Hi. When using the net_ssl_test script I get this error:

== FAILED TO CONNECT ==
Error: SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed at

In one test case it seems to work; in the other it fails. I'm not sure where I went wrong. The details of what I've done are below.

SECTION 1 - shows the openssl commands I used to parse the PKCS12 file.
SECTION 2 - shows the script and output that runs well
SECTION 3 - shows the script and output that fails
SECTION 4 - shows my environment

I am behind a firewall, but we don't use a proxy.

I'd greatly appreciate any help.

Thanks,
John

- SECTION 1 ----------------------------

I created my files like this:

    pkcs12 -in dt.pfx -cacerts -nodes -nokeys -out dt_ca.crt
    Enter Import Password:
    MAC verified OK

    pkcs12 -in dt.pfx -clcerts -nodes -nokeys -out dt_cl.crt
    Enter Import Password:
    MAC verified OK

    pkcs12 -in dt.pfx -nocerts -nodes -out dt.key
    Enter Import Password:
    MAC verified OK

I tested the cert files with these commands:

    x509 -in dt_ca.crt -noout -text
    x509 -in dt_cl.crt -noout -text
    rsa -in dt.key -noout -text

and they seemed to pass.

- SECTION 2 ----------------------------

When I run this (HTTPS_CA* are commented out):

    #!/usr/bin/ksh
    #export HTTPS_CA_FILE='./dt_ca.crt';
    #export HTTPS_CA_DIR='.';
    export HOST='https://www.nwoasis.org';
    ./net_ssl_test -cert=./dt_cl.crt -key=./dt.key -d GET $HOST

I get this output (which I think looks ok):

    ieh1: dt_test.ksh
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    WEB SITE: www.nwoasis.org:443
    CIPHER: RC4-MD5
    THIS IS: /C=US/O=BONNEVILLE POWER ADMINISTRATION/OU=BONNEVILLE POWER ADMINISTRATION/CN=www.nwoasis.org
    CERTIFIED BY: /C=US/O=Digital Signature Trust Co./OU=TrustID Server/CN=TrustID Server CA A5
    SSL_connect:SSL renegotiate ciphers
    SSL_connect:SSLv3 write client hello A
    SSL_connect:SSLv3 read server hello A
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server certificate request A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client certificate A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write certificate verify A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Content-Location: https://206.137.58.66/index.html
    Date: Wed, 05 Jun 2002 22:48:21 GMT
    Content-Type: text/html
    Accept-Ranges: bytes
    Last-Modified: Tue, 16 Nov 1999 22:18:40 GMT
    ETag: "8de44898030bf1:311f5"
    Content-Length: 1038
    ...

- SECTION 3 ----------------------------

When I add in the HTTPS_CA variables and run this:

    #!/usr/bin/ksh
    export HTTPS_CA_FILE='./dt_ca.crt';
    export HTTPS_CA_DIR='.';
    export HOST='https://www.nwoasis.org';
    ./net_ssl_test -cert=./dt_cl.crt -key=./dt.key -d GET $HOST

I get this output (which looks bad):

    ieh1: digi_test.ksh
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    SSL3 alert write:fatal:unknown
    SSL_connect:error in SSLv3 read server certificate B
    SSL_connect:error in SSLv3 read server certificate B
    SSL_connect:before/connect initialization
    SSL_connect:SSLv3 write client hello A
    SSL_connect:SSLv3 read server hello A
    SSL3 alert write:fatal:bad certificate
    SSL_connect:error in SSLv3 read server certificate B
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2 write client hello A
    SSL_connect:error in SSLv2 read server hello B
    == FAILED TO CONNECT ==
    Error: SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed at /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris/Net/SSL.pm line 215.
    ; at /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris/Net/SSL.pm line 146.
    If you need to use a proxy, please pass it in as an argument like
    ./net_ssl_test -p 127.0.0.1:8080
    which sets $ENV{HTTPS_PROXY} for you.

- SECTION 4 ----------------------------

Environment:

    Perl v5.6.1
    Solaris 8
    Crypt-SSLeay-0.37
    OpenSSL 0.9.6 24 Sep 2000

-----------------------------
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
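
Added example (not part of the original post and not code from Crypt-SSLeay or OpenSSL): a small Python parser that groups the SECTION 3 state trace into handshake attempts and records which side sent each alert. In this trace format "alert write" is an alert sent by the local side and "alert read" one received from the peer; the function name summarize and the dictionary keys are illustrative.

```python
import re

# Sample input: the SECTION 3 state trace from the post, one event per line.
TRACE = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello B
"""

ALERT = re.compile(r"^SSL\d alert (read|write):(\w+):(.+)$")
STATE = re.compile(r"^SSL_connect:(error in )?(.+)$")

def summarize(trace):
    """Split a trace into handshake attempts: hello type, alerts, failing state."""
    attempts = []
    for line in filter(None, map(str.strip, trace.splitlines())):
        if line == "SSL_connect:before/connect initialization":
            attempts.append({"hello": None, "alerts": [], "failed_in": None})
            continue
        if not attempts:
            continue  # ignore anything before the first handshake starts
        cur = attempts[-1]
        alert = ALERT.match(line)
        state = STATE.match(line)
        if alert:
            # "write" = sent by this client, "read" = received from the server
            sender = "client" if alert.group(1) == "write" else "server"
            cur["alerts"].append((sender, alert.group(2), alert.group(3)))
        elif state and state.group(1):
            cur["failed_in"] = state.group(2)
        elif state and "write client hello" in state.group(2):
            cur["hello"] = state.group(2).split(" write")[0]
    return attempts

if __name__ == "__main__":
    for n, attempt in enumerate(summarize(TRACE), 1):
        print(n, attempt)
```

On this trace the parser reports three attempts (SSLv2/v3, SSLv3, SSLv2 hellos); the first two end with a fatal alert written by the client while reading the server certificate, and the final error string names an SSL2 routine, matching the last attempt.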