Thanks for the pointers to both David and Wim. In response to David: if I do not set the VERIFY_PEER flag, then the client does NOT deliver its certificate to the server. At least SSL_Peer_Certificate() returns null.
With regards to installing the self-signed certs on each host: does it not defeat the purpose of a self-signed cert a little? I thought that setting the X509 attribute CA=TRUE (see my code in the original post) was clue enough for it to be used as a CA authority. Can someone confirm if self-signed certs still need to be installed for verification to succeed?

Thanks

On 10/1/13 4:31 PM, "Wim Lewis" <w...@omnigroup.com> wrote:

> On 1 Oct 2013, at 3:00 PM, Troyanker, Vlad wrote:
>> PROBLEM: the server fails SSL connection with SSL_accept: tlsv1 alert unknown ca
>>
>> The funny part is I cannot even find where in source code that error (code SSL_R_TLSV1_ALERT_UNKNOWN_CA) gets thrown. I am looking through openssl-1.0.1e/ssl/s3_srvr.c
>>
>> What am I missing?
>
> That means that the server has sent you the TLS1_AD_UNKNOWN_CA alert (see rfc2246 section 7.2, where it's listed as the "unknown_ca" alert). The SSL_R_foo reasons for alerts are numbered the same as the corresponding TLS protocol constants plus SSL_AD_REASON_OFFSET, which is 1000.
>
> From ssl/s3_both.c, it looks like this alert is generated for either the X509_V_ERR_INVALID_CA or X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER errors in verification.
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org