>From: owner-openssl-us...@openssl.org On Behalf Of Harald Latzko
>Sent: Thursday, 02 August, 2012 03:03

><snip> self-signed certificate as attached to this mail (can be retrieved
>from the TLS server 87.236.105.37:6619). My TLS client uses the
>following options:
>SSL_CTX_load_verify_locations(ctx, NULL, tls_root_certpath)
<snip>

Aside: it's a good thing you gave the server, because Outlook (which we use)
blocks *.cer. I wish it didn't, but it does.

> The server certificate is trusted in a directory where trusted certificates
>reside. In my application, a connect try ends with the following error:

Is the server cert in the directory named by tls_root_certpath *with a
hashlink (or hashname)*? For the correct major version of OpenSSL?
(hashes for 1.0.0+ are different from 0.9.8)

>certificate verify error 20: unable to get local issuer certificate:
<snip>
>My opinion is that the self-signed certificate has the X509v3 basic constraint
>CA flag set to "false":
<snip>
>A connect via "openssl s_client" also fails with
<snip: verify error 21>

You show only the last part (resulting SSL-Session). I got as the first
thing (except DN trimmed for posting):

CONNECTED(00000003)
depth=0 emailAddress = deiningermichae...@johndeere.com, ...
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 emailAddress = deiningermichae...@johndeere.com, ...
verify error:num=21:unable to verify the first certificate
verify return:1

Note that you get error=20 first, and only after s_client overrides
(which your app presumably doesn't) then you get error=21.
Error=20 means it didn't find the cert in the truststore. As above,
check it is in the directory with the correct hash. Errors in cert
attributes (like BC) give other error codes.

>Is my assumption correct that the "CA"-flag must be set to "true"
>in order to work as a self-signed server certificate? I don't want
>to change my verify_callback function just in order to get it work
>(which could be easy). Conformity should be the first goal.

No.
CA:true, and (usually) KeyUsage:certSign, are required IF a cert (often,
but not necessarily, selfsigned) is used to issue *other* (child) certs.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
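As an added example, not part of the thread, here is the check the reply asks for, done with the openssl command line: a self-signed server certificate with CA:FALSE is generated, then verified first against an empty CApath directory and then against one where it has been installed under its subject-hash name. Assumptions: a hypothetical CN, a scratch directory, and an openssl binary of 1.0.0 or later (so `-subject_hash` produces the hash that `-CApath` looks up); the exact error number printed on the failing run depends on the OpenSSL version and on the certificate's KeyUsage extension, so only pass/fail is checked.

```shell
#!/bin/sh
# Added example (not the thread's own commands). Shows that a self-signed
# server cert with basicConstraints CA:FALSE verifies fine once it sits in
# the CApath directory under its <subject_hash>.0 name, and fails otherwise.
set -eu

WORK=$(mktemp -d)                      # scratch dir, removed on exit
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/selfsigned.cnf"

# Constructed config for a self-signed leaf: CA:FALSE, serverAuth EKU.
# KeyUsage is deliberately omitted: a KeyUsage lacking keyCertSign would make
# older OpenSSL refuse to treat the cert as its own issuer (error 20).
cat > "$CONF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_leaf
prompt = no
[dn]
CN = example-tls-server
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$CONF" \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1

# verify_with_capath DIR: verify server.crt as a TLS server cert against DIR,
# printing openssl's verdict ("...: OK" or the error lines) and never aborting.
verify_with_capath() {
  openssl verify -CApath "$1" -purpose sslserver "$WORK/server.crt" 2>&1 || true
}

# 1) Empty trust directory: no trust anchor can be found -> verification fails.
EMPTY="$WORK/empty"; mkdir -p "$EMPTY"
RESULT_NOLINK=$(verify_with_capath "$EMPTY")

# 2) Hashed trust directory: install the cert as <subject_hash>.0, exactly what
#    c_rehash would do, and the same cert now verifies with CA:FALSE untouched.
HASHED="$WORK/hashed"; mkdir -p "$HASHED"
HASH=$(openssl x509 -noout -subject_hash -in "$WORK/server.crt")
cp "$WORK/server.crt" "$HASHED/$HASH.0"
RESULT_LINK=$(verify_with_capath "$HASHED")

printf 'without hash link: %s\n' "$RESULT_NOLINK"
printf 'with hash link:    %s\n' "$RESULT_LINK"
```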