Hello Dr. Stephen,

The cmd switches I am using are:

OpenSSL> s_client -connect <server name>:443 -state -cert leafcert.pem -key privkey.pem -CAfile nyisobag.pem
Loading 'screen' into random state - done
Enter PEM pass phrase:
840:error:0906D066:PEM routines:PEM_read_bio:bad end line:.\crypto\pem\pem_lib.c:736:
840:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:.\crypto\x509\by_file.c:280:
CONNECTED(000002D4)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=US/O=NYISO/OU=Market Relations/CN=Certificate Manager
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
840:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:.\ssl\s3_pkt.c:1052:SSL alert number 48
840:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:226:

Yes, the server performs client auth.

Also, from a different application, the error I am getting connecting to the same server is:

ssl_debug(2): Starting handshake (iSaSiLk 3.03)...
ssl_debug(2): Sending v3 client_hello message, requesting version 3.1...
ssl_debug(2): Received v3 server_hello handshake message.
ssl_debug(2): Server selected SSL version 3.1.
ssl_debug(2): Server created new session 49:36:D8:53:B2:B4:4B:22...
ssl_debug(2): CipherSuite selected by server: SSL_RSA_WITH_RC4_128_SHA
ssl_debug(2): CompressionMethod selected by server: NULL
ssl_debug(2): Received certificate handshake message with server certificate.
ssl_debug(2): Server sent a 1024 bit RSA certificate, chain has 2 elements.
validating certificate chain
looking in datastore for certificate with DN cn=Certificate Manager,ou=Market Relations,o=NYISO,c=US
match found
chain length: 2
server verification failed: com.sslpack.security.AXSecurityException: Extension error: certificate at index 0 is marked CA
        at com.sslpack.security.impl.entrust61.a.verifyChain(X509VerifierImpl.java)
        at com.sslpack.security.CertChainVerifier.verify(CertChainVerifier.java:349)
        at com.sslpack.security.CertChainVerifier.completeAndVerifyChain(CertChainVerifier.java:294)
        at com.sslpack.security.CertChainVerifier.validateAndCompleteChain(CertChainVerifier.java:175)
        at com.sslpack.security.ssl.DefaultCertificateVerifier.authenticateServer(DefaultCertificateVerifier.java:129)
        at com.sslpack.security.ssl.ExtendedCertificateVerifier.authenticateServer(ExtendedCertificateVerifier.java:119)

Which error is more correct, the above application's or OpenSSL's? What might possibly be wrong with this server's leaf cert?

Thanks for your help in advance.

-neal

--- "Dr. Stephen Henson" <[EMAIL PROTECTED]> wrote:

> On Tue, Aug 03, 2004, nathv wrote:
> 
> > Hello All,
> > 
> > I am trying to access a server using s_client and I am
> > passing the leaf and self signed CA of the server
> > through -CAfile switch, but I am still getting the
> > error below, any ideas?
> > 
> > .....
> > SSL_connect:SSLv3 write certificate verify A
> > >>> TLS 1.0 ChangeCipherSpec [length 0001]
> >     01
> > SSL_connect:SSLv3 write change cipher spec A
> > >>> TLS 1.0 Handshake [length 0010], Finished
> >     14 00 00 0c 13 8b 1f 61 ce aa 91 7a b0 48 b2 e9
> > SSL_connect:SSLv3 write finished A
> > SSL_connect:SSLv3 flush data
> > <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> >     02 30
> > SSL3 alert read:fatal:unknown CA
> > SSL_connect:failed in SSLv3 read finished A
> > 912:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:.\ssl\s3_pkt.c:1052:SSL alert number 48
> > 912:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:226:
> > .........
> > 
> 
> What other command line options are you using? By itself the default options
> to s_client won't cause an error if the CA is unknown.
> 
> Does the server expect a client certificate and it is sending this alert?
> 
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                              [EMAIL PROTECTED]
> Automated List Manager                                 [EMAIL PROTECTED]
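The first error in the s_client output above is raised while the -CAfile is being loaded (PEM_read_bio: bad end line, reported through X509_load_cert_crl_file), before any bytes go on the wire. OpenSSL raises it when the -----END line of a PEM block is missing or does not carry exactly the same label as its -----BEGIN line, so a bundle that trips it is only partly loaded and the chain cannot verify against it. As an added example, not part of this thread and not OpenSSL code, here is a stdlib-only Python checker that walks a PEM bundle with the same framing rules and reports, per block, what would stop it loading. The function and class names are my own, and the bundle it runs on by default is constructed: its base64 body decodes to DER for SEQUENCE { INTEGER 5 }, not a real certificate.

```python
"""Check PEM framing the way OpenSSL's PEM_read_bio does.

Added example (not from the thread and not OpenSSL code). Function and class
names are my own; the sample bundle below is constructed.
"""
import base64
import binascii
import re
import sys
from dataclasses import dataclass, field

# Constructed sample bundle (not the poster's nyisobag.pem). The base64 body
# decodes to DER for SEQUENCE { INTEGER 5 }, not a real certificate: these
# checks are about PEM framing, not certificate contents.
#   block 1: well-formed
#   block 2: END label differs from BEGIN label  -> "bad end line"
#   block 3: file ends before the END line       -> truncated
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END X509 CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
)

BEGIN_RE = re.compile(r"^-----BEGIN ([^-]+)-----$")
END_RE = re.compile(r"^-----END ([^-]+)-----$")


@dataclass
class PemBlock:
    label: str
    start_line: int
    der: bytes = b""
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def _finish(block, body_lines, blocks):
    """Base64-decode the collected body and record decoding problems."""
    try:
        block.der = base64.b64decode("".join(body_lines), validate=True)
    except (binascii.Error, ValueError) as exc:
        block.problems.append("body is not valid base64: %s" % exc)
    else:
        if not block.der:
            block.problems.append("empty body")
        elif block.label == "CERTIFICATE" and block.der[0] != 0x30:
            block.problems.append("decoded body does not start with a DER SEQUENCE")
    blocks.append(block)


def check_pem_bundle(text):
    """Return one PemBlock per -----BEGIN line, each listing framing problems.

    Like PEM_read_bio, the END label must equal the BEGIN label exactly and
    the END line must appear before end of file; header lines ("Name: value",
    as on encrypted keys) between BEGIN and the body are skipped.
    """
    blocks, body = [], []
    current, in_headers = None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")  # tolerate CRLF files
        m = BEGIN_RE.match(line)
        if m:
            if current is not None:
                current.problems.append("line %d: new BEGIN before END" % lineno)
                _finish(current, body, blocks)
            current = PemBlock(label=m.group(1), start_line=lineno)
            body, in_headers = [], True
            continue
        if current is None:
            continue  # text outside a block (e.g. 'openssl x509 -text' output) is ignored
        if line.startswith("-----END"):
            m = END_RE.match(line)
            if m is None or m.group(1) != current.label:
                current.problems.append(
                    "line %d: bad end line %r, expected '-----END %s-----'"
                    % (lineno, line, current.label))
            _finish(current, body, blocks)
            current = None
            continue
        if in_headers:
            if ":" in line:
                continue          # e.g. "Proc-Type: 4,ENCRYPTED"
            in_headers = False
            if line == "":
                continue          # blank line that ends the header section
        body.append(line.strip())
    if current is not None:
        current.problems.append(
            "file ends before '-----END %s-----' (truncated)" % current.label)
        _finish(current, body, blocks)
    return blocks


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for b in check_pem_bundle(text):
        status = "OK" if b.ok else "; ".join(b.problems)
        print("line %d: %s (%d DER bytes): %s" % (b.start_line, b.label, len(b.der), status))
```

Run it with the path to the -CAfile bundle as its argument to find the block that PEM_read_bio rejects; with no argument it reports on the constructed sample. For the second question in the post, `openssl x509 -in <cert> -noout -text` prints a certificate's X509v3 Basic Constraints extension, which is where the CA flag that the iSaSiLk verifier objects to for the certificate at index 0 is carried.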