Dude Dave Thompson...thanks a ton for your reply!! you saved my day...i was
so frustrated trying to verify 2 different certificates with the same
subject and the issuer. Thanks a million for your reply!! :jumping:
Dave Thompson-5 wrote:
>
>> From: owner-openssl-us...@openssl.org On Behalf Of cschwaderer
>> Sent: Wednesday, 19 May, 2010 18:50
>
>> I'm having a problem with an OpenSSL client and server
>> application I wrote.
>> Client 1 uses certificate A and client 2 uses certificate B.
>>
>> I create a CA file on the server that contains A followed by
>> B. In this c
>> ase, client 1 works correctly and client 2 does not. If I
>> change the CA file
>> such that the file contains B followed by A, now client 2
>> works correctly
>> and client 1 does not.
>>
> Are the client certs self-signed, or do you mean the clients
> have (entity) certs *signed* by A and B respectively?
>
> If the latter, are A and B for the same CA, in particular
> the same subject-name? If so, do the child certs use AKID?
> If not, openssl won't be able to chain correctly. It only
> looks for one parent, and doesn't handle ambiguous cases.
>
> Alternatively, do selfsigned=entity A and B have the same
> (subject and issuer) name? That would be bogus, and not work.
>
> Exactly what error(s) do you get? See below.
>
>> I don't know if this is a problem on the server or the
>> client. My first
>> thought is that it's a server problem and for some reason
>> it's only using
>> the first certificate in the CA file (but I'm using the
>> SSL_CTX_set_client_CA_list() call).
>>
>> It could be something I'm not doing on the client side where
>> when the server
>> sends the CAs to the client, maybe it's only looking at the first
>> certificate and not seeing its certificate?
>>
> The client never sees the *certs* accepted by the server.
> The server optionally sends a list of CA/signer *names*,
> which some clients like IE and FF use to choose among multiple
> own certs. But openssl client just sends what was specified.
> (Unless there's a callback for this I haven't noticed.)
> So if you control both ends _set_client_CA_list is useless.
>
>> Here is the server code block:
> <most snipped>
>
>> // Store the cert file name and path
>> if (strlen(sslCertFile) > sizeof(rpdCertFile)) {
>> throw new SSLServerError("Server cert file path
>> too large!",
>> -1);
>> }
>> strcpy(rpdCertFile, sslCertFile);
>>
> Nit: this (and two more like it) isn't actually safe. strcpy(d,s)
> copies strlen(s) bytes PLUS the null-byte terminator, so you need
> to check strlen()+1 > sizeof, or more trickily strlen() >= sizeof.
> But it is extremely unlikely this relates to your current problem.
>
>> if ((err = SSL_CTX_set_cipher_list(ctx,
>> SRVR_CIPHER_LIST) != 1)) {
>> MESSAGE("***Error %d setting cipher list", err);
>> SSL_CTX_free(ctx);
>> throw new SSLServerError("Error setting cipher
>> list", err);
>> }
>>
> And many more like it: most openssl routines return only a summary
> success/failure, either outright as 1/0 or maybe 1/0/-few, or
> implicitly as pointer/null. In most cases, there is more detailed
> and useful information in the "error stack", and you should display it.
> The simplest way is just call ERR_print_errors_fp, usually on stderr.
> If you want to rework it into some other logging/reporting scheme,
> which it appears you may have, use ERR_get_error (in a loop until
> zero!), ERR_error_string, and friends. The major exception is
> protocol routines (SSL_connect,accept,read,write,etc) which fail
> due to the underlying socket I/O, or are nonblocking and not
> currently ready/done/etc (which is not really an error).
>
>> // Set the list of trusted CAs based on the file
>> and/or directory
>> // provided. The NULL is the CA directory if the
>> caller wishes to
>> // separate the file name from the directory path.
> This comment is very confused. _load_verify_locations can
> specify a file (including path) which contains multiple certs;
> or a directory (including path) which contains multiple *files*
> with symlinks from their (subject) hashes, each containing a cert.
> These are different formats, although serving the same purpose.
>
>> DBG("SSLSrvr: Trusted CAs file we're using is [%s]",
>> rpdCAFile);
>> if (SSL_CTX_load_verify_locations(ctx, rpdCAFile, NULL) < 1) {
>> MESSAGE("***ERROR verifying CA file/dir location
>> [%s][%s]",
>> rpdCAFile, NULL);
>> SSL_CTX_free(ctx);
>> throw new SSLServerError("Error verifying CA
>> locations", errno);
>> }
>>
> You're not "verifying CA locations", you're specifying the location(s)
> of CA cert(s) which will be used to verify the peer (here client).
>
> If your MESSAGE() is a *printf wrapper or otherwise (sufficiently)
> *printf like, giving %s a NULL pointer is NOT safe. *Some* C
> libraries (notably at least some versions of glibc) are nice about
> this common error, but some aren't.
>
>> // Load the list of acceptable CAs to send to the
>> client when the
>> // SSL connection request comes in from the SSL client.
> This comment on the other hand is exactly right.
>
> You don't show the actual connection logic.
> Or any detail about the actual errors/problems.
>
> Server code equivalent to yours (simplified some) plus obvious
> connection logic, against s_client for convenience, works for me.
>
> One basic thing: When you put both/multiple certs in one file,
> you DO preserve the PEM format (BEGIN and END lines), right?
>
>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
>
--
View this message in context:
http://old.nabble.com/CA-file-with-multiple-certificates%2C-only-the-1st-one-in-the-file-works-tp28615249p33763432.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
