From: Amos Gouaux <[EMAIL PROTECTED]>
Date: Sun, 19 Aug 2001 20:46:26 -0500
If I do this instead of using tls_ca_file, using the same cert
(vsignss.pem) that's included with openssl, I get the same results:
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
The "self signed certificate" error is a local _client_ configuration
problem. (The local client isn't trusting the Verisign root
certificate.)
I also posted a similar query on the openssl list and this is what
Lutz Jaenicke <[EMAIL PROTECTED]> had to say:
This error message tells you that the chain is complete (the verification
process reaches the root CA chain and finds it to be self signed).
However, the verification cannot succeed, as the root CA certificate must
be available as a local copy for verification purposes.
From the API point of view, this is achieved by loading it using
SSL_CTX_load_verify_locations().
Again, on the client side.
$ imtest -t "" -m plain localhost
C: C01 CAPABILITY
S: * OK andromeda Cyrus IMAP4 v2.1.0pre server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID
NO_ATOMIC_RENAME UNSELECT CHILDREN MULTIAPPEND SORT THREAD=ORDEREDSUBJECT
THREAD=REFERENCES IDLE STARTTLS X-NETSCAPE
S: C01 OK Completed
S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
SSL_connect error -1
SSL session removed
TLS negotiation failed!
C: C01 CAPABILITY
S: 01S: * BAD Invalid tag
This looks kinda like what Chris Charter is experiencing, maybe?
The "self signed certificate" error isn't a fatal error for imtest.
For instance, I get:
S01 OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
C: C01 CAPABILITY
I don't know why SSL_connect is failing. You have TLS working for you
with a self-signed certificate?
Larry
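As an added illustration (not part of this thread or of Cyrus/imtest), the situation Lutz describes, a complete chain whose self-signed root the client has not loaded locally, reproduced with Go's crypto/x509 instead of OpenSSL: the root arrives in the server's chain, and verification fails until the client also trusts it, which is the counterpart of the SSL_CTX_load_verify_locations() step. The root CA and the host name imap.example.test are constructed throwaway values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue creates a fresh key and a certificate from tmpl; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if parent == nil { parent, parentKey = tmpl, key } // self-signed root CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// MakeChain builds a constructed throwaway root CA and an IMAP server leaf signed by it.
func MakeChain() (leaf, root *x509.Certificate) {
	now := time.Now()
	root, rootKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "imap.example.test"},
		DNSNames: []string{"imap.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return leaf, root
}

// VerifyAsClient checks the chain the way the TLS client does: the server sent
// leaf+root, so root goes into the untrusted "received" pool; trustRootLocally is
// the client-side configuration knob (OpenSSL: SSL_CTX_load_verify_locations()).
func VerifyAsClient(leaf, root *x509.Certificate, trustRootLocally bool) error {
	opts := x509.VerifyOptions{DNSName: "imap.example.test",
		Intermediates: x509.NewCertPool(), Roots: x509.NewCertPool()}
	opts.Intermediates.AddCert(root) // self-signed root received in the server's chain
	if trustRootLocally { opts.Roots.AddCert(root) }
	_, err := leaf.Verify(opts)
	return err
}

// RootIsUntrusted reports Go's counterpart of OpenSSL's verify error 19.
func RootIsUntrusted(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}
```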