[Users] Multiple CA

Klaus Darilion klaus.mailinglists at pernau.at
Fri Nov 10 10:05:25 CET 2006


Hi Gregoire!

Sorry for the late response - I was at the Openser Summit.

Regarding your problem: openser uses SSL_CTX_load_verify_locations(..) to 
load the CA. As the docs say 
(http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html) all 
the CAs in this file will be used:

...
If CAfile is not NULL, it points to a file of CA certificates in PEM 
format. The file can contain several CA certificates identified by

  -----BEGIN CERTIFICATE-----
  ... (CA certificate in base64 encoding) ...
  -----END CERTIFICATE-----

sequences. Before, between, and after the certificates text is allowed 
which can be used e.g. for descriptions of the certificates.
...
Thus, it should work out of the box. I will try it myself.

regards
klaus

Gregoire wrote:
> Hi!
> When a single CA is in the file, there is no problem. But when I put
> multiple CAs, only the first one is taken. OpenSER doesn't care about
> the others.
> 
> Greg
> Klaus Darilion wrote:
> 
>> Hi Greg!
>>
>> I have not tested this, but from reading the openssl docs I had the
>> feeling that all the CAs in the ca-file will be used.
>>
>> Is the CA the only one in the ca-file or are the multiple CAs in the
>> ca-file? Can you try if it works when using only a single CA in the
>> ca-file?
>>
>> regards
>> klaus
>>
>>
>> On Sun, November 5, 2006 20:39, Gregoire said:
>>
>>> Hi everybody!
>>>
>>> I am using OpenSER 1.1 with TLS.
>>> I have generated the client and server certificates with the scripts
>>> gen_rootCA.sh and gen_usercert.sh.
>>> Everything works fine, but I have generated a certificate for my UA with
>>> another CA and I have added this CA to the file user-cacert.pem.
>>> When I try to connect with my UA, OpenSER logs an error like:
>>>
>>> "tls_error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
>>> unknown ca"
>>>
>>> My file user-cacert.pem looks like:
>>> -------BEGIN CERTIFICATE------
>>> MAOIposio.....
>>> --------END CERTIFICATE--------
>>> -------BEGIN CERTIFICATE------
>>> MJ809il......
>>> --------END CERTIFICATE--------
>>>
>>> I think that OpenSER takes only the first CA certificate and not all the
>>> following ones.
>>>
>>> Did someone have some experience with that case?
>>>
>>> Regards
>>>
>>> Greg
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at openser.org
>>> http://openser.org/cgi-bin/mailman/listinfo/users


-- 
Klaus Darilion
nic.at
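To make the quoted OpenSSL rule concrete, here is a small PEM bundle splitter that reads a CA file the way the docs above describe: each -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- sequence is one certificate, and whatever text sits before, between or after the blocks is treated as free text (descriptions). It also lists lines that look like markers but do not match exactly (wrong number of dashes, trailing spaces), since such a block would be treated as free text and silently skipped. This is an added example, not OpenSER or OpenSSL code; the sample bundle is constructed inline and its base64 bodies are tiny placeholder DER SEQUENCEs, not real certificates.

```python
"""Split a PEM CA bundle into its certificate blocks (added example).

Follows the rule from the OpenSSL docs for SSL_CTX_load_verify_locations:
every BEGIN/END CERTIFICATE sequence is a certificate, any other text is
ignored.  Not OpenSER or OpenSSL code; the sample data below is constructed.
"""

import base64
import binascii
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def split_ca_bundle(text):
    """Return a list of (description, der_bytes, sha256_hex) for each
    well-formed certificate block in `text`.

    A block starts only at a line that is exactly the BEGIN marker; any
    other line outside a block is collected as the description of the
    next certificate.  Trailing whitespace/CR is dropped, leading
    whitespace is not (a marker must start at column 0)."""
    certs = []
    description = []
    body = None  # None while outside a block, list of base64 lines inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if body is None:
            if line == BEGIN:
                body = []
            elif line:
                description.append(line)
            continue
        if line == END:
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError("bad base64 in certificate block: %s" % exc)
            # A DER certificate always starts with a SEQUENCE tag (0x30).
            if not der or der[0] != 0x30:
                raise ValueError("block does not start with a DER SEQUENCE")
            certs.append((" ".join(description), der,
                          hashlib.sha256(der).hexdigest()))
            description, body = [], None
        else:
            body.append(line)
    if body is not None:
        raise ValueError("unterminated certificate block")
    return certs


def suspicious_marker_lines(text):
    """(line number, line) for lines that mention BEGIN/END CERTIFICATE but
    are not the exact marker.  Such lines are plain text to the bundle
    reader, so the block they wrap is skipped rather than loaded."""
    bad = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if ("BEGIN CERTIFICATE" in line or "END CERTIFICATE" in line) \
                and line not in (BEGIN, END):
            bad.append((number, line))
    return bad


# Constructed sample bundle: two good blocks, one with mistyped markers.
# "MAMCAQE=" etc. decode to 30 03 02 01 0x, a placeholder DER SEQUENCE.
SAMPLE_BUNDLE = "\n".join([
    "Root CA 1 (placeholder DER, not a real certificate)",
    "-----BEGIN CERTIFICATE-----",
    "MAMCAQE=",
    "-----END CERTIFICATE-----",
    "Root CA 2",
    "-----BEGIN CERTIFICATE-----",
    "MAMCAQI=",
    "-----END CERTIFICATE-----",
    "Root CA 3, with mistyped markers: skipped",
    "-------BEGIN CERTIFICATE------",
    "MAMCAQM=",
    "--------END CERTIFICATE--------",
])


if __name__ == "__main__":
    for desc, der, fp in split_ca_bundle(SAMPLE_BUNDLE):
        print("%-55s %d bytes  sha256=%s" % (desc, len(der), fp[:16]))
    for number, line in suspicious_marker_lines(SAMPLE_BUNDLE):
        print("line %d: not a PEM marker: %r" % (number, line))
```

On a real user-cacert.pem the same check can be done with the OpenSSL command line: `openssl crl2pkcs7 -nocrl -certfile user-cacert.pem | openssl pkcs7 -print_certs -noout` prints the subject of every certificate the bundle reader finds, and `openssl verify -CAfile user-cacert.pem ua-cert.pem` tells whether the UA certificate chains to one of them.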