With "openssl s_client -connect yourhost:port -CAfile xx.cert" I am getting 
error 21.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dave Thompson
Sent: Monday, January 21, 2013 6:34 PM
To: openssl-users@openssl.org
Subject: RE: Openssl server certificates validation error

> From: owner-openssl-us...@openssl.org On Behalf Of Hazrat Shah
> Sent: Friday, 18 January, 2013 20:02

> Pls, see my comments below.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
> Sent: Friday, January 18, 2013 7:55 PM
> To: openssl-users@openssl.org
> Subject: RE: Openssl server certificates validation error
>
> >From: owner-openssl-us...@openssl.org On Behalf Of Hazrat Shah
> >Sent: Friday, 18 January, 2013 17:54
>
> >I am having a problem with server certificate verification;
> >SSL_get_verify_result() returns error code 20.
>
> >I add a (xx.cert) file to the Windows certificate store as follows.<snip>
>
> >On OpenSSL startup, the file is read from the Windows certificate store and
> >saved into the X509 certificate store. <snip>
>
> Is that X509_STORE *the* store in the (relevant) SSL_CTX? [HS] Yes
>
> What cert is xx.cert? [HS] xx.cert is a self-signed certificate file
> generated in Win2012 server.
>
Are you sure that's the cert the server is using? I believe verify 20 should 
not occur if using a selfsigned cert.
(If it's not in the local truststore, I get 18, not 20.)

Try commandline with (only) that cert file e.g.
  openssl s_client -connect yourhost:port -CAfile xx.cert
and see what verify results that gets.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


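An offline reproduction of the verify codes discussed in this thread, added here as an example that is not from any poster or from the OpenSSL project: it runs `openssl verify` on throwaway certificates instead of `s_client` against a live server. All file and subject names other than xx.cert are constructed; in the case that prints 20 here, `s_client` continues past the first error and typically ends on 21 (unable to verify the first certificate).

```shell
#!/bin/sh
# Added, constructed demo: every name except xx.cert is hypothetical.
# Verify codes: 18 = self-signed cert that is not in the trust store,
# 20 = issuer of a CA-issued cert not found locally, 0 = OK.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed cert: $1 = file stem, $2 = CN.
selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.cert" 2>/dev/null
}

make_certs() {
    selfsigned xx selfsigned.example   # stands in for the thread's xx.cert
    selfsigned other other.example     # a trust file that lacks xx.cert
    selfsigned ca "Demo CA"            # issuer of the leaf below
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.cert" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.cert" 2>/dev/null
}

# Print the numeric verify result: $1 = trust file, $2 = cert under test.
verify_code() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    elif printf '%s\n' "$out" | grep -q ': OK$'; then
        echo 0
    else
        echo unknown
    fi
}

make_certs
echo "self-signed, not in trust file : $(verify_code "$WORK/other.cert" "$WORK/xx.cert")"
echo "self-signed, given as -CAfile  : $(verify_code "$WORK/xx.cert" "$WORK/xx.cert")"
# Server cert is not xx.cert but a CA-issued one, and only xx.cert is trusted:
echo "CA-issued, issuer not trusted  : $(verify_code "$WORK/xx.cert" "$WORK/leaf.cert")"
echo "CA-issued, issuer in trust file: $(verify_code "$WORK/ca.cert" "$WORK/leaf.cert")"
```

A result of 20 or 21 with `-CAfile xx.cert` therefore indicates that the certificate being verified was issued by some other certificate, not that a self-signed certificate is missing from the trust file.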