Verifying self-signed certificate


iruvo...@hushmail.com

Nov 29, 2010, 5:55:18 AM
Greetings,

I guess this question must have been asked quite a lot over here,
but I couldn't find any traces of it
so I guess I'll repeat it.

I can't seem to be able to verify (using 'openssl verify') -
without openssl spitting a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT -
a server certificate that was signed with a custom-made CA even
though I pass the CA certificate using the -CAfile switch.
I've tried -purpose and also using -CApath instead of -CAfile but
to no avail.

Is this a feature, a bug or am I just doing it wrong?

Shouldn't a self-signed certificate get verified when a user
_manually_ also passes a certificate he considers trusted?

Also, is there any documentation on how SSL_CTX_set_cert_store() be
used? It seems to me that it's the correct way to validate
a self-signed certificate through the OpenSSL API.

Many thanks!

PS: Sorry, if this reaches the mailing list multiple times, I
screwed up a bit :)

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

Nov 29, 2010, 1:05:43 PM
On Mon, Nov 29, 2010, iruvo...@hushmail.com wrote:

> Greetings,
>
> I guess this question must have been asked quite a lot over here,
> but I couldn't find any traces of it
> so I guess I'll repeat it.
>
> I can't seem to be able to verify (using 'openssl verify') -
> without openssl spitting a X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT -
> a server certificate that was signed with a custom-made CA even
> though I pass the CA certificate using the -CAfile switch.
> I've tried -purpose and also using -CApath instead of -CAfile but
> to no avail.
>
> Is this a feature, a bug or am I just doing it wrong?
>

Impossible to tell without seeing the actual certificate and the precise
command line you use.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

iruvo...@hushmail.com

Nov 29, 2010, 5:41:19 PM

Greetings!

I'm doing nothing funky:
$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
$ openssl genrsa -des3 -out server.key 4096
$ openssl req -new -key server.key -out server.csr
$ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Giving to every option (company name, etc.) the default value:
So for example, my server.crt's issuer line is:
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
and my ca.crt's subject line is:
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd

I'm trying to verify them with something like that:
"
$ openssl verify -CAfile ca.crt server.crt
server.crt: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
error 18 at 0 depth lookup:self signed certificate
OK
"
but like I said in my original post I've tried the -purpose
-CApath etc. switches as well.

Can you reproduce this?

Thank you very much for the reply!

Dr. Stephen Henson

Nov 29, 2010, 6:36:16 PM
On Tue, Nov 30, 2010, iruvo...@hushmail.com wrote:

> On Mon, 29 Nov 2010 20:05:43 +0200 "Dr. Stephen Henson"
> <st...@openssl.org> wrote:
> Greetings!
>
> I'm doing nothing funky:
> $ openssl genrsa -des3 -out ca.key 4096
> $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
> $ openssl genrsa -des3 -out server.key 4096
> $ openssl req -new -key server.key -out server.csr
> $ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
>
> Giving to every option (company name, etc.) the default value:
> So for example, my server.crt's issuer line is:
> Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
> and my ca.crt's subject line is:
> Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
>

Well that's one problem, if your certificates have the same issuer and subject
names then you'll end up with what looks like a self-signed certificate. Try
giving the server certificate different values from the CA.

If there were any extensions in the server certificate that wouldn't happen
but the command you create the server certificate with doesn't include any and
ends up creating the deprecated V1 certificate format.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
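
The fix Steve describes, worked through end to end as an added example (this script is not part of the thread and is not OpenSSL project code): the CA and the server get different subject names, the server certificate is issued with V3 extensions via -extfile/-extensions, and the result is checked with openssl verify -CAfile. The DNs, file names and the minimal openssl.cnf written into the temp directory are all constructed for the demo; the CN values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread or the OpenSSL project.
# Builds a tiny CA plus a server certificate whose subject DIFFERS from the
# CA's subject and which carries V3 extensions, so 'openssl verify -CAfile'
# no longer reports a "self signed certificate" at depth 0.
# All DNs, file names and config contents are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the run does not depend on the system openssl.cnf.
# ca_ext marks the root as a CA; srv_ext marks the leaf as an end entity.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:demo.example.test
EOF
}

# Self-signed root with its own CN ("Demo Root CA", a constructed name).
make_ca() {
    openssl req -new -x509 -days 365 -config "$WORK/openssl.cnf" \
        -extensions ca_ext \
        -subj "/C=AU/ST=Some-State/O=Demo/CN=Demo Root CA" \
        -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        2>/dev/null
}

# Leaf: CSR with a different subject, signed by the CA with srv_ext attached.
# Passing -extfile/-extensions to 'x509 -req' is what makes the output a V3
# certificate instead of the deprecated V1 format.
make_server() {
    openssl req -new -config "$WORK/openssl.cnf" \
        -subj "/C=AU/ST=Some-State/O=Demo/CN=demo.example.test" \
        -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 90 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial 01 \
        -extfile "$WORK/openssl.cnf" -extensions srv_ext \
        -out "$WORK/server.crt" 2>/dev/null
}

# Exit status 0 when server.crt chains to ca.crt, non-zero otherwise.
verify_server() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt"
}

# The two properties the thread turned on: subject != issuer on the leaf,
# and the leaf is a V3 certificate (i.e. it actually has extensions).
leaf_is_v3_with_distinct_subject() {
    subj=$(openssl x509 -noout -subject -in "$WORK/server.crt")
    iss=$(openssl x509 -noout -issuer -in "$WORK/server.crt")
    ver=$(openssl x509 -noout -text -in "$WORK/server.crt" | grep -c 'Version: 3')
    [ "${subj#subject=}" != "${iss#issuer=}" ] && [ "$ver" -ge 1 ]
}

write_config
make_ca
make_server
verify_server
leaf_is_v3_with_distinct_subject && echo "leaf is V3 and not self-issued"
```

Run it as a plain sh script (it needs only the openssl binary; set WORK to keep the output somewhere other than a fresh temp directory). Compared with the commands in the original post, the only substantive changes are a CN that differs between CA and server and the -extfile/-extensions pair on the signing step; -set_serial 01 and the other defaults are kept as they were.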

iruvo...@hushmail.com

Nov 30, 2010, 7:40:36 PM

On Tue, 30 Nov 2010 01:36:16 +0200 "Dr. Stephen Henson"


Heh, I didn't think of this :)

Thank you very much, it's now working!
