[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath
Charles Mills
charlesm at mcn.org
Fri Nov 30 17:47:24 UTC 2018
(Apologies if a duplicate - I think I mis-sent the first attempt.)
I wrote a TLS server application that runs under Windows and has been
working successfully for years. I am currently using OpenSSL 1.1.0f. When I
wrote the code I only supported a single CA file for client certificates. I
pass the file name in through SSL_CTX_load_verify_locations CAfile and with
CApath NULL. Recently I was asked to add support for multiple CA files. I
updated my parameter handling to support a CA path, and I can now pass the
path instead using SSL_CTX_load_verify_locations CApath.
I am using a client certificate that was signed by my "homegrown" CA (which
uses the OpenSSL utility). When I point to the CA .PEM with
SSL_CTX_load_verify_locations CAfile it works perfectly. When instead I use
CApath to point to a folder that contains only that one .PEM file it fails.
My verify callback is driven with
-Error with certificate at depth: 1
err 19:self signed certificate in certificate chain
error:1417C086:SSL routines:tls_process_client_certificate:certificate
verify failed:ssl\statem\statem_srvr.c:2893:
Yes, the CA certificate is a root certificate and is self-signed. But it
works as a CAfile. Can someone give me some guidance here?
FWIW I specify SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER,
verify_callback);
Thanks,
Charles
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181130/e9e8d911/attachment.html>
More information about the openssl-users
mailing list