I was too hasty posting that last message. I thought I had started from scratch, but it looks like my cacert.pem was out of sync with my signed certs (I had created demoCA several times). I just rebuilt the whole thing and now s_client has no errors, but s_server still reports "SSL3 alert read:warning:no certificate". I'm rebuilding the third party environment now to see if that changes anything. Will post again if I still have problems.

Sorry,
Ed

-----Original Message-----
From: Trembicki-Guy, Ed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 19, 1999 12:00 PM
To: [EMAIL PROTECTED]
Subject: Please Help: Newbie trying to understand cacert

Help! Am I missing something? The openssl utilities, s_server and s_client, seem to work (with some errors reported), but the third party app that I'm trying to use, which wraps the libraries, still fails.

I built openssl-0.9.4 on HPUX 11 with -DNO_RSA. The directory structure is /dnbusr1/guye/ssl/openssl-0.9.4/{etc.}

From the directory /dnbusr1/guye/ssl/openssl-0.9.4/apps/, I followed the instructions for creating a DSA CA, DSA parameters, DSA server & client certs, and DH parameters as follows:

    openssl gendh -out dhparam.pem 1024
    openssl dsaparam 1024 -out dsa1024.pem
    openssl req -x509 -newkey dsa:dsa1024.pem -out dsaca.pem
    CA.sh -newca
    cp privkey.pem demoCA/private/cakey.pem
    cp dsaca.pem demoCA/cacert.pem
    openssl req -newkey dsa:dsa1024.pem -out newreq.pem
    CA.sh -signreq
    cat dhparam.pem newcert.pem privkey.pem > server.pem
    openssl req -newkey dsa:dsa1024.pem -out newreq.pem
    CA.sh -signreq
    cat dhparam.pem newcert.pem privkey.pem > client.pem
    cp client.pem ../server.pem

The last four commands were to create a server.pem in a separate directory for the s_client utility.

I ran the s_server and s_client utilities as follows:

    openssl 2>&1 | tee server.log
    OpenSSL> s_server -state -debug -verify 1 -CApath demoCA -CAfile cacert.pem

and

    openssl 2>&1 | tee client.log
    OpenSSL> s_client -state -debug -verify 1 -CApath apps/demoCA -CAfile apps/demoCA/cacert.pem

I have attached the server.log and client.log files, which show some complaints about "no certificate" (server.log) and "unable to get local issuer" and "verify first certificate" (client.log). The utilities still proceed to the point where what I type at the client is sent to the server and vice versa.

When I try the same thing with the third party app, I get a connection failure. With the limited logging support that it has (similar to the -state flag), I get the following:

Server:

    Failed Connection Attempt
    SSL: 0 24576 HANDSHAKE_START
    SSL: ACCEPT 24576 ACCEPT_LOOP
    SSL: ACCEPT SSL3_SR_CLNT_HELLO_A ACCEPT_LOOP
    SSL: ACCEPT SSL3_SW_SRVR_HELLO_A ACCEPT_LOOP
    SSL: ACCEPT SSL3_SW_CERT_A ACCEPT_LOOP
    SSL: ACCEPT SSL3_SW_KEY_EXCH_A ACCEPT_LOOP
    SSL: ACCEPT SSL3_SW_SRVR_DONE_A ACCEPT_LOOP
    SSL: ACCEPT SSL3_SW_FLUSH ACCEPT_EXIT

Client:

    Connect Error: -1
    SSL: 0 20480 HANDSHAKE_START
    SSL: CONNECT 20480 CONNECT_LOOP
    SSL: CONNECT SSL3_CW_CLNT_HELLO_A CONNECT_LOOP
    SSL: CONNECT SSL3_CR_SRVR_HELLO_A CONNECT_EXIT

I believe the number 24576 (0x6000) equates to BEFORE|ACCEPT and 20480 (0x5000) equates to BEFORE|CONNECT.

I have also attached cacert.pem, server.pem and client.pem. Can someone please tell me if I've done something wrong?

I thought maybe it has something to do with cacert.pem, because when I try to load it in the third party app* it returns an error structure with the following:

    #PEM 109 108
    #X509 112 9

which I believe translates to:

    109 = PEM_F_PEM_READ_BIO
    108 = PEM_R_NO_START_LINE
    112 = X509_F_X509_LOAD_CRL_FILE
      9 = ???

*The app appears to call the following library routines: X509_LOOKUP_file(), X509_STORE_add_lookup() and X509_LOOKUP_ctrl(), which returns 0, at which point I retrieve the error structure.

I'm not even sure if this is what is preventing the connection, but any help at all is most appreciated.

Thanks,
Ed Trembicki-Guy

p.s. The attached files are in PC format (cr/lf) as I ftp'ed them from the Unix machine in ASCII mode.

______________________________________________________________________
OpenSSL Project                                     http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
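Added example, not part of the thread above and not OpenSSL's own code: a small PEM-bundle checker for files laid out the way the poster built server.pem and client.pem (cat dhparam.pem newcert.pem privkey.pem). It lists the "-----BEGIN ... -----" blocks a file actually contains, in order, verifies each body is well-formed base64, parses CR/LF files the same as LF files (the p.s. mentions the attachments were FTP'ed in ASCII mode), and reports a "no start line" error when a requested block type is missing, which is the condition under which OpenSSL's PEM reader sets PEM_R_NO_START_LINE (end of input reached without a BEGIN line). The sample bundle below is constructed for the example; its bodies are a dummy 5-byte DER SEQUENCE, not real DH parameters, certificates or keys, and the function and class names are this example's own.

```python
"""PEM bundle inspector (added example; not from the mailing-list thread)."""
import base64
import binascii
import re
from dataclasses import dataclass

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


class PemError(Exception):
    """Raised with a message modelled on OpenSSL's PEM reason strings."""


@dataclass
class PemBlock:
    label: str      # e.g. "CERTIFICATE", "DH PARAMETERS", "DSA PRIVATE KEY"
    der: bytes      # decoded body
    line_no: int    # 1-based line of the BEGIN marker, for diagnostics


def split_pem(text: str) -> list[PemBlock]:
    """Return every well-formed PEM block in `text`, in file order.

    Lines are right-stripped before matching, so a CR/LF file (PC format)
    parses exactly like an LF file. Text outside BEGIN/END pairs is ignored;
    a mismatched or missing END line and a bad base64 body are errors.
    """
    blocks: list[PemBlock] = []
    label = None
    body: list[str] = []
    start = 0
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if label is None:
            m = BEGIN_RE.match(line)
            if m:
                label, body, start = m.group(1), [], n
            continue
        m = END_RE.match(line)
        if m is None:
            body.append(line)
            continue
        if m.group(1) != label:
            raise PemError(f"line {n}: END {m.group(1)} does not close BEGIN {label}")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as exc:
            raise PemError(f"block at line {start}: bad base64 decode ({exc})")
        blocks.append(PemBlock(label, der, start))
        label = None
    if label is not None:
        raise PemError(f"block at line {start}: no END {label} line")
    return blocks


def read_block(text: str, want: str) -> PemBlock:
    """First block of type `want`; otherwise the no-start-line condition."""
    for block in split_pem(text):
        if block.label == want:
            return block
    raise PemError("no start line")  # what OpenSSL reports as PEM_R_NO_START_LINE


def describe(text: str) -> list[str]:
    """One human-readable line per block, for eyeballing a bundle."""
    return [f"{b.label} ({len(b.der)} bytes, line {b.line_no})" for b in split_pem(text)]


# Constructed sample: same layout as the poster's server.pem, but with a
# dummy DER body (SEQUENCE { INTEGER 1 } = 30 03 02 01 01) in each block.
SERVER_PEM = (
    "-----BEGIN DH PARAMETERS-----\n"
    "MAMCAQE=\n"
    "-----END DH PARAMETERS-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN DSA PRIVATE KEY-----\n"
    "MAMCAQE=\n"
    "-----END DSA PRIVATE KEY-----\n"
)
SERVER_PEM_CRLF = SERVER_PEM.replace("\n", "\r\n")   # as an ASCII-mode FTP to a PC would leave it
NO_MARKERS = "just some text, no PEM armour at all\n"  # constructed: triggers "no start line"

if __name__ == "__main__":
    for name, text in [("server.pem", SERVER_PEM), ("server.pem (CRLF)", SERVER_PEM_CRLF)]:
        print(name, describe(text))
    try:
        read_block(NO_MARKERS, "CERTIFICATE")
    except PemError as exc:
        print("cacert-style load failed:", exc)
```

Run it against the real cacert.pem, server.pem and client.pem to see which block types each file actually carries and whether the line endings or a truncated paste have damaged the armour; a CA file that yields no CERTIFICATE block is the first thing to rule out before suspecting the TLS handshake itself.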