
problem with verifying certificates


Chris Drumgoole

May 3, 2001, 5:04:28 PM
Hi, I am running openssl 0.9.6a on a SunOS2.6 machine.

I installed like so:
./config
make
make test
make install


my problem is, it doesn't seem to be able to verify *any* signed
certificates.

here is an example output from
bin/openssl s_client -host rsaonline.rsasecurity.com -port 443 -showcerts
(I picked rsaonline.... because I would think they would have a valid cert
;-)

output:

CONNECTED(00000004)
depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Massachusetts/L=Bedford/O=RSA Security Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 938 bytes and written 248 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 512 bit
SSL-Session:
    Protocol : TLSv1
    Cipher : RC4-MD5
    Session-ID: 020000007E424A3D34136D63A38C243A6910211EEA1C39567901AE8A0258D6F5
    Session-ID-ctx:
    Master-Key: 49D9D45A4F2BCC8D464DFA115B4BD12D66F0A00E7ED820A279BEDF4E9D05D7DF9A3F98E5CD134C7BF5FDC7CD2ADEFEE6
    Key-Arg : None
    Start Time: 988923327
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

as you can see from the section above the Certificate, it says cert not
trusted, etc...

I am wondering if there is something else I need to do??

thank you in advance!

Chris Drumgoole
email administrator
CAEN, COE, Univ. of Michigan



______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Richard Levitte - VMS Whacker

May 3, 2001, 5:12:15 PM
From: Chris Drumgoole <cd...@engin.umich.edu>

You have misunderstood how verification is done. What you need to
tell s_server is what issuers you trust by pointing out a store with
their certificates (a PEM file). So, you need to get the certificate
for "OU=Secure Server Certification Authority, O=RSA Data Security, Inc., C=US",
put it in PEM format in a file (say foo.pem) and tell s_server about
that file (-CAfile foo.pem).

cdrum> here is an example output from
cdrum> bin/openssl s_client -host rsaonline.rsasecurity.com -port 443 -showcerts
cdrum> (I picked rsaonline.... because I would think they would have a valid cert
cdrum> ;-)
cdrum>
cdrum> output:
cdrum>
cdrum>
cdrum>
cdrum> CONNECTED(00000004)
cdrum> depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security
cdrum> Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
cdrum> verify error:num=20:unable to get local issuer certificate
cdrum> verify return:1
cdrum> depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security
cdrum> Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
cdrum> verify error:num=27:certificate not trusted
cdrum> verify return:1
cdrum> depth=0 /C=US/ST=Massachusetts/L=Bedford/O=RSA Security
cdrum> Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
cdrum> verify error:num=21:unable to verify the first certificate
cdrum> verify return:1
cdrum> ---
cdrum> Certificate chain
cdrum> 0 s:/C=US/ST=Massachusetts/L=Bedford/O=RSA Security
cdrum> Inc./OU=RSAS-WEB-01/OU=Terms of use at www.verisign.com/rpa (c)00/CN=rsaonline.rsasecurity.com
cdrum> i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification
cdrum> Authority

--
Richard Levitte \ Spannvägen 38, II \ LeV...@stacken.kth.se
Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- po...@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
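The behaviour discussed in this thread, reproduced offline as an added example that is not part of the original posts: a certificate fails with error 20 until the verifier is handed its issuer's certificate in a PEM file via -CAfile. The CA, the leaf, their names and the helper functions make_chain and verify_code are all constructed for the demonstration; a reasonably recent openssl command line is assumed.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and leaf, nothing taken from the server in the thread.

# Build a scratch issuer and a leaf certificate signed by it; prints the work directory.
make_chain() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Self-signed issuer certificate (constructed name).
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/O=Example/CN=Demo Issuing CA" \
            -keyout ca.key -out ca.pem 2>/dev/null || exit 1
        # Leaf key and signing request, then the issuer signs it.
        openssl req -newkey rsa:2048 -nodes \
            -subj "/O=Example/CN=leaf.example.test" \
            -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -days 1 -out leaf.pem 2>/dev/null || exit 1
    ) || return 1
    printf '%s\n' "$dir"
}

# Print the verify error number openssl reports for a certificate:
# 0 when it verifies, "unknown" when the output is neither OK nor an error line.
# usage: verify_code LEAF.pem [extra "openssl verify" options...]
verify_code() {
    leaf=$1; shift
    out=$(openssl verify "$@" "$leaf" 2>&1) || true
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    else
        case $out in
            *": OK"*) echo 0 ;;
            *) echo unknown ;;
        esac
    fi
}

d=$(make_chain) || exit 1
# Issuer not in any store the verifier knows: unable to get local issuer certificate.
echo "no -CAfile        : verify code $(verify_code "$d/leaf.pem")"
# Issuer certificate supplied as a PEM file: the chain now ends in a trusted cert.
echo "-CAfile ca.pem    : verify code $(verify_code "$d/leaf.pem" -CAfile "$d/ca.pem")"
rm -rf "$d"
```

The s_client command used in the first post accepts the same -CAfile option.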
