (root.pem). Why would this not work? Here 
is a partial listing of the root CA:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            a0:8a:9b:89:f8:0e:2c:e6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=example CA, ST=Washington, C=US/[EMAIL PROTECTED], O=Root Certification Authority
        Validity
            Not Before: Apr 26 16:25:24 2005 GMT
            Not After : May 26 16:25:24 2005 GMT
        Subject: CN=example CA, ST=Washington, C=US/[EMAIL PROTECTED], O=Root Certification Authority

______________________________

John Hoel
Product Author

Skywire Software
2401 Internet Blvd., Suite 201
Frisco, Texas 75034
(972)377-1110 main
(425)396-4687 direct
[EMAIL PROTECTED]

www.skywiresoftware.com


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, April 26, 2005 10:42 AM
To: openssl-users@openssl.org
Subject: Re: FW: openssl verify conflicts with SSL_connect


On Tue, Apr 26, 2005, John Hoel wrote:

> I've made extensive changes to how I generate certificates. Here is a partial 
> listing of the revised client certificate:
> 
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number:
>             ed:db:89:05:53:74:2b:55
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=example CA, ST=Washington, C=US/[EMAIL PROTECTED], O=Root Certification Authority
>         Validity
>             Not Before: Apr 26 17:00:30 2005 GMT
>             Not After : May 26 17:00:30 2005 GMT
>         Subject: CN=john, ST=WA, C=US/[EMAIL PROTECTED], O=iWave Testing
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
> 
> This doesn't look like a self signed certificate to me, and 'openssl verify' 
> reports 'OK'. And yet, when this same certificate is passed to SSL_connect(), 
> openssl throws the following errors:
> 
> error 18: self signed certificate.
> Certificate issuer: /CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing.
> Certificate subject: /CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing. 
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed: 
> file '.\ssl\s3_clnt.c'  line 844. 
> 
> Can anyone see how this could happen?
> 

It's not complaining about that certificate but the CA certificate that issued
it. That should be included in the trusted store.

Also, it's a deprecated V1 certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
