Matthias Apitz <g...@unixarea.de> said:

> and was a bit surprised that the connection went fine and the "wserver"
> accepts the SSL connection and responds fine with its dummy message. The
> openssl client does not need any key files to connect...

In normal SSL, only the server needs a certificate and private key. In the
protocol handshake it sends the certificate to the client, so the client can
operate completely by simply trusting the certificate it gets from the
handshake. Of course the client should not be so naive. It should verify the
validity of the certificate it gets from the handshake. Usually this should
mean at least one access to the filesystem to get the root certificate (CA
certificate) to check the connection's certificate. You should see that
access with truss or strace.

(BTW, there is such a thing as ClientTLS where the client actually
authenticates to the server. In that scenario the client does need its own
certificate and private key, but I do not think you were attempting to do
that.)

> The output of the openssl client about the connection is attached below
> as "nohup.out".

In nohup.out you see

>> depth=1 /C=DE/ST=Germany/O=xxxxxxxxxxxxxxx GmbH/OU=SolarTech/CN=Matthias
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> CONNECTED(00000004)

Basically this means that s_client should have failed the connection. It
detected a self-signed certificate and, unless it is configured to accept
them, it should consider it to be invalid. Perhaps the s_client code is not a
good example of the validity checking that should be done on certificates? I
think the code was written to print the error but continue anyway. This is
not how it should be in real life: you should abort the connection if you do
not trust the certificate.

Cheers,
--Sampo

> Why is this? Could some kind soul bring a bit light into this? Thanks in
> advance.
>
> matthias

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
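As an added illustration (not code from this thread or from OpenSSL), the Go program below does what Sampo describes a real client must do: it serves a self-signed certificate constructed in memory, in place of the poster's "wserver" one, on loopback and then connects with an empty trust store, which must fail exactly like the "self signed certificate in certificate chain" verify error, and again with that certificate deliberately installed as a root, which must succeed. The 127.0.0.1 address, the "wserver" greeting and the names Connect and Demo are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Connect is the strict client: it trusts only the given roots and returns the
// verification error instead of printing it and carrying on as s_client does.
func Connect(addr string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo serves a self-signed cert (constructed in memory) on loopback, then connects with no roots and with that cert as a root.
func Demo() (untrusted, trusted error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // parent == template: self-signed
	if err != nil {
		return err, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}})
	if err != nil {
		return err, err
	}
	defer ln.Close()
	go func() { // the "wserver": greet whoever completes the handshake, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.Write([]byte("dummy message\n")); c.Close() }(c)
		}
	}()
	untrusted = Connect(ln.Addr().String(), x509.NewCertPool()) // empty store: no CA file at all
	leaf, _ := x509.ParseCertificate(der)                        // re-parse the DER just produced
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the operator has deliberately chosen to trust this root
	return untrusted, Connect(ln.Addr().String(), pool)
}
```

Run it under strace and you will see no CA-file access, because the trust decision here lives entirely in memory; a real client reads its root store from disk, which is the access Sampo says you should look for.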