how to reproduce the error X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
tim.j.culhane at gmail.com
Wed Aug 21 11:41:04 UTC 2019
Hi all,
I'm writing tests to verify how our mail server handles TLS errors returned
from the OpenSSL library when verifying a certificate during TLS
negotiation.
The test works by sending a message to a source mail server which then
relays the message to the destination mail server.
The operation of relaying the message is done over a secure connection using
port 465.
I want to reproduce a scenario where, when the source mail server opens a
connection to the destination server and carries out a TLS negotiation, the
error returned is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
However, no matter what way I try it I always get the similar but different
error:
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
The OpenSSL library version I'm using is 1.1.1c running on a CentOS 7
server.
My current steps are as follows:
Create our own root CA public/private key pair
Then set up two intermediate certs:
For the first intermediate cert create its CA and private key.
Sign it using the root CA's key.
Do the same thing for the second intermediate key but sign it with the first
intermediate key.
I then generate a certificate request for each of the mail servers.
I self-sign the certificates and generate the server certificates.
I append the intermediate certificates to the file containing the host
certificate.
These are then installed on each server.
I copy various options of the root CA certificate and the intermediate
certificates into the CACertificates directory of my source mail server.
These will be used when the mail server attempts to negotiate a secure
connection to the destination server.
However, no matter what I try I don't get the
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN returned.
As an experiment I ran the command:
openssl verify -verbose -untrusted <root CA cert> <intermediate cert>
And that does reproduce the correct error.
Any idea how I can get OpenSSL to return my desired error?
Hopefully my above description makes sense.
Many thanks,
Tim
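An added example, not part of the original post and not OpenSSL project code: a POSIX shell script that builds a root -> intermediate -> leaf chain with the openssl CLI and then runs `openssl verify` against different trust stores, printing the X509 verify error number each combination produces. Every name and path in it (Example Root, Example Intermediate, mx.example.test, the temp directory) is constructed; it assumes an `openssl` binary of 1.1.1 or later on PATH and nothing else. It also covers the general rule behind the two error codes: error 19 (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) is reported only when chain building walks through at least one untrusted issuer and ends at a self-signed certificate that is not in the trust store, while error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) is reported when the end-entity certificate being checked is itself self-signed.

```shell
#!/bin/sh
# Added example (not from the original post): build a root -> intermediate -> leaf
# chain with the openssl CLI and show which X509 verify error number `openssl verify`
# reports for several trust-store configurations.
#   18 = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
#   19 = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
# All names (Example Root, mx.example.test, file locations) are constructed.
set -eu

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
CFG="$DEMO/openssl.cnf"

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:mx.example.test
EOF
}

# self_signed PREFIX CN EXTSECTION: key plus self-signed certificate (root, or the
# "depth zero" leaf case).
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 -config "$CFG" \
        -extensions "$3" -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

# new_key_and_csr PREFIX CN: private key and certificate request.
new_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CFG" \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}

# sign PREFIX ISSUERPREFIX EXTSECTION: issue PREFIX.pem from PREFIX.csr with ISSUER's key.
sign() {
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$CFG" -extensions "$3" -out "$1.pem" 2>/dev/null
}

# verify_code CAFILE UNTRUSTED TARGET: run `openssl verify` and print the verify
# error number, 0 when the chain is OK, or "unknown" if openssl failed otherwise.
verify_code() {
    out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 || true)
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    case "$out" in
        *": OK"*) printf '0\n' ;;
        *)        printf '%s\n' "${code:-unknown}" ;;
    esac
}

build_demo() {
    write_config "$CFG"
    self_signed "$DEMO/root" "Example Root" v3_ca                 # trust anchor
    new_key_and_csr "$DEMO/inter" "Example Intermediate"
    sign "$DEMO/inter" "$DEMO/root" v3_ca                         # root signs intermediate
    new_key_and_csr "$DEMO/leaf" mx.example.test
    sign "$DEMO/leaf" "$DEMO/inter" v3_leaf                       # intermediate signs server cert
    self_signed "$DEMO/other" "Unrelated Root" v3_ca              # a CA the relying party trusts instead
    self_signed "$DEMO/selfleaf" mx.example.test v3_leaf          # a server cert that is itself self-signed
    cat "$DEMO/inter.pem" "$DEMO/root.pem" > "$DEMO/chain.pem"   # what a server typically sends
}
build_demo

# Root trusted, intermediate supplied as untrusted: chain verifies (0).
case_ok()             { verify_code "$DEMO/root.pem"  "$DEMO/inter.pem" "$DEMO/leaf.pem"; }
# Only an unrelated CA trusted; chain walks leaf -> inter -> root, root is self-signed
# and not trusted: error 19, self-signed certificate in chain.
case_self_in_chain()  { verify_code "$DEMO/other.pem" "$DEMO/chain.pem" "$DEMO/leaf.pem"; }
# Root trusted, but the server certificate itself is self-signed: error 18, depth zero.
case_depth_zero()     { verify_code "$DEMO/root.pem"  "$DEMO/inter.pem" "$DEMO/selfleaf.pem"; }
# The post's command-line experiment: root given only as -untrusted: error 19.
case_untrusted_root() { verify_code "$DEMO/other.pem" "$DEMO/root.pem"  "$DEMO/inter.pem"; }

printf 'root trusted, inter untrusted, leaf:             %s\n' "$(case_ok)"
printf 'unrelated CA trusted, inter+root untrusted, leaf: %s\n' "$(case_self_in_chain)"
printf 'root trusted, self-signed leaf:                  %s\n' "$(case_depth_zero)"
printf 'unrelated CA trusted, root untrusted, inter:     %s\n' "$(case_untrusted_root)"
```

The numbers printed are the `ctx->error` values `openssl verify` reports as "error N at D depth lookup", so they map directly to the X509_V_ERR_* names a TLS client sees in its verify callback. The only difference between the two failing cases is the certificate at depth 0: when the server presents a certificate issued by an intermediate and the chain ends at an untrusted self-signed root, the verifier reports 19; when the certificate presented at depth 0 is its own issuer, it reports 18 regardless of what else is in the trust store.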