On Thu, Apr 26, 2001 at 03:02:35PM -0400, George Lind wrote:
> I am having a problem with the server I wrote, which is doing client
> authentication. The server is getting the following error on the
> SSL_accept() call:
> 140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned.
> According to my tracing both the client and the server are presenting their
> certificates. The server is sending back the following to the client:
> 15 03 00 00 02 02 2e which I believe is an unsupported certificate alert.
> Both my client and server are using certificates issued by thawte. They
> both have thawte as their trusted certificate authority.

The error message on the server is generated in s3_srvr.c:

    i=ssl_verify_cert_chain(s,sk);
    if (!i)
        {
        al=ssl_verify_alarm_type(s->verify_result);
        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
        goto f_err;
        }

Therefore this error is listed, when the verification of the certificate
failed for whatever reason. You can use the verify_callback() to check
out the reason in detail and override the decision (if verify_callback()
returns "0" for any test, the situation you describe will occur).
Check out the manual page for SSL_CTX_set_verify() and/or the examples
in s_cb.c on how to use verify_callback().

According to s3_srvr.c, SSL_AD_UNSUPPORTED_CERTIFICATE is the default
error message sent when no other reason applies, so you have to use
verify_callback() to find out what is going on.

Hint: use s_server and/or s_client with the certificates you have. They
have a quite narrative verify_callback() built in, so you can easily
check your certificates. Of course, openssl "verify" may also be helpful.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
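
Added example, not part of the original message or of OpenSSL: a small decoder for a plaintext SSLv3/TLS alert record, run on the seven trace bytes quoted in the thread, so the alert level and description can be read off before digging into verify_callback(). The function names are this example's own, and the description names are taken from the SSLv3 and TLS 1.0 alert tables.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct alert { uint8_t major, minor, level, desc; };

/* Certificate-related AlertDescription names (SSLv3 / TLS 1.0 alert tables). */
const char *alert_desc_name(uint8_t d)
{
    static const char *names[] = { "no_certificate", "bad_certificate",
        "unsupported_certificate", "certificate_revoked",
        "certificate_expired", "certificate_unknown" };   /* codes 41..46 */
    if (d >= 41 && d <= 46) return names[d - 41];
    return d == 48 ? "unknown_ca" : "other";
}

/* Convert a trace line such as "15 03 00" to bytes; returns count or -1. */
int hex_to_bytes(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0;
    char *end;
    for (;; s = end) {
        unsigned long v = strtoul(s, &end, 16);
        if (end == s) break;                    /* no further hex token */
        if (v > 0xff || n == cap) return -1;    /* not a byte, or buffer full */
        out[n++] = (uint8_t)v;
    }
    return s[strspn(s, " ")] == '\0' ? (int)n : -1;   /* reject trailing junk */
}

/* Parse one plaintext alert record; returns 0 on success, -1 otherwise. */
int parse_alert_record(const uint8_t *b, size_t len, struct alert *a)
{
    if (len < 7 || b[0] != 0x15 || b[1] != 3) return -1;  /* alert(21), SSL 3.x */
    if (((b[3] << 8) | b[4]) != 2) return -1;   /* longer body: encrypted alert */
    if (b[5] != 1 && b[5] != 2) return -1;      /* 1 = warning, 2 = fatal */
    a->major = b[1]; a->minor = b[2]; a->level = b[5]; a->desc = b[6];
    return 0;
}

int main(void)
{
    uint8_t buf[16];
    struct alert a;
    int n = hex_to_bytes("15 03 00 00 02 02 2e", buf, sizeof buf); /* bytes from the thread */
    if (n < 0 || parse_alert_record(buf, (size_t)n, &a) != 0) return 1;
    printf("alert level=%u desc=%u (%s)\n", a.level, a.desc, alert_desc_name(a.desc));
    return 0;
}
```

Alerts sent after ChangeCipherSpec are encrypted, so their record length is larger than 2 and this decoder rejects them rather than misreading ciphertext as a level and description.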