Hello everyone,
I am using OpenSSL 0.2.0-pre0 for Ruby and
I am trying to understand the examples. Currently,
there is a need for any connecting clients to present
their certificate and the server to check these against
the signing CA.
I created the signing 'CA' certificate with
the gen_ca_cert.rb and then created an example client
certificate using the gen_cert.rb. Then copied them
into the ssl example directory and went and ran the server with
./svr.rb -C 0cert.pem -v (telling the server to use the
CA certificate and also to verify the clients) and then
tried to connect up using ./cli.rb -c 1cert.pem -k 1key.pem
However, whenever the client starts up, I type
in the password, but always get that the client
cannot be verified. Am I doing something wrong or are there
any ‘features’ in the current release that stop this
from being possible? (hope not)
Btw, in the server example code, if I pass in -C then it
crashes at roughly line 32, where it says ssl.ca_file = ca_cert
guess that's a typo and that it should read ctx.ca_file = ca_cert ??
regards and many thanks
Stef Telford stef@chronozon.artofdns.com
Hi, Stef,
From: “Stef Telford” stef@chronozon.artofdns.com
Sent: Saturday, March 22, 2003 7:42 AM
> I am using OpenSSL 0.2.0-pre0 for Ruby and
> I am trying to understand the examples. Currently,
> there is a need for any connecting clients to present
> their certificate and the server to check these against
> the signing CA.
> I created the signing 'CA' certificate with
> the gen_ca_cert.rb and then created an example client
> certificate using the gen_cert.rb. Then copied them
> into the ssl example directory and went and ran the server with
> ./svr.rb -C 0cert.pem -v (telling the server to use the
> CA certificate and also to verify the clients) and then
> tried to connect up using ./cli.rb -c 1cert.pem -k 1key.pem
> However, whenever the client starts up, I type
> in the password, but always get that the client
> cannot be verified. Am I doing something wrong or are there
> any ‘features’ in the current release that stop this
> from being possible? (hope not)
I’m using ossl-0.2.0-pre2 and succeeded in verifying with a small
change. The issuer of the gen_cert.rb-generated cert seems to be wrong.
Change
    new.issuer = Name.new(name)
part of gen_cert.rb to
    new.issuer = ca.subject
> Btw, in the server example code, if I pass in -C then it
> crashes at roughly line 32, where it says ssl.ca_file = ca_cert
> guess that's a typo and that it should read ctx.ca_file = ca_cert ??
Should be.
Regards,
// NaHi
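The issuer mismatch discussed in this thread, as an added example (not code from either poster or from the OpenSSL for Ruby examples): a certificate signed by the CA key fails verification while its issuer field is not the CA's subject, and passes once it is. It is written against the current Ruby openssl API; the names, the throwaway keys and the choice of the client's own name as the wrong issuer are assumptions made for the demonstration.

```ruby
require "openssl"

# Constructed names and throwaway keys; none of this comes from the thread's files.
CA_NAME   = OpenSSL::X509::Name.parse("/CN=Example Test CA")
LEAF_NAME = OpenSSL::X509::Name.parse("/CN=example-client")

# Build a certificate for `key`, signed by `signing_key`, with an explicit issuer name.
def build_cert(subject:, issuer:, key:, signing_key:, serial:, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = subject
  cert.issuer     = issuer
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  end
  cert.sign(signing_key, OpenSSL::Digest.new("SHA256"))
end

# Verify `cert` against a trust store holding only the CA certificate.
def verify_against(ca_cert, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ok = store.verify(cert)
  [ok, store.error_string]
end

def demo
  ca_key   = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  ca = build_cert(subject: CA_NAME, issuer: CA_NAME, key: ca_key,
                  signing_key: ca_key, serial: 1, ca: true)
  # Assumed mistake: issuer rebuilt from the client's own name, though the CA key signs it.
  wrong = build_cert(subject: LEAF_NAME, issuer: LEAF_NAME, key: leaf_key,
                     signing_key: ca_key, serial: 2)
  # The fix from the reply: issuer is the CA certificate's subject.
  fixed = build_cert(subject: LEAF_NAME, issuer: ca.subject, key: leaf_key,
                     signing_key: ca_key, serial: 3)
  { wrong_issuer: verify_against(ca, wrong), ca_subject: verify_against(ca, fixed) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, (ok, err)| puts "#{label}: verified=#{ok} (#{err})" }
end
```

The error string returned for the failing case is the first thing to check when a server reports that a client cannot be verified, since chain building matches the certificate's issuer name against the subjects in the trust store before any signature is checked.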