> From: owner-openssl-us...@openssl.org On Behalf Of CharlesTSR
> Sent: Friday, 10 August, 2012 16:48
> Please bear with me; I'm a real SSL newbie. I am attempting to develop my
> first SSL program, an SSL/TLS client that will communicate with a commercial
> SSL server product (Kiwi Server) that is running on a VM on my system.
>
> Kiwi *only* accepts IIS-issued certificates. I issued a certificate using
> IIS 7.5 Manager "Issue Self-Signed Certificate." Windows 7 says "This
> certificate is OK."
>
> My client follows the general scheme of the client in Chapter 5 of the
> O'Reilly OpenSSL book. I know I am getting the certificate back correctly from
> the server because the FQDN in the certificate is correct.
>
> But if I turn on SSL_CTX_set_verify(SslCtx, SSL_VERIFY_PEER, NULL) in my
> client then SSL_connect(SslObj) fails with
> 8140:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:.\ssl\s3_clnt.c:1166:
>
> In my context setup I am doing SSL_CTX_load_verify_locations(SslCtx, "path
> of IIS certificate in PEM format", NULL) and
> SSL_CTX_set_default_verify_paths(SslCtx) with no error. Obviously that is
> incorrect or insufficient.
>

If you call load_verify_locations and subsequently call
set_default_verify_paths, the later call overrides and (only) the default
file and/or directory are used. If you don't have the server self-signed cert
there -- and for Windows, depending on the build, the default(s) may not
even exist or be writable -- nothing will verify.

Use just load_verify_locations.
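The trust setup recommended in the reply above (the server's self-signed certificate as the only verify location), reproduced with the openssl command-line tool as an added example that is not part of the original message. The host names, file names and function names are constructed, and `-CAfile` stands in for the file argument of SSL_CTX_load_verify_locations.

```shell
#!/bin/sh
# Added example: subjects, host names and paths below are constructed.

# make_self_signed DIR NAME: write DIR/NAME.crt and DIR/NAME.key,
# a throwaway self-signed pair valid for one day.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# verify_with_trust TRUSTFILE CERT: succeed only if CERT verifies against
# the certificates in TRUSTFILE (the CLI analogue of passing TRUSTFILE as
# the file argument of SSL_CTX_load_verify_locations).
verify_with_trust() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# trust_demo: run both cases, print one line each, return 0 if both
# behave as expected.
trust_demo() {
    dir=$(mktemp -d) || return 2
    make_self_signed "$dir" kiwi.example.test || { rm -rf "$dir"; return 2; }
    make_self_signed "$dir" other.example.test || { rm -rf "$dir"; return 2; }
    srv="$dir/kiwi.example.test.crt"
    rc=0

    # Case 1: the trust file is the server's own self-signed certificate.
    if verify_with_trust "$srv" "$srv"; then
        echo "server cert in trust file: verify OK"
    else
        echo "server cert in trust file: unexpected failure"; rc=1
    fi

    # Case 2: the trust file holds some other certificate, so the server's
    # self-signed certificate has no trusted issuer and must be rejected.
    if verify_with_trust "$dir/other.example.test.crt" "$srv"; then
        echo "server cert missing from trust file: unexpected success"; rc=1
    else
        echo "server cert missing from trust file: certificate verify failed"
    fi

    rm -rf "$dir"
    return $rc
}

trust_demo
```

The PEM file that passes case 1 is the same file a client would hand to SSL_CTX_load_verify_locations, so this is a quick way to check the exported IIS certificate before debugging the client code.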