FW: how to reproduce the error X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
tim.j.culhane at gmail.com
tim.j.culhane at gmail.com
Fri Aug 30 06:59:29 UTC 2019
Hi,
Anybody have any suggestions on my below query.
I've not made myself clear please let me know what extra info would help.
Thanks,
Tim
-----Original Message-----
From: tim.j.culhane at gmail.com <tim.j.culhane at gmail.com>
Sent: Wednesday 21 August 2019 12:41
To: openssl-users at openssl.org
Subject: how to reproduce the error X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
Hi all,
I'm writing tests to verify how our mail server handles tls errors returned
from the OpenSSL library when verifying a certificate during tls
negotiation.
The test works by sending a message to a source mail server which then
relays the message to the destination mail server.
The operation of relaying the message is done over a secure connection using
port 465.
I want to reproduce a scenario where when the source mailserver opens a
connection to the destination server and carries out a tls negotiation that
the error returned is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
However, no matter what way I try it I always get the similar but different
error:
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
The OpenSSL library version I'm using is 1.1.1c running on a CentOS 7
server.
My current steps are as follows:
Create our own root CA public/private key pair
Then set up two intermediate certs:
For the first intermediate cert create its CA and private key.
Sign it using the root CA's key.
Do the same thin for the second intermediate key but sign it with the first
intermediate key.
I then generate a certificate request for each of the mail servers .
I self sign the certificates and generate the server certificates.
I append the intermediate certificates to the file containing the host
certificate.
These are then installed on each server.
I copy various options of the root CA certificate and the intermediate
certificates into the CACertificates directory of my source mail server.
These will be used when the mail server attempts to negotiate a secure
connection to the destination server.
However, no matter what I try I don't get the
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN returned.
As an experiment I ran the command:
Openssl verify -verbose -untrusted <root CA cert> <intermediate cert>
And that does reproduce the correct error.
Any idea how I can get OpenSSL to return my dsired error?
Hopefully my above description makes sense.
Many thanks,
Tim
More information about the openssl-users
mailing list