We're porting some (previously) working code from an ancient version of ssleay to openssl 0.9.6b (HPUX).
We're having a problem (apparently) with the server-side of a client-server application, both ends using openssl 0.9.6b. We're using locally generated certificates (Entrust PKI) for both the client and server, which according to openssl "verify" are only given the purpose of "server". One Verisign server cert we played with appears to not have a purpose set, or at least permit both sslclient and sslserver. The client side doesn't have any trouble with talking to web servers (in particular, Stronghold 2.2) with the Entrust certs, and the web server is successfully able to retrieve the client cert. Tho, 2.2 of course uses ssleay internally. Yeah, once this mess is over, we're going to upgrade to Stronghold 3. When we use our client with a verisign-signed server cert, our server side successfully verifies. When we use "openssl s_client" (or our client) with our entrust cert, our server spits out: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned When we use openssl s_client we get: 29776:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:964:SSL alert number 46 29776:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:490: when running "openssl verify" with our root_certs, "-purpose sslclient" returns: error 26 at 0 depth lookup:unsupported certificate purpose OK Whereas with "-purpose sslserver" returns just "OK". I _assume_ this has something to do with the "purpose". openssl's code _apepars_ to verify that the cert has the right "purpose". Right? Our SSL_CTX_set_verify call has "SSL_VERIFY_PEER" and "SSL_VERIFY_FAIL_IF_NO_PEER_CERT". [I get confused around here, because I can't see anything that implies it would generate a "no certificate returned" message. If "purpose" was the real problem, wouldn't it say something more specific?] For various (mostly political) reasons, we can't [re]generate the certs we use with "sslclient". Do we need to resort to a verify callback to permit an 0.9.6b server to accept server certs from the client? Or is something else going wrong? ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
