Hi,

I'm a newbie with SSL/TLS protocol and hoping someone can enlighten me
on a few things.

My understanding of the TLS protocol is the following:
During a session establishment a server always transmits its
certificate to the client, and the client must validate the
certificate.
Therefore, if the server is using a self-signed certificate, the
certificate must be made available to the client prior to the actual
session establishment attempt.

I tried to test this using OpenSSL s_client connecting to a web server
whose certificate is self-signed. I didn't import the server certificate
into the client prior to testing this.
Therefore, I expected the session establishment would fail, as the client
had no trusted certificate to verify the server certificate.
However, s_client seemed to successfully establish a session to the server.

What am I missing here?
Doesn't the client need the server's self-signed certificate to validate the
transmitted certificate?
Or is there a setting that allows accepting a self-signed certificate?

Thank you in advance,
Lucy
A snippet of the output from s_client is at the bottom of the page.

-----------------------------------
CONNECTED(00000003)
depth=0 /C=au/ST=test/O=test/OU=test/CN=test
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=au/ST=test/O=test/OU=test/CN=test
verify return:1
---
Certificate chain
 0 s:/C=au/ST=test/O=test/OU=test/CN=test
   i:/C=au/ST=test/O=test/OU=test/CN=test
---
Server certificate
[output deleted]
subject=/C=au/ST=test/O=test/OU=test/CN=test
issuer=/C=au/ST=test/O=test/OU=test/CN=test
---
No client certificate CA names sent
---
SSL handshake has read 672 bytes and written 252 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID:
[output deleted]
    Verify return code: 18 (self signed certificate)
---
[output of http get deleted]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
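The transcript above shows s_client's default behaviour: it prints the verification error (num=18), continues the handshake anyway, and records the outcome only in the "Verify return code" line, so a script that checks just the exit status or the "CONNECTED" line sees a success. As an added example that is not part of the original post, the shell helper below extracts that code from s_client output so anything other than 0 is treated as a failed verification; the host name and CA file path in the usage comment are placeholders, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: s_client completes the handshake even when verification
# fails; the result is only reported in the "Verify return code" line.
# Usage against a live server (host and CA file path are placeholders):
#   openssl s_client -connect example.test:443 -CAfile server.pem \
#       -verify_return_error </dev/null | check_verified
# -CAfile supplies the self-signed certificate as the trust anchor, and
# -verify_return_error makes s_client abort the handshake on a
# verification failure instead of continuing as the transcript shows.

# Print the numeric verify return code found in s_client output on stdin.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Return 0 only if the output on stdin shows a successful verification:
# 1 for a non-zero code, 2 if no result line was present at all.
check_verified() {
    code=$(verify_code)
    if [ -z "$code" ]; then
        echo "no verify result found (handshake probably failed)" >&2
        return 2
    fi
    if [ "$code" -ne 0 ]; then
        echo "certificate verification failed: code $code" >&2
        return 1
    fi
    return 0
}

# Constructed samples, abbreviated from the kind of output shown above.
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 /C=au/ST=test/O=test/OU=test/CN=test
verify error:num=18:self signed certificate
verify return:1
---
    Verify return code: 18 (self signed certificate)
---'

SAMPLE_OK='CONNECTED(00000003)
---
    Verify return code: 0 (ok)
---'
```

Piping a real s_client run through check_verified gives a usable exit status for scripts; with -CAfile pointing at the server's own self-signed certificate the code becomes 0.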
