[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

Charles Mills charlesm at mcn.org
Mon Dec 3 00:43:17 UTC 2018


Sorry, I do not have a packet capture tool configured.

I have a verify callback with a lot of trace messages. I can see that it is
only entered once; X509_STORE_CTX_get_error_depth() is 1.

Does that tell us anything useful?

Charles


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Kyle Hamilton
Sent: Saturday, December 1, 2018 10:29 PM
To: openssl-users
Subject: Re: [openssl-users] Self-signed error when using
SSL_CTX_load_verify_locations CApath

Wireshark and other packet capture tools can help you determine
exactly what's in the chain sent by the client.  If the self-signed
root isn't being sent, then the "self-signed certificate in
certificate chain" error should never have been sent, and a bug report
on that issue would be appropriate.

If the root is being sent, though, having some idea of what you're
doing when constructing your sessions could help us to figure out why
it is when you didn't intend it to be.

-Kyle H
On Sat, Dec 1, 2018 at 1:47 PM Charles Mills <charlesm at mcn.org> wrote:
>
> > It was found in the chain of certificates sent by the client to the
> > server for validation
>
> Again, I could be wrong but that is my point. I do not think the client is
> sending a chain of certificates, but rather only one, the CA-signed client
> certificate. (I wrote and configured the client, and generated the
> certificate, and loaded it into the certificate store.)
>
> Charles
>
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
> Viktor Dukhovni
> Sent: Saturday, December 1, 2018 12:47 PM
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Self-signed error when using
> SSL_CTX_load_verify_locations CApath
>
> On Sat, Dec 01, 2018 at 12:29:42PM -0800, Charles Mills wrote:
>
> > I could easily be wrong -- you guys know more about certificates than I ever
> > will -- but I do not *think* there is any self-signed certificate in this
> > scenario. There should be exactly two certificates in this discussion:
> >
> > 1. The client certificate. It is not self-signed (in the correct sense of
> > the term, as opposed to the erroneous popular sense): it is signed by my
> > "in-house" CA.
> >
> > 2. The CA certificate. Yes, it is a root and self-signed, but you didn't
> > find it, right?
>
> You seem to be stuck on a narrow meaning of the word "found".  The
> self-signed certificate *was* found, but not in the trust-store.
>
> It was found in the chain of certificates sent by the client to the
> server for validation.  That's what the error message is telling
>
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
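The distinction Viktor and Kyle draw above (a self-signed root that is present in the chain the peer sends, versus one that is present in the trust store) can be reproduced with the openssl CLI. The script below is an added example, not code from this thread or from OpenSSL: `openssl verify -CApath` stands in for SSL_CTX_load_verify_locations(ctx, NULL, capath), and `-untrusted` stands in for the extra certificates a peer sends along with its own. It assumes the openssl binary (1.1.1 or 3.x) is on PATH; the subjects, file names and the helper names setup_pki and verify_with are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL. Assumes the
# 'openssl' CLI (1.1.1 or 3.x) is on PATH; subjects, file names and the
# helper names setup_pki/verify_with are made up for the demo.
set -e

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl CLI not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI: a self-signed in-house root plus one client cert it issued.
# basicConstraints is set explicitly so the root is a valid CA regardless of
# what the system openssl.cnf says.
setup_pki() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=In-house CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        >/dev/null 2>&1
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=client" -keyout "$WORK/client.key" -out "$WORK/client.csr" \
        >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" \
        >/dev/null 2>&1

    # CApath layout as SSL_CTX_load_verify_locations(ctx, NULL, dir) expects:
    # one PEM file per trusted cert, named <subject-hash>.<n>. The empty
    # directory stands in for a trust store that does NOT hold the root.
    mkdir -p "$WORK/trusted" "$WORK/empty"
    cp "$WORK/ca.pem" "$WORK/trusted/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"
}

# verify_with <capath> <cert> [extra-chain-file]
# -untrusted plays the role of the extra certificates a peer sends with its
# own cert. Prints "OK", or "<errnum> <depth>" as a verify callback would see
# them in X509_STORE_CTX_get_error() / X509_STORE_CTX_get_error_depth().
# -no-CAfile keeps the system CA bundle out of the picture.
verify_with() {
    capath=$1; cert=$2; chain=$3
    if [ -n "$chain" ]; then
        out=$(openssl verify -no-CAfile -CApath "$capath" -untrusted "$chain" "$cert" 2>&1 || true)
    else
        out=$(openssl verify -no-CAfile -CApath "$capath" "$cert" 2>&1 || true)
    fi
    case $out in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" |
           sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/\1 \2/p' |
           head -n 1 ;;
    esac
}

setup_pki
echo "root in CApath, peer sends leaf only:     $(verify_with "$WORK/trusted" "$WORK/client.pem")"
echo "root NOT in CApath, peer sends leaf+root: $(verify_with "$WORK/empty" "$WORK/client.pem" "$WORK/ca.pem")"
echo "root NOT in CApath, peer sends leaf only: $(verify_with "$WORK/empty" "$WORK/client.pem")"
```

The three cases print OK, "19 1" and "20 0" respectively. 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, reported at depth 1 (the root, one above the leaf): the root was found, but in the presented chain rather than in CApath. 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY at depth 0: the peer sent only its own cert and the store has nothing to chain it to. Which of the two a server reports therefore tells you whether the client sent the root or not, without a packet capture.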
