Accepting certificates stored in /etc/ssl/certs


Accepting certificates stored in /etc/ssl/certs

gperrow

I am using OpenSSL 1.0.1e on Linux. My client application makes a TLS connection to a server which is using a certificate I created, signed by another certificate I created. The signing cert is self-signed. I added the signing cert to the /etc/ssl/certs/ca-bundle.crt file, and running "openssl verify -CApath /etc/ssl/certs rsaserver.id" returns "rsaserver.id: OK", so I know the certificate is installed correctly.

In my client application, I call SSL_CTX_load_verify_locations( ctx, NULL, "/etc/ssl/certs" ) which succeeds. But the handshake fails. If I print the output from X509_verify_cert_error_string(err) in my verify callback, I get "self signed certificate in certificate chain".

If I use SSL_CTX_load_verify_locations( ctx, "rsaroot.crt", NULL ), the handshake succeeds, so there doesn't seem to be anything wrong with the certificates themselves.

I'm sure I'm missing something basic. Can anyone tell me what I'm doing wrong?

Graeme Perrow


RE: Accepting certificates stored in /etc/ssl/certs

Dave Thompson-5
> From: owner-openssl-dev On Behalf Of Perrow, Graeme
> Sent: Wednesday, October 16, 2013 13:26

> I am using OpenSSL 1.0.1e on Linux. My client application makes a TLS
> connection to a server which is using a certificate I created, signed by
> another certificate I created. The signing cert is self-signed. I added the
> signing cert to the /etc/ssl/certs/ca-bundle.crt file, and running
> "openssl verify -CApath /etc/ssl/certs rsaserver.id" returns
> "rsaserver.id: OK", so I know the certificate is installed correctly.

Did you try without -CApath? 'verify' defaults CAfile and CApath separately,
so if on your platform the CAfile default is /etc/ssl/cert.pem linked to
certs/ca-bundle.crt, as is likely, editing that file is enough and it doesn't
matter if CApath is even valid.

> In my client application, I call SSL_CTX_load_verify_locations( ctx, NULL,
> "/etc/ssl/certs" ) which succeeds. But the handshake fails [with] "self
> signed certificate in certificate chain".

> If I use SSL_CTX_load_verify_locations( ctx, "rsaroot.crt", NULL ), the
> handshake succeeds, so there doesn't seem to be anything wrong with the
> certificates themselves.

> I'm sure I'm missing something basic. Can anyone tell me what I'm doing
> wrong?

man SSL_CTX_load_verify_locations
The second argument is a file containing optionally multiple CA certs; in
your case you only need one. The third argument is a directory containing
each cert (or CRL) in a separate file, with the filename or a symlink name
based on the subject hash.

Given you have changed the default CAfile, you could use
_default_verify_paths instead.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: Accepting certificates stored in /etc/ssl/certs

Ralf Skyper Kaiser
In reply to this post by gperrow
Hi,

try with openssl s_client -connect ip:port first. Check the output and see where it fails.

Make sure your self-signed certificate that you used for signing has BasicConstraints CA:TRUE set. (e.g. just creating a self-signed certificate and using it as CA is not enough...)

regards,

ralf



On Wed, Oct 16, 2013 at 6:26 PM, Perrow, Graeme <[hidden email]> wrote:

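The two answers above (CApath entries must be named by subject hash, and the signing cert must carry CA:TRUE) reproduced end to end. This is an added example, not code from the thread; it assumes an openssl CLI of 1.1.0 or later (for -no-CAfile/-no-CApath) whose default req config marks a -x509 cert as CA:TRUE, and it builds a throwaway root and leaf in a temp dir with constructed names.

```shell
#!/bin/sh
# Added example: shows why a CA cert appended to certs/ca-bundle.crt is found
# via CAfile but not via CApath until a hash-named entry exists for it.
set -eu

verifies_ok() {
  # $1 = verify options, $2 = leaf cert; true only when verify prints ": OK".
  # -no-CAfile/-no-CApath keep the system defaults out of the picture, since
  # 'openssl verify' fills in CAfile and CApath independently (Dave's point).
  openssl verify -no-CAfile -no-CApath $1 "$2" 2>&1 | grep -q ": OK$"
}

build_capath_demo() (
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
  # Self-signed signing cert (constructed subject); default req config for
  # -x509 sets basicConstraints CA:TRUE, which we check as Ralf suggests.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout rsaroot.key -out rsaroot.crt 2>/dev/null
  openssl x509 -in rsaroot.crt -noout -text | grep -q "CA:TRUE" || return 1
  # Leaf cert signed by that root (mirrors rsaserver.id in the question)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rsaserver" \
    -keyout rsaserver.key -out rsaserver.csr 2>/dev/null
  openssl x509 -req -in rsaserver.csr -CA rsaroot.crt -CAkey rsaroot.key \
    -CAcreateserial -days 1 -out rsaserver.id 2>/dev/null
  # 1. CAfile with the single CA cert: works
  verifies_ok "-CAfile rsaroot.crt" rsaserver.id || return 1
  # 2. CApath holding the PEM under a bundle name: hash lookup finds nothing
  mkdir capath && cp rsaroot.crt capath/ca-bundle.crt
  if verifies_ok "-CApath capath" rsaserver.id; then return 1; fi
  # 3. Add the <subject_hash>.0 symlink that c_rehash would create: works
  subj_hash=$(openssl x509 -noout -subject_hash -in rsaroot.crt)
  ln -s ca-bundle.crt "capath/$subj_hash.0"
  verifies_ok "-CApath capath" rsaserver.id || return 1
  echo "CApath lookup succeeds only via hash-named entry $subj_hash.0"
)

build_capath_demo
```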