[Devel] Re: [Users] Multiple CA

Klaus Darilion klaus.mailinglists at pernau.at
Fri Nov 10 11:50:18 CET 2006


Hi Gregoire!

I've tested it and it works for me without problems. Maybe there is a 
typo in your CA file? I'm having 2 CAs in my ca file - see below.

regards
klaus

root at pb94:/home/cert# cat CA.crt
adrians ag-project CA cert
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

"/etc/certs/fedA/demoCA/cacert.pem" von server1
-----BEGIN CERTIFICATE-----
MIIDwTCCAqmgAwIBAgIJAN6Cdw/E8q5rMA0GCSqGSIb3DQEBBQUAMEkxCzAJBgNV
BAYTAkFVMQswCQYDVQQIEwJhdDEPMA0GA1UEBxMGVmllbm5hMQ0wCwYDVQQKEwRm
ZWRBMQ0wCwYDVQQDEwRmZWRBMB4XDTA2MDQwMjEyNDIxNVoXDTA3MDQwMjEyNDIx
NVowSTELMAkGA1UEBhMCQVUxCzAJBgNVBAgTAmF0MQ8wDQYDVQQHEwZWaWVubmEx
DTALBgNVBAoTBGZlZEExDTALBgNVBAMTBGZlZEEwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQCp3lvLGBwO0TxPeKvNabhkGztO+MLhr9dT7Qyv82JYytJs
g6uuH13GFI8JAWshdW3m0jlTm3yZY2fgTwsdDGAEVh7h1vJ9OBal746U0mgDyHDf
NBkkV4RN8B8LvHzpDWZCeZ8jejHex16P16VLphcaS+Ckd2/m/1tGODdEFSbEITjn
Fw1A3mycWqwOwiUByFYJq2GKjVf0C2Hhi7fNW8NLAePvd8zEavuizs0RI9tIJRf6
7EW2RqryOAqg8IYgMa63xnkKECgiBrUWC1wDdrLyhX1Ti/AhzrrZibp6hgUXw1J0
08lbYStNjBD8AEXfakxyKDlc885HTQRFs0EYiuilAgMBAAGjgaswgagwHQYDVR0O
BBYEFBnNssTPeOxMizyo+YHYeTgmaVZ8MHkGA1UdIwRyMHCAFBnNssTPeOxMizyo
+YHYeTgmaVZ8oU2kSzBJMQswCQYDVQQGEwJBVTELMAkGA1UECBMCYXQxDzANBgNV
BAcTBlZpZW5uYTENMAsGA1UEChMEZmVkQTENMAsGA1UEAxMEZmVkQYIJAN6Cdw/E
8q5rMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAIOY0q67dMDHgxNG
yE1lmSCsnVPpvQksbj2AoCo2eTcExOzfCdltQj0sd8KilE6J1QlvqvFJKulU6o3b
AS5FCPGJuUPJGyNAaDFe+BktRIGf/c5OaqUYvEpnr5+ioP+oMzkBuOefN1cev5rH
X+oC8DeX5yJQFq5dWTcLxME86ScoQ6c3sDTo0oiCI1nAAhvM/Z/N/rYItqc/ykky
4syHWiBukXscXKaTCvaafRvKenGczKmIpAf/GJ6+BCK/vl0GIOSmGMbErYvkB3dM
PMpOjgNzr4WvCWig5PSUjCZsih85dYYp/LvodTVmWInNC6OvlEXxPi/jYQcdEYkz
VTIRKmw=
-----END CERTIFICATE-----

root at pb94:/home/cert#
Klaus Darilion wrote:
> Hi Gregoire!
> 
> Sorry for the late response - I was at the Openser Summit.
> 
> Regarding your problem: openser uses SSL_CTX_load_verify_locations(..) to 
> load the CA. As the docs say 
> (http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html) all 
> the CAs in this file will be used:
> 
> ...
> If CAfile is not NULL, it points to a file of CA certificates in PEM 
> format. The file can contain several CA certificates identified by
> 
>  -----BEGIN CERTIFICATE-----
>  ... (CA certificate in base64 encoding) ...
>  -----END CERTIFICATE-----
> 
> sequences. Before, between, and after the certificates text is allowed 
> which can be used e.g. for descriptions of the certificates.
> ...
> 
> 
> 
> Thus, it should work out of the box. I will try it myself.
> 
> regards
> klaus
> 
> Gregoire wrote:
>> Hi!
>> When a single CA is in the file, there is no problem. But when I put
>> multiple CAs, only the first one is taken. OpenSER doesn't care about
>> the others.
>>
>> Greg
>> Klaus Darilion wrote:
>>
>>> Hi Greg!
>>>
>>> I have not tested this, but from reading the openssl docs I had the
>>> feeling that all the CAs in the ca-file will be used.
>>>
>>> Is the CA the only one in the ca-file or are the multiple CAs in the
>>> ca-file? Can you try if it works when using only a single CA in the
>>> ca-file?
>>>
>>> regards
>>> klaus
>>>
>>>
>>> On Sun, November 5, 2006 20:39, Gregoire said:
>>>
>>>> Hi everybody!
>>>>
>>>> I am using OpenSER 1.1 with TLS.
>>>> I have generated the client and server certificates with the scripts
>>>> gen_rootCA.sh and gen_usercert.sh.
>>>> Everything works fine, but I have generated a certificate for my UA with
>>>> another CA and I have added this CA to the file user-cacert.pem.
>>>> When I try to connect with my UA, OpenSER logs an error like:
>>>>
>>>> "tls_error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
>>>> unknown ca"
>>>>
>>>> My file user-cacert.pem looks like:
>>>> -------BEGIN CERTIFICATE------
>>>> MAOIposio.....
>>>> --------END CERTIFICATE--------
>>>> -------BEGIN CERTIFICATE------
>>>> MJ809il......
>>>> --------END CERTIFICATE--------
>>>>
>>>> I think that OpenSER takes only the first CA certificate and not all
>>>> the following ones.
>>>>
>>>> Did someone have some experience with that case?
>>>>
>>>> Regards
>>>>
>>>> Greg
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at openser.org
>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>
>>>
>>
>

-- 
Klaus Darilion
nic.at
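Since the thread's working hypothesis is "a typo in the CA file", here is a small checker that reads a PEM bundle the same way the OpenSSL call above does: only text between an exact `-----BEGIN CERTIFICATE-----` line and an exact `-----END CERTIFICATE-----` line counts as a certificate, and descriptions before, between and after blocks are ignored. It counts the blocks that would load and reports the ones a typo would lose (wrong number of dashes, as in the file quoted in the question; a body that is not base64; a missing END). This is an added example and not code from the thread, OpenSER or OpenSSL; the function names are mine, and the sample bundle is constructed, with minimal DER SEQUENCEs standing in for real certificates.

```python
"""PEM CA-bundle checker: counts the certificate blocks OpenSSL would load
from a CAfile and reports blocks that would be lost to a typo.

Added example, not code from the thread, OpenSER or OpenSSL. The sample
bundle below is constructed: its "certificates" are minimal DER SEQUENCEs,
not real X.509 certificates."""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Matches anything that looks like it was meant to be a PEM delimiter
# (wrong dash count, stray whitespace) so it can be reported instead of
# silently being treated as free text.
LOOSE_DELIM = re.compile(r"^-+\s*(BEGIN|END) CERTIFICATE\s*-+\s*$")


def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE (tag 0x30) whose declared
    length matches the data; an X.509 certificate is always such a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form length, 1-4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)


def scan_bundle(text):
    """Parse a PEM bundle the way SSL_CTX_load_verify_locations() reads it:
    only text between an exact BEGIN line and an exact END line is a
    certificate; everything else is free text and ignored.

    Returns (loaded, problems): loaded is the list of DER blobs that parse,
    problems is a list of (line_no, message) a human should look at."""
    loaded, problems = [], []
    body, in_block, begin_line = [], False, None
    for n, line in enumerate(text.splitlines(), 1):
        if line == BEGIN:
            if in_block:
                problems.append((begin_line, "BEGIN without END; block ignored"))
            in_block, body, begin_line = True, [], n
        elif line == END:
            if not in_block:
                problems.append((n, "END without BEGIN; line ignored"))
                continue
            in_block = False
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                problems.append((begin_line, f"block body is not valid base64: {exc}"))
                continue
            if not der_sequence_ok(der):
                problems.append((begin_line, "block does not decode to a DER SEQUENCE"))
                continue
            loaded.append(der)
        elif LOOSE_DELIM.match(line):
            problems.append((n, f"malformed PEM delimiter, expected exactly "
                                f"{BEGIN!r} or {END!r}: {line!r}"))
        elif in_block:
            body.append(line.strip())
        # any other line outside a block is a description and is ignored
    if in_block:
        problems.append((begin_line, "BEGIN without END; block ignored"))
    return loaded, problems


def report(text):
    """Human-readable summary, one line per finding."""
    loaded, problems = scan_bundle(text)
    lines = [f"{len(loaded)} certificate block(s) would be loaded"]
    lines += [f"line {n}: {msg}" for n, msg in problems]
    return lines


# Constructed sample: two good blocks with free text around them (as in the
# CA.crt shown above), one block with the wrong number of dashes (as in the
# question), one block whose body is not base64.
SAMPLE_BUNDLE = """\
adrians ag-project CA cert (free text before a block is allowed)
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----

"cacert.pem" from server1 (free text between blocks is allowed too)
-----BEGIN CERTIFICATE-----
MAMCAQc=
-----END CERTIFICATE-----

a block typed with the wrong number of dashes
-------BEGIN CERTIFICATE------
MAMCAQk=
--------END CERTIFICATE--------

a block whose body is not base64
-----BEGIN CERTIFICATE-----
MAOIposio.....
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_BUNDLE)))
```

Run it against the real bundle with `python3 pemcheck.py < user-cacert.pem` after swapping `SAMPLE_BUNDLE` for `sys.stdin.read()`; if the count printed is lower than the number of CAs you expect, the reported line numbers point at the block that OpenSSL is not seeing. The DER check is deliberately shallow (outer SEQUENCE and length only), which is enough to catch truncated or mis-pasted base64 without pulling in an X.509 parser.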