I have been doing that all along. That's what is so exasperating - following
insructions doesn't seem to help. (arghh! head banging). That's the 2nd
function argument. 3rd argument is NULL (not using CAdir).
The file passed to SSL_CTX_use_certificate_chain_file() is client.pem.
BTW - I tried testing with s_client and got the following error (self signed
certificate):
openssl s_client -cert c:/ca/chapter5/client.pem \
-CAfile c:/ca/chapter5/root.pem
[C:/CA/chapter5] s_client
Loading 'screen' into random state - done
Enter PEM pass phrase:
CONNECTED(00000770)
depth=0 /CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing
verify error:num=7:certificate signature failure
verify return:1
depth=0 /CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing
verify return:1
---
Certificate chain
0 s:/CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing
i:/CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICPzCCAagCCQCce7fgZxZaajANBgkqhkiG9w0BAQUFADBkMQ0wCwYDVQQDEwRq
b2huMQswCQYDVQQIEwJXQTELMAkGA1UEBhMCVVMxITAfBgkqhkiG9w0BCQEWEm5v
Ym9keUBub3doZXJlLmNvbTEWMBQGA1UEChMNaVdhdmUgVGVzdGluZzAeFw0wNTA0
MjYxNjU3MTBaFw0wNTA1MjYxNjU3MTBaMGQxDTALBgNVBAMTBGpvaG4xCzAJBgNV
BAgTAldBMQswCQYDVQQGEwJVUzEhMB8GCSqGSIb3DQEJARYSbm9ib2R5QG5vd2hl
cmUuY29tMRYwFAYDVQQKEw1pV2F2ZSBUZXN0aW5nMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQC4vM5GqVTkDbwr3JBYSdpMPf2Wd2gvfpe8bT0MvnWlcMyMeCmb
LLuk1jRVnHdIpCjN2PSYm9F7B/pKizckFLI9a3xrciwtULq3Y8qX0xpZgDCRdFo4
fW1Acfxo7dxjh2W9iodBGq+xeDhUVNloNKgWzWDVO9KTeOb06DqSTPMU0QIDAQAB
MA0GCSqGSIb3DQEBBQUAA4GBAH5I4V9KOpiJKY6lyZWGcYlQDyWRdx8j3SIiAAGM
k6M/qnmsfdfCFpmeCXs7vS1SjEH0Lt3rUhaM7yXP6M0vD9LrBld8hh/oRI+eNltd
4KZ67oy2OUDQT8m/MxmYA0zc5Aecl8Uh6xC/ZW54K6SqG1TAIPVftHgmGrJYXGfY
fEvf
-----END CERTIFICATE-----
subject=/CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing
issuer=/CN=john/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing
---
No client certificate CA names sent
---
SSL handshake has read 1015 bytes and written 282 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 077A3A67E61455B33E4D6DC12A8207785978FB9AF6C507B8C357FBE3FC067D30
Session-ID-ctx:
Master-Key: CC32FE3DFD88BA329BC2EC5BC7D9EB203961A3DD20C1A630C1011CBFFDD33FEF
3A218395CB8456EB79EDE286B93441A7
Key-Arg : None
Start Time: 1114724486
Timeout : 300 (sec)
Verify return code: 7 (certificate signature failure)
---
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Thursday, April 28, 2005 1:08 PM
To: [email protected]
Subject: Re: FW: openssl verify conflicts with SSL_connect
On Thu, Apr 28, 2005, John Hoel wrote:
> To include it in the trusted store, I think I will need to hash it and the
> 'root.pem' file as well. I haven't been able to find anything describing how
> this is done. Can you refer me to something?
>
You just keep root.pem as it is and pass it in the CAfile option to
SSL_CTX_load_verify_locations().
Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
NO RELIANCE: This e-mail will be of no force of effect and will not be binding
unless a hard copy of this e-mail, signed by an authorized official of the
company, has been sent to the recipient of this message.
CONFIDENTIAL AND/OR PROPRIETARY: Information contained in this transmission is
intended for the use of the individual or entity named above and may contain
legally proprietary or confidential information. If the reader of this message
is not the intended recipient, you are hereby notified that any dissemination,
distribution or copy of this communication is strictly prohibited. If you have
received this communication in error, please permanently delete this message
and immediately notify us by telephone at 972-377-1110.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
