Hi!
I hope this is not a problem that occurs every time on the list, and please
excuse my bad English.
I used some sample code from "Network Security with OpenSSL" (chapter 5) and
think it should work, but it does not.

I will explain the essential steps...

I created a self-signed root CA
===
openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem
openssl x509 -req -in rootreq.pem -sha1 -extensions v3_ca -signkey rootkey.pem -out rootcert.pem
cat rootcert.pem rootkey.pem > root.pem
===

I created a server CA signed by the root CA
===
openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem
openssl x509 -req -in serverCAreq.pem -sha1 -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial -out serverCAcert.pem
cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem
===

I created a server certificate signed by the server CA
===
openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem
openssl x509 -req -in serverreq.pem -sha1 -extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial -out servercert.pem
cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem
===

Lines from the client.c
===
#define CAFILE "rootcert.pem"
...
if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
...
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
...
/* Called once per certificate in the chain; ok == 0 means OpenSSL rejected it */
int verify_callback(int ok, X509_STORE_CTX *store) {
    char data[256];
    if (!ok) {
        X509 *cert = X509_STORE_CTX_get_current_cert(store);
        int depth = X509_STORE_CTX_get_error_depth(store);
        int err = X509_STORE_CTX_get_error(store);
        fprintf(stderr, "-Error with certificate at depth: %i\n", depth);
        X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
        fprintf(stderr, "  issuer = %s\n", data);
        X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
        fprintf(stderr, "  subject = %s\n", data);
        fprintf(stderr, "  err %i:%s\n", err, X509_verify_cert_error_string(err));
    }
    //return ok;
    return 1; // only for testing (accepts the chain regardless of errors)
}
===

Lines from the server.c
===
#define CERTFILE "server.pem"
if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
...
if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
===

The server certificate is signed by the server CA and the server CA is signed
by the root CA (client verify depth is set to 4, so this is not the
problem). So I think all should work fine. But I get the following output
from the client when it connects to the server:

===
-Error with certificate at depth: 1
issuer = /C=DE/ST=BW/L=Ulm/O=MJR/CN=Markus Rathgeb/emailAddress=maggu2810@googlemail.com
subject = /C=DE/ST=BW/L=Ulm/O=SERVER/CN=Server Admin
err 24:invalid CA certificate
-Error with certificate at depth: 1
issuer = /C=DE/ST=BW/L=Ulm/O=MJR/CN=Markus Rathgeb/emailAddress=maggu2810@googlemail.com
subject = /C=DE/ST=BW/L=Ulm/O=SERVER/CN=Server Admin
err 26:unsupported certificate purpose
===

For clarity:
===
$ openssl x509 -subject -issuer -noout -in root.pem
subject= /C=DE/ST=BW/L=Ulm/O=MJR/CN=Markus Rathgeb/emailAddress=maggu2810@googlemail.com
issuer= /C=DE/ST=BW/L=Ulm/O=MJR/CN=Markus Rathgeb/emailAddress=maggu2810@googlemail.com

$ openssl x509 -subject -issuer -noout -in serverCA.pem
subject= /C=DE/ST=BW/L=Ulm/O=SERVER/CN=Server Admin
issuer= /C=DE/ST=BW/L=Ulm/O=MJR/CN=Markus Rathgeb/emailAddress=maggu2810@googlemail.com

$ openssl x509 -subject -issuer -noout -in server.pem
subject= /C=DE/ST=BW/L=Ulm/O=server-domain1/CN=localhost
issuer= /C=DE/ST=BW/L=Ulm/O=SERVER/CN=Server Admin
===

-- 

Markus Rathgeb
Jabber: maggu2810@jabber.org
Public Key Server: http://wwwkeys.us.pgp.net/ or hkp://wwwkeys.us.pgp.net/
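As an added example (not part of the original post or the book's code): the same root -> intermediate -> server hierarchy rebuilt with the openssl CLI, with the extension sections supplied through -extfile, and then checked with "openssl verify" using the intermediate as the untrusted link, which reports the same depth-1 verdict that the verify_callback above prints. All names, subjects and file paths in it are made up; it only assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: build root -> intermediate
# -> server with the openssl CLI and check the chain with "openssl verify".
# A second intermediate, issued from the same CSR but without basicConstraints,
# shows what the verifier reports when CA:TRUE is missing at depth 1.
# All names, subjects and paths are made up for this example.
set -u
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/ext.cnf" <<'EOF'
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[noca_ext]
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
# issue_cert NAME OUTNAME SUBJECT SIGNER EXT_SECTION   (SIGNER "" = self-signed)
issue_cert() {
  name=$1; out=$2; subj=$3; signer=$4; ext=$5
  [ -f "$WORK/$name.csr" ] || openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "$subj" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$signer" ]; then signargs="-signkey $WORK/$name.key"
  else signargs="-CA $WORK/$signer.crt -CAkey $WORK/$signer.key -CAcreateserial"; fi
  # x509 takes the -extensions section from the -extfile file, not from openssl.cnf
  openssl x509 -req -in "$WORK/$name.csr" -sha256 -days 1 $signargs \
      -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$out.crt" 2>/dev/null
}
# Does NAME.crt carry basicConstraints CA:TRUE (what the verifier demands of an issuer)?
is_ca() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}
# Verify server.crt against the trusted root with NAME.crt as the untrusted intermediate;
# prints openssl's verdict ("OK" or e.g. "invalid CA certificate") and returns its status.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$1.crt" "$WORK/server.crt" 2>&1
}
issue_cert root   root       "/CN=Test Root"         ""    ca_ext
issue_cert inter  inter      "/CN=Test Intermediate" root  ca_ext
issue_cert inter  inter-noca "/CN=Test Intermediate" root  noca_ext   # same key, no CA:TRUE
issue_cert server server     "/CN=localhost"         inter server_ext
for i in inter inter-noca; do
  printf '%s: CA=%s  verify: %s\n' "$i" "$(is_ca "$i" && echo yes || echo no)" \
      "$(verify_chain "$i" | tr '\n' ' ')"
done
```

The CA:TRUE check is the one to run on serverCAcert.pem before loading the chain into the client: an intermediate that fails it is exactly what "err 24:invalid CA certificate" at depth 1 refers to.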

OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org