Self-signed certificates are good for one thing, at least: They ensure that subsequent transactions are with the same entity (the same keypair is used), even if no other piece of data in the certificate is trustworthy.
There is a callback that you can set for the "trust verification" function, as the third parameter to SSL_[CTX_]set_verify(). See the man page for it for details.

-Kyle H

On 2/2/06, Alain Damiral <[EMAIL PROTECTED]> wrote:
> For which reasons do you want to accept self signed certificates ?... I
> do not understand why deactivating client authentication as Konark
> suggested wouldn't be good enough.
>
> Samy Thiyagarajan wrote:
>
> > Thanks konark.
> >
> > When I initialize my ctx I call the following functions..
> > # SSL_CTX_set_verify() with option SSL_VERIFY_PEER |
> > SSL_VERIFY_FAIL_IF_NO_PEER_CERT
> > # SSL_CTX_set_client_CA_list( ctx, cafile)
> >
> > things are fine when the client requests a connection with a
> > certificate signed by one of the listed CAs (in the cafile)
> >
> > For some reasons I also wish to accept self signed certs( user needs
> > to decide to accept or not ).
> > So when a client comes up with a self signed cert , the server reports
> > ' unknown ca ' error. I understand that this is b'coz it is not signed
> > by trusted CA. All I want to know is what needs to be done on server
> > side to accept the self signed.
> >
> > I really appreciate any kind of assistance.
> >
> > Thanks
> > Samy
>
> --
> Alain Damiral
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________