After another round of changes to the certificates I created, I ran s_client 
and s_server. Here are the scripts:

openssl s_client -cert c:/ca/client/client.pem -CApath c:/ca/trusted

openssl s_server -cert c:/ca/server/server.pem -CApath c:/ca/trusted -state


The files in c:/ca/trusted are root.pem and serverCA.pem.

s_client did not like these certificates. Here are the errors it threw:

[C:/CA/chapter5] s_client
Loading 'screen' into random state - done
Enter PEM pass phrase:
CONNECTED(00000770)
depth=0 /CN=server/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing Server
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=server/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing Server
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=server/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing Server
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=server/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing Server
   i:/CN=serverca/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing Server
---

(certificate listed here)

subject=/CN=server/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing Server
issuer=/CN=serverca/ST=WA/C=US/[EMAIL PROTECTED]/O=iWave Testing Server
---
No client certificate CA names sent
---


Here is a partial listing of client.pem:

Issuer: CN=example CA, ST=Washington, C=US/[EMAIL PROTECTED], O=Root 
Certification Authority
Subject: CN=serverca, ST=WA, C=US/[EMAIL PROTECTED], O=iWave Testing

Here is a partial listing of serverCA.pem:

Issuer: CN=example CA, ST=Washington, C=US/[EMAIL PROTECTED], O=Root 
Certification Authority
Subject: CN=serverca, ST=WA, C=US/[EMAIL PROTECTED], O=iWave Testing



I don't understand the problem. Why does this not work?


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Thursday, April 28, 2005 3:57 PM
To: openssl-users@openssl.org
Subject: Re: FW: openssl verify conflicts with SSL_connect


On Thu, Apr 28, 2005, John Hoel wrote:

> I have been doing that all along. That's what is so exasperating - following 
> instructions doesn't seem to help. (arghh! head banging). That's the 2nd 
> function argument. 3rd argument is NULL (not using CAdir).
> 
> The file passed to SSL_CTX_use_certificate_chain_file() is client.pem. 
> 
> BTW - I tried testing with s_client and got the following error (self signed 
> certificate):
> 
[snip]

Well, one problem is that the issuer name and subject name of your server
certificate are identical. That's taken to be a "self-signed certificate", well,
at least for V1 certificates.

Make sure you don't give the same field values in the server certificate and
the root CA.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]

NO RELIANCE:  This e-mail will be of no force of effect and will not be binding 
unless a hard copy of this e-mail, signed by an authorized official of the 
company, has been sent to the recipient of this message.

CONFIDENTIAL AND/OR PROPRIETARY:  Information contained in this transmission is 
intended for the use of the individual or entity named above and may contain 
legally proprietary or confidential information. If the reader of this message 
is not the intended recipient, you are hereby notified that any dissemination, 
distribution or copy of this communication is strictly prohibited. If you have 
received this communication in error, please permanently delete this message 
and immediately notify us by telephone at 972-377-1110.
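Added example, not from either poster: a POSIX shell script (it assumes an
openssl binary on PATH; every directory name, file name and DN in it is made up
for the illustration) that builds a root -> serverCA -> server chain in which
each certificate has its own subject, as Steve recommends, stages root.pem and
serverCA.pem in a trusted directory like the one in the thread, and then runs
openssl verify against that directory with -CApath. It also shows one thing the
thread does not spell out: a -CApath directory is searched by <subject-hash>.N
file names, so a directory of plain .pem files that has not been hashed (with
c_rehash or openssl rehash) reports error 20, the same code s_client printed
first above, and the identical chain verifies once the directory is hashed.

```shell
#!/bin/sh
# Added example (not the poster's files): build a root -> serverCA -> server
# chain in which every subject differs from its issuer, then verify server.pem
# against a -CApath directory exactly as s_client -CApath would look it up.
# All names, DNs and paths below are illustrative.
set -e

# Build the three certificates under $1 and stage root.pem and serverCA.pem
# in $1/trusted, mirroring the CApath layout from the thread.
build_pki() {
    dir=$1
    mkdir -p "$dir/trusted"

    # Root CA: self-signed, CA:TRUE, with a subject key identifier so the next
    # tier can point at it by key id and not only by name.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj "/C=US/ST=WA/O=Example Org/CN=Example Root CA" 2>/dev/null
    printf '%s\n' "basicConstraints=critical,CA:TRUE" \
        "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" > "$dir/root.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/root.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate CA: its own subject, CA:TRUE with pathlen:0, AKID -> root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/serverCA.key" \
        -out "$dir/serverCA.csr" -subj "/C=US/ST=WA/O=Example Org/CN=Example Server CA" 2>/dev/null
    printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
        "keyUsage=critical,keyCertSign,cRLSign" \
        "subjectKeyIdentifier=hash" \
        "authorityKeyIdentifier=keyid" > "$dir/serverCA.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/serverCA.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/serverCA.ext" \
        -out "$dir/serverCA.pem" 2>/dev/null

    # Server certificate: CA:FALSE, serverAuth, a SAN, and again its own subject.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/C=US/ST=WA/O=Example Org/CN=server.example.test" 2>/dev/null
    printf '%s\n' "basicConstraints=CA:FALSE" \
        "keyUsage=critical,digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=DNS:server.example.test" \
        "subjectKeyIdentifier=hash" \
        "authorityKeyIdentifier=keyid" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 30 -in "$dir/server.csr" -CA "$dir/serverCA.pem" \
        -CAkey "$dir/serverCA.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null

    cp "$dir/root.pem" "$dir/serverCA.pem" "$dir/trusted/"
}

# What c_rehash / "openssl rehash" do: a -CApath directory is searched by
# <subject-hash>.N, so files kept only under their plain names are never found.
hash_dir() {
    dir=$1
    for f in "$dir"/*.pem; do
        h=$(openssl x509 -noout -hash -in "$f")
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        cp "$f" "$dir/$h.$n"      # rehash would symlink; a copy works as well
    done
}

# Print "OK", or "error N" for the first verification error; N is the same
# code s_client shows as "verify error:num=N".
verify_status() {
    out=$(openssl verify -CApath "$1/trusted" "$1/server.pem" 2>&1) || true
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1
    fi
}

# Subject and issuer of each certificate: no two subjects coincide, and only
# the root has subject == issuer.
show_names() {
    for name in root serverCA server; do
        echo "== $name.pem"
        openssl x509 -noout -subject -issuer -in "$1/$name.pem"
    done
}

work=$(mktemp -d)
build_pki "$work"
show_names "$work"
echo "unhashed CApath: $(verify_status "$work")"   # error 20
hash_dir "$work/trusted"
echo "hashed CApath:   $(verify_status "$work")"   # OK
```

openssl verify -CApath and s_client -CApath use the same X509_STORE hashed-directory
lookup, so a chain that verifies here will verify during the handshake too; the
hash_dir function is only a portable stand-in for c_rehash so the script runs
without it.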

