Hi Gregoire!
I've tested it and it works for me without problems. Maybe there is a
typo in your CA file? I have 2 CAs in my ca file - see below.
regards
klaus
root@pb94:/home/cert# cat CA.crt
adrians ag-project CA cert
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"/etc/certs/fedA/demoCA/cacert.pem" von server1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
root@pb94:/home/cert#
Klaus Darilion wrote:
Hi Gregoire!
Sorry for the late response - I was at the Openser Summit.
Regarding your problem: openser uses SSL_CTX_load_verify_locations(..) to
load the CA. As the docs say
(http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html) all
the CAs in this file will be used:
...
If CAfile is not NULL, it points to a file of CA certificates in PEM
format. The file can contain several CA certificates identified by
-----BEGIN CERTIFICATE-----
... (CA certificate in base64 encoding) ...
-----END CERTIFICATE-----
sequences. Before, between, and after the certificates text is allowed
which can be used e.g. for descriptions of the certificates.
...
Thus, it should work out of the box. I will try it myself.
regards
klaus
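A way to check a CA bundle before handing it to openser, added here as an example and not code from the thread, from OpenSER or from OpenSSL: it counts the well-formed PEM blocks, flags boundary lines that are not exactly the five-dash form the OpenSSL docs describe, and, for a real file, asks OpenSSL through Python's ssl module how many CA certificates it actually loaded. The sample bundle in the block is constructed and its certificate bodies are placeholders.

```python
import re
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"  # canonical: exactly five dashes
END = "-----END CERTIFICATE-----"
# Looks like a boundary but is not exactly canonical, e.g.
# "-------BEGIN CERTIFICATE------": OpenSSL will not treat it as one.
LOOKALIKE = re.compile(r"^-+\s*(BEGIN|END) CERTIFICATE\s*-+$")


def scan_ca_bundle(text):
    """Return (well-formed certificate blocks, list of problems found).
    Free text before, between and after blocks is allowed; boundaries must be exact."""
    blocks, problems, inside = 0, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                problems.append(f"line {lineno}: BEGIN without preceding END")
            inside = True
        elif line == END:
            if inside:
                blocks += 1
            else:
                problems.append(f"line {lineno}: END without preceding BEGIN")
            inside = False
        elif LOOKALIKE.match(line):
            problems.append(f"line {lineno}: malformed PEM boundary {line!r}")
    if inside:
        problems.append("file ends inside an unterminated certificate block")
    return blocks, problems


def count_loaded_cas(cafile):
    """Ask OpenSSL itself how many CA certificates it loads from cafile."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # loads no default CAs
    ctx.load_verify_locations(cafile=cafile)
    return ctx.cert_store_stats()["x509_ca"]


# Constructed sample: a well-formed block, then one whose boundary lines
# do not have exactly five dashes (bodies are placeholders, not real certs).
SAMPLE = """adrians ag-project CA cert
-----BEGIN CERTIFICATE-----
MIIBsample...
-----END CERTIFICATE-----
second CA, from server1
-------BEGIN CERTIFICATE------
MJ809il......
--------END CERTIFICATE--------
"""
```

Running scan_ca_bundle over the sample reports one good block and two malformed boundaries; count_loaded_cas on a real user-cacert.pem should equal the number of CAs you expect in it.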
Gregoire wrote:
Hi!
When a single CA is in the file, there is no problem. But when I put
multiple CAs, only the first one is taken. OpenSER doesn't care about
the others.
Greg
Klaus Darilion wrote:
Hi Greg!
I have not tested this, but from reading the openssl docs I had the
feeling that all the CAs in the ca-file will be used.
Is the CA the only one in the ca-file, or are there multiple CAs in the
ca-file? Can you check whether it works when using only a single CA in
the ca-file?
regards
klaus
On Sun, November 5, 2006 20:39, Gregoire said:
Hi everybody!
I am using OpenSER 1.1 with TLS.
I have generated the client and server certificates with the scripts
gen_rootCA.sh and gen_usercert.sh.
Everything works fine, but I have generated a certificate for my UA with
another CA and I have added this CA to the file user-cacert.pem.
When I try to connect with my UA, OpenSER logs an error like:
"tls_error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca"
My file user-cacert.pem looks like:
-------BEGIN CERTIFICATE------
MAOIposio.....
--------END CERTIFICATE--------
-------BEGIN CERTIFICATE------
MJ809il......
--------END CERTIFICATE--------
I think that OpenSER takes only the first CA certificate and not all
the following ones.
Does anyone have experience with that case?
Regards
Greg
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users