I searched through the list of certificates that you have sent but could not find the issuer certificate for client1ica1.test.com.pem.
E:\ssl\install\test\tls\test.com>openssl x509 -issuer -in client1ica1.test.com.pem -noout issuer= /C=US/ST=CO/L=Denver/O=CCG/OU=XCP/CN=ica1.test.com Unless the server has access to a certificate whose subject is "/C=US/ST=CO/L=Denver/O=CCG/OU=XCP/CN=ica1.test.com", certificate verification would fail. depth=0 C = US, ST = CO, L = Denver, O = CCG, OU = XCP, CN = client1ica1.test.com verify error:num=20:unable to get local issuer certificate Thanks, Sandeep On Wed, Jun 1, 2011 at 10:40 AM, Mary Zhang <[email protected]> wrote: > In fact, I just found that openssl s_sever gives same result of untrusted > client cert - I forgot to specify "Verify" option to require client auth. > > It looks like the s_client didn't send the certificate chain from the > client cert file to server side, and the server cannot build the chain for > validation. > However, if I add client's intermediate CA to server's ca file (the root ca > always there), then it works. > > Double check, should the cert chain be sent over by client and server only > need have the root ca in its ca file? Or server need include the > intermediate CA in its ca file directly? > > And how can I force s_client to send the cert chain to server if it's > supported? > > BTW, my test certs are attached (created using xca), my test cmds are: > > openssl s_server -cert tls/example.com/cert.pem -CAfile tls/ > test.com/ca.pem -accept 8888 -Verify 10 > openssl s_client -connect localhost:8888 -msg -showcerts -cert > client1ica1.test.com.pem > > > Thanks! > > Mary > > > On Sat, May 28, 2011 at 10:42 AM, sandeep kiran p <[email protected] > > wrote: > >> Can you verify the client certificate using "openssl verify" with -CApath >> and -CAfile similar to what you have used in >> >> SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr) >> >> Does it work if you specify only the client cert and not the entire chain >> when using s_client? >> >> /Sandeep >> >> On Sat, May 28, 2011 at 12:18 AM, Mary Zhang <[email protected]>wrote: >> >>> Ziyu, please see my answers inline. >>> >>> Thanks! >>> >>> Mary >>> >>> 2011/5/27 Ziyu Liu <[email protected]> >>> >>>> >>>> At 2011-05-27 13:27:43,"Mary Zhang" <[email protected]> wrote: >>>> >>>> Thanks, Ziyu. >>>> >>>> >The certificate is ok. >>>> >In fact, openssl s_client using same test cert works fine against >>>> openssl >s_server, and if I put the intermediate CA into my SSL server's ca >>>> file, it >works as well. >>>> >>>> Did you attach the intermediate CA to your client certificate chain >>>> file? >>>> >>>> [Mary] Yeah, client cert file contains the whole chain. >>> >>>> >>>> >So the issue is that my SSL server is not building the cert chain >>>> >correctly to validate against the root ca. >>>> >And I'm not sure whether I missed some call/config to enable the cert >>>> >chain validation. >>>> >>>> There is no specific difference between cert or cert chain. >>>> What verification depth have you set? >>>> Have you set the same CN when generating the root CA and intermediate >>>> CA? >>>> >>>> [Mary] You mean for validation of cert or cert chain, there is no >>> difference in code: same code should work? >>> That's what I expected, but somehow it failed with chain case >>> only. >>> >>>> The verification depth is set to 10 by default (previous other's code), >>>> I may double check that part. >>>> >>>> The root CA and intermediate CA have different CNs. And I used >>> xca to create them. >>> >>> >>>> You can test your server with the certifcates in my attachment. >>>> Structure: >>>> rootcert.pem signs servercert.pem,a intermediate cert which is in the >>>> clientchian.pem >>>> a intermediate cert signs the clientcert.pem. >>>> [Mary] Will try, but my test certs work fine with OpenSSL s_client and >>>> s_server, and so don't think the certs have issue. >>>> >>>> >>> >>>> Thanks! >>>> >>>> Mary >>>> >>>> 2011/5/26 Ziyu Liu <[email protected]> >>>> >>>>> Use the command 'openssl x509 -in serverCA.pem -text -noout' to check >>>>> if your certificate is generated ok.When you are goting to use the >>>>> intermediate CA , you must use X509 v3 extension. >>>>> Check if you have this content: >>>>> * X509v3 extensions: >>>>> X509v3 Basic Constraints: >>>>> CA:TRUE* >>>>> >>>>> >>>>> At 2011-05-27 06:53:04,"Mary Zhang" <[email protected]> wrote: >>>>> >>>>> Hi, >>>>> >>>>> I am using OpenSSL for a SSL server and "openssl s_client" to test it >>>>> with client auth required. >>>>> Self-sigend root cert is used for creating client certs, and the >>>>> self-signed root cert is added to SSL server's trusted ca file. >>>>> >>>>> It works fine when client cert has no chain, but if the client cert is >>>>> created by an intermediate ca which is signed by previous root ca, the SSL >>>>> server failed with unknown ca. >>>>> From the debug trace, looks like s_client sent the whole chain (the >>>>> client cert file contains the private key and the whole chain in PEM >>>>> format). >>>>> >>>>> I've thought that OpenSSL will automatically build the chain based on >>>>> what sent from client, and since the root ca is trusted, and it should >>>>> work. >>>>> Am I wrong? Do I need get the client's cert chain and set to the SSL >>>>> CTX for validation? >>>>> >>>>> BTW, here are the functions used: >>>>> >>>>> SSL_CTX_new(SSLv23_method()); >>>>> >>>>> >>>>> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH); >>>>> >>>>> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); >>>>> >>>>> >>>>> SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) >>>>> >>>>> SSL_CTX_use_certificate_chain_file(ctx, cert_fname) >>>>> >>>>> SSL_CTX_use_PrivateKey_file(ctx, cert_fname, SSL_FILETYPE_PEM) >>>>> >>>>> STACK_OF(X509_NAME) *ca_certs = SSL_load_client_CA_file((char >>>>> *)ca_fname); >>>>> >>>>> SSL_CTX_set_client_CA_list(ctx, ca_certs); >>>>> >>>>> >>>>> SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr) >>>>> >>>>> >>>>> >>>>> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, >>>>> NULL); >>>>> >>>>> >>>>> SSL_CTX_set_verify_depth(ctx, _verify_depth); >>>>> >>>>> >>>>> Thank you very much! >>>>> >>>>> >>>>> Mary >>>>> >>>>> >>>>> >>>>> >>>>> >>>>> >>>> >>>> >>>> >>> >> >
