I tried using the openssl s_server. I got the same errors on both
ends.

Here is the output I get on the server side "

Using default temp DH parameters
Enter PEM pass phrase:
ACCEPT




read from 00158A88 [001630E8] (11 bytes => 11 (0xB))
0000 - 16 03 00 00 37 01 00 00-33 03                     ....7...3.
000b - <SPACES/NULS>
read from 00158A88 [001630F3] (49 bytes => 49 (0x31))
0000 - 3e 8b d4 53 ef d9 ea c8-f0 6d 97 98 f7 1d e4 51   >..S.....m.....Q
0010 - 9d 98 52 f4 41 a5 ca 11-0e d9 c9 57 70 d4 56 55   ..R.A......Wp.VU
0020 - 00 00 0c 00 0a 00 05 00-04 00 09 00 03 00 08 01   ................
0031 - <SPACES/NULS>
write to 00158A88 [0016C108] (79 bytes => 79 (0x4F))
0000 - 16 03 00 00 4a 02 00 00-46 03 00 3e 8b d4 20 f7   ....J...F..>.. .
0010 - 3b 8a 2e 1f b8 8d a7 2e-dd 4a 50 51 77 10 7a aa   ;........JPQw.z.
0020 - f4 16 b1 b4 e5 b4 86 7a-f2 56 9c 20 83 78 43 f3   .......z.V. .xC.
0030 - c5 84 7f 7b 32 44 d1 7a-64 3e d3 b0 0b 84 92 34   ...{2D.zd>.....4
0040 - 2b fb 5b 40 2c 24 3a 45-ba 37 c1 b3 00 0a         +.[@,$:E.7....
004f - <SPACES/NULS>
write to 00158A88 [0016C108] (640 bytes => 640 (0x280))
write to 00158A88 [0016C108] (9 bytes => 9 (0x9))
0000 - 16 03 00 00 04 0e                                 ......
0009 - <SPACES/NULS>
read from 00158A88 [001630E8] (5 bytes => 5 (0x5))
0000 - 15 03 00 00 02                                    .....
read from 00158A88 [001630ED] (2 bytes => 2 (0x2))
0000 - 02                                                .
0002 - <SPACES/NULS>
ERROR
1626:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:985:SSL alert number 0
1626:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
shutting down SSL
CONNECTION CLOSED
ACCEPT

"


Please tell me what I can do now?

Thank you,
Avinash

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, April 01, 2003 6:29 PM
To: [EMAIL PROTECTED]
Subject: Re: openssl libs vs RSA libs problem

On Tue, Apr 01, 2003, Avinash Agarwal wrote:

> Hello all,
>
> I have a server implemented using openssl libs and a client which is
> implemented using RSA libs.
>
> The handshake is failing and I get the following errors
>
> on the client:
>
> “
> - Certificate chain didn't validate: Incomplete certificate
>  - CA is Unknown CA
> SSL: Certificate validate failed -- Incomplete certificate
> SSL: Hand shaking  failed -- Incomplete certificate.
> SSL: Client closing SSL connection
> “
>
> on the server:
>
> “
> 1653:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:985:SSL alert number 0
> “
>
> I also have another client implemented using openssl libs and the
> handshake happens fine with the server.
>
> The point where it's failing is where the client (with RSA libs) does a
> check for verifying the cert chain.
> It complains that it's unable to get the CA-cert.
>
> Could anyone give me pointers on what could be the problem .. is there
> some incompatibility between the two libs?

It looks like the client can't verify the server's certificate chain.

If there are any intermediate certificates in the chain then the server should
send those: you can use the s_client utility with -showcerts to see what it is
sending.

Also the client needs to trust the server's root CA if it doesn't already.
You'll have to check whatever documentation comes with the client to see how
to do that.

Steve.
--
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
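
Added example, not part of the original thread and not OpenSSL code: a small Python decoder for the SSL record headers in the s_server output posted in the first message, showing which handshake message the server had just written when the peer's alert arrived. The byte strings are the leading bytes of each record as posted, with bytes the dump hides as <SPACES/NULS> restored as 00; the function and table names are this example's own.

```python
import struct

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 14: "server_hello_done",
             16: "client_key_exchange", 20: "finished"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 48: "unknown_ca"}

# Leading bytes of each record in the posted dump, in the order they appear.
RECORDS = [
    ("read",  "16 03 00 00 37 01 00 00 33"),
    ("write", "16 03 00 00 4a 02 00 00 46"),
    ("write", "16 03 00 02 7b 0b 00 02 77"),
    ("write", "16 03 00 00 04 0e 00 00 00"),   # trailing NULs restored
    ("read",  "15 03 00 00 02 02 00"),         # header read, then 2-byte body
]

def describe(direction, hexbytes):
    """Decode the 5-byte record header and the first bytes of its body."""
    data = bytes.fromhex(hexbytes)
    if len(data) < 5:
        raise ValueError("need the full 5-byte record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:]
    rec = {"dir": direction, "type": CONTENT.get(ctype, "unknown"),
           "version": (major, minor), "length": length}
    if ctype == 22 and len(body) >= 4:        # handshake: type + 24-bit length
        rec["msg"] = HANDSHAKE.get(body[0], "unknown")
        rec["msg_length"] = int.from_bytes(body[1:4], "big")
    elif ctype == 21 and len(body) >= 2:      # alert: level + description
        rec["level"] = ALERT_LEVEL.get(body[0], "unknown")
        rec["description"] = ALERT_DESC.get(body[1], str(body[1]))
    return rec

def alert_context(records):
    """Return (last handshake message before the first alert, that alert)."""
    last = None
    for direction, hexbytes in records:
        rec = describe(direction, hexbytes)
        if rec["type"] == "alert":
            return last, rec
        if rec["type"] == "handshake":
            last = rec
    return last, None

if __name__ == "__main__":
    for r in RECORDS:
        print(describe(*r))
```

The decoded alert is level 2 (fatal) with description 0, the value OpenSSL reports as "SSL alert number 0", and it is read immediately after the server writes its Certificate and ServerHelloDone messages.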
