On Thu, Apr 26, 2001 at 03:02:35PM -0400, George Lind wrote:
> I am having a problem with the server I wrote, which is doing client
> authentication. The server is getting the following error on the
> SSL_accept() call:
> 140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned.
> According to my tracing both the client and the server are presenting their
> certificates. The server is sending back the following to the client:
> 15 03 00 00 02 02 2e which I believe is an unsupported certificate alert.
> Both my client and server are using certificates issued by thawte.  They
> both have thawte as their trusted certificate authority.

The error message on the server is generated in s3_srvr.c:
                i=ssl_verify_cert_chain(s,sk);
                if (!i)
                        {
                        al=ssl_verify_alarm_type(s->verify_result);
                        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
                        goto f_err;
                        }

Therefore this error is listed, when the verification of the certificate
failed for whatever reason. You can use the verify_callback() to check
out the reason in detail and override the decision (if verify_callback()
returns "0" for any test, the situation you describe will occur).
Check out the manual page for SSL_CTX_set_verify() and/or the examples
in s_cb.c on how to use verify_callback().
According to s3_srvr.c, SSL_AD_UNSUPPORTED_CERTIFICATE is the default
error message sent when no other reason applies, so you have to use
verify_callback() to find out what is going on.

Hint: use s_server and/or s_client with the certificates you have. They
have a quite narrative verify_callback() built in, so you can easily
check your certificates. Of course, openssl "verify" may also be helpful.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
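
The last hint in the reply above, checking the certificates with openssl "verify", as an added example that is not part of the original message or of OpenSSL's own code. It builds two throwaway CAs and one client certificate (all names and files constructed here) and reports the numbered verification error, which is the same X509_V_ERR code a verify_callback() would see.

```shell
#!/bin/sh
# Added example. Every file name and subject name here is constructed.

make_ca() {      # $1 = path prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_client() {  # $1 = path prefix, $2 = path prefix of the issuing CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

# Print OK, or the numbered error line that names the failing check.
check_chain() {  # $1 = CA file the verifier trusts, $2 = peer certificate
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        openssl verify -CAfile "$1" "$2" 2>&1 | grep '^error [0-9]' | head -n 1
    fi
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/trusted" "Demo Trusted CA"
    make_ca "$d/other" "Demo Other CA"
    make_client "$d/client" "$d/trusted"
    # Same client certificate, checked against the issuing CA and an unrelated one.
    echo "trusted CA: $(check_chain "$d/trusted.pem" "$d/client.pem")"
    echo "other CA:   $(check_chain "$d/other.pem" "$d/client.pem")"
    rm -rf "$d"
}

run_demo
```

With a real deployment, pass the CA file the server actually loads and the certificate the client actually sends to check_chain.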
