On Sun, 2013-12-08 at 03:53 +0800, Karl wrote:
> Yes, sure, ca-cert set, log shows "[main] processed 1 CA
> certificate(s)", and the cert-user-oid set to use CN too, but no luck.

Try verifying the certificate that is sent by the client manually using
certtool and the CA file. What is the output? If it is verified correctly,
try enabling debugging (--tls-debug) in ocserv to pinpoint the issue, and
if it is not obvious, send the relevant parts of the log here. As I see,
your error is not a verification failure, but a failure of the verification
function, which is quite uncommon.

regards,
Nikos