[openssl-users] Self-signed error when using SSL_CTX_load_verify_locations CApath

[Charles Mills]

(Apologies if a duplicate - I think I mis-sent the first attempt.)

 

I wrote a TLS server application that runs under Windows and has been
working successfully for years. I am currently using OpenSSL 1.1.0f. When I
wrote the code I only supported a single CA file for client certificates. I
pass the file name in through SSL_CTX_load_verify_locations CAfile and with
CApath NULL. Recently I was asked to add support for multiple CA files. I
updated my parameter handling to support a CA path, and I can now pass the
path instead using SSL_CTX_load_verify_locations CApath.

 

I am using a client certificate that was signed by my "homegrown" CA (which
uses the OpenSSL utility). When I point to the CA .PEM with
SSL_CTX_load_verify_locations CAfile it works perfectly. When instead I use
CApath to point to a folder that contains only that one .PEM file it fails.
My verify callback is driven with

 

-Error with certificate at depth: 1

err 19:self signed certificate in certificate chain

error:1417C086:SSL routines:tls_process_client_certificate:certificate
verify failed:ssl\statem\statem_srvr.c:2893:

 

Yes, the CA certificate is a root certificate and is self-signed. But it
works as a CAfile. Can someone give me some guidance here?

 

FWIW I specify SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER,
verify_callback);

 

Thanks,

 

Charles

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181130/e9e8d911/attachment.html>