Hi, see below for 2 follow up questions, as a few key details are
missing from your mail
On 5/31/2012 4:01 PM, Jack Trades wrote:
I am in the process of learning SSL programming. I am developing
simple SSL server and client apps that are both being tested on the
same Windows machine. The problem comes during the SSL handshake -
the client is rejecting the server certificate with the following error:
-Error with certificate at depth: 1
issuer = /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
subject = /C=US/ST=VA/L=Fairfax/O=Zork.org/OU=Server Division/CN=Server CA
err 24:invalid CA certificate
** Main.c:70 Error connecting SSL object
3080:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:.\ssl\s3_clnt.c:1166:
Question 1: What list of trusted CAs did you pass to the SSL code, and
was your Zork root CA on that list?
I created the following certificates:
Create the root CA
>openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
>openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey
rootkey.pem -out rootcert.pem
>type rootcert.pem rootkey.pem > root.pem
>openssl x509 -subject -issuer -noout -in root.pem
subject= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
issuer= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
Question 2: What are the other fields in rootcert.pem, as displayed by
openssl x509 -in rootcert.pem -noout -purpose -text
One of the other fields may be wrong (such as not being marked as a CA,
being marked to expire yesterday, etc.).
Create the server CA and sign it with the root CA
>openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out
serverCAreq.pem
>openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA
root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
>type serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
>openssl x509 -subject -issuer -noout -in serverCA.pem
subject= /C=US/ST=VA/L=Fairfax/O=Zork.org/OU=Server Division/CN=Server CA
issuer= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
Create the server's certificate and sign it with the server CA
>openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out
serverreq.pem
>openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA
serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
>type servercert.pem serverkey.pem serverCAcert.pem rootcert.pem >
server.pem
>openssl x509 -subject -issuer -noout -in server.pem
subject= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=splat.zork.org
issuer= /C=US/ST=VA/L=Fairfax/O=Zork.org/OU=Server Division/CN=Server CA
Create the client certificate and sign it with the root CA
>openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out
clientreq.pem
>openssl x509 -req -in clientreq.pem -sha1 -extensions usr_cert -CA
root.pem -CAkey root.pem -CAcreateserial -out clientcert.pem
>type clientcert.pem clientkey.pem rootcert.pem > client.pem
>openssl x509 -subject -issuer -noout -in client.pem
subject= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=shell.zork.org
issuer= /C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA
Create the dh512.pem dh1024.pem
>openssl dhparam -check -text -5 512 -out dh512.pem
>openssl dhparam -check -text -5 1024 -out dh1024.pem
Can someone please let me know if I am configuring the certificates
wrong? I am developing on a Windows XP machine using MSVS C++ 2010
Express with OpenSSL (version 1.0.1c). I am testing locally with IP=localhost and port=16001.
Thanks.
--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
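One way to run the two checks asked for above, as an added example that is not code from the thread: it rebuilds the Zork.org chain on a Unix shell with the CA extensions written out in an explicit -extfile, issues the Server CA once as a real CA and once without the CA flag, and lets openssl verify show which copy produces "error 24 at 1 depth" (the client's "invalid CA certificate"). It assumes only that the openssl CLI is on PATH; all file names and the ext.cnf contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds the Zork.org chain on a
# Unix shell with the CA extensions written explicitly, then runs the two
# checks asked for above. Assumes the openssl CLI is on PATH.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Constructed extension file. -extfile makes the section source explicit;
# OpenSSL 1.0.x x509 -req adds no extensions at all when -extfile is absent.
cat > ext.cnf <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[usr_cert]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
[not_ca]
basicConstraints = CA:FALSE
EOF
ROOT="/C=US/ST=VA/L=Fairfax/O=Zork.org/CN=Root CA"
SCA="/C=US/ST=VA/L=Fairfax/O=Zork.org/OU=Server Division/CN=Server CA"
SRV="/C=US/ST=VA/L=Fairfax/O=Zork.org/CN=splat.zork.org"
q() { "$@" >/dev/null 2>&1; }   # run quietly; set -e still aborts on failure
# Root CA: self-signed and marked CA:TRUE
q openssl req -batch -newkey rsa:2048 -nodes -keyout rootkey.pem -subj "$ROOT" -out rootreq.pem
q openssl x509 -req -days 365 -in rootreq.pem -extfile ext.cnf -extensions v3_ca \
    -signkey rootkey.pem -out rootcert.pem
# Server CA, issued twice from one request: once as a CA, once without the CA flag
q openssl req -batch -newkey rsa:2048 -nodes -keyout scakey.pem -subj "$SCA" -out scareq.pem
q openssl x509 -req -days 365 -in scareq.pem -extfile ext.cnf -extensions v3_ca \
    -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out sca_good.pem
q openssl x509 -req -days 365 -in scareq.pem -extfile ext.cnf -extensions not_ca \
    -CA rootcert.pem -CAkey rootkey.pem -CAcreateserial -out sca_bad.pem
# Server certificate signed with the Server CA key (chains to either copy)
q openssl req -batch -newkey rsa:2048 -nodes -keyout serverkey.pem -subj "$SRV" -out serverreq.pem
q openssl x509 -req -days 365 -in serverreq.pem -extfile ext.cnf -extensions usr_cert \
    -CA sca_good.pem -CAkey scakey.pem -CAcreateserial -out servercert.pem
# Question 2: is the certificate actually marked as a CA?
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# Question 1: trust only the root, offer $1 as the untrusted intermediate.
# Prints the "error N at D depth" fragment on failure, nothing on success.
chain_error() {
    openssl verify -CAfile rootcert.pem -untrusted "$1" servercert.pem 2>&1 \
        | grep -o 'error [0-9]* at [0-9]* depth' || true
}
for sca in sca_good.pem sca_bad.pem; do
    echo "$sca: $(is_ca "$sca" && echo CA:TRUE || echo not-a-CA); verify: $(chain_error "$sca")"
done
```

The sca_bad.pem run reproduces the client's failure at depth 1 even though the signature on the Server CA is perfectly valid, which is why the root's trust list and the intermediate's basicConstraints are the first two things to look at.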