(Apologies if a duplicate – I think I mis-sent the first attempt.)

I wrote a TLS server application that runs under Windows and has been working successfully for years. I am currently using OpenSSL 1.1.0f. When I wrote the code I only supported a single CA file for client certificates. I pass the file name in through SSL_CTX_load_verify_locations CAfile, with CApath NULL.

Recently I was asked to add support for multiple CA files. I updated my parameter handling to support a CA path, and I can now pass the path instead using SSL_CTX_load_verify_locations CApath.

I am using a client certificate that was signed by my “homegrown” CA (which uses the OpenSSL utility). When I point to the CA .PEM with SSL_CTX_load_verify_locations CAfile it works perfectly. When instead I use CApath to point to a folder that contains only that one .PEM file, it fails. My verify callback is driven with:

    Error with certificate at depth: 1 err 19:self signed certificate in certificate chain
    error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed:ssl\statem\statem_srvr.c:2893:

Yes, the CA certificate is a root certificate and is self-signed. But it works as a CAfile. Can someone give me some guidance here?

FWIW I specify SSL_CTX_set_verify(sslContext, SSL_VERIFY_PEER, verify_callback);

Thanks,
Charles
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
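The behaviour in the post comes from how the CApath lookup works, and the following script reproduces it and shows the fix. It is an added example, not part of Charles's message or of the OpenSSL project's own code. The directory given as CApath (whether to `openssl verify -CApath` or to `SSL_CTX_load_verify_locations(ctx, NULL, dir)`; both use the same X509_LOOKUP_hash_dir method) is never scanned: when OpenSSL needs the issuer of a certificate it hashes the issuer's subject name and opens `<hash>.0`, `<hash>.1`, ... in that directory, and nothing else. A file called `ca.pem` is therefore never read, the root is not found in the trust store, and because the TLS client sent its root along with the leaf the result is error 19 (self signed certificate in certificate chain) at depth 1 rather than error 20 (unable to get local issuer certificate). The script builds a throwaway CA and client certificate in a temporary directory (constructed for this demo), uses `-untrusted ca.pem` to play the client that sends its chain, and compares a CApath holding `ca.pem` with one holding the same file renamed to `<hash>.0`. The helper names `ca_hash` and `verify_error_code` are mine, and the script assumes only that the `openssl` command line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post: reproduces the CApath failure
# described above and shows the fix. Needs only the `openssl` command line tool.
# All key material is a throwaway CA generated in a temp dir (constructed here).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Demo Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root CA plus one client certificate signed by it.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/req.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
    -subj "/CN=demo-client" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null

# The 8-hex-digit subject name hash. X509_LOOKUP_hash_dir opens "<hash>.0",
# "<hash>.1", ... inside the CApath directory and no other file names.
ca_hash() { openssl x509 -noout -hash -in "$WORK/ca.pem"; }

# Verify the client cert against a CApath directory. "-untrusted ca.pem" plays
# the TLS client that sends its root along with the leaf, which is what turns
# error 20 (no local issuer) into the post's error 19 (self-signed cert in chain).
# Prints the first X509 verify error number, or 0 when the chain verifies.
verify_error_code() {
    capath=$1
    if out=$(openssl verify -CApath "$capath" -untrusted "$WORK/ca.pem" \
                 "$WORK/client.pem" 2>&1); then
        echo 0
        return 0
    fi
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

PLAIN="$WORK/capath-plain"     # holds ca.pem under its own name (the post's setup)
HASHED="$WORK/capath-hashed"   # holds the same certificate stored as <hash>.0
mkdir -p "$PLAIN" "$HASHED"
cp "$WORK/ca.pem" "$PLAIN/ca.pem"
cp "$WORK/ca.pem" "$HASHED/$(ca_hash).0"   # what `openssl rehash` / c_rehash would create

echo "CApath with ca.pem only       : error $(verify_error_code "$PLAIN")"
echo "CApath with $(ca_hash).0 : error $(verify_error_code "$HASHED")"
```

The first line prints error 19 and the second prints error 0. A plain copy named `<hash>.0` works exactly like the symlink that `c_rehash` (or, on Unix builds of 1.1.0 and later, `openssl rehash DIR`) creates, which matters on Windows, where the `rehash` subcommand is not built into openssl.exe and symlinks are awkward: compute the hash with `openssl x509 -noout -hash -in ca.pem` and copy the file to `<hash>.0` in the CApath folder. Two CAs whose subjects hash to the same value take `.0` and `.1`; the lookup stops at the first missing number, so the suffixes must be contiguous. Note also that the hash changed between 0.9.8 and 1.0.0, so `<hash>.0` files produced with an old `c_rehash` (`-subject_hash_old`) are ignored by 1.1.0.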