On 8/22/07, Marek Marcola <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > In the application I'm currently working on which uses OpenSSL via
> > Ruby, I seem to be having a problem with the handshake when a client
> > connects to my server, though my client to their server works fine.
> > From an ssldump, it appears that my server's certificate request does
> > not include any certificate_authority entries. Because of this, the
> > client does not send its certificate and the handshake fails.
> >
> > ssldump examples:
> >
> > Their server sends a certificate request like this:
> >
> > 1 4 0.2734 (0.0064) S>C Handshake
> >     CertificateRequest
> >       certificate_types rsa_sign
> >       certificate_types dss_sign
> >       certificate_authority
> >         C=US
> >         O=Equifax
> >         OU=Equifax Secure Certificate Authority
> >       certificate_authority
> >         C=US
> >         O=Equifax Secure Inc.
> >         CN=Equifax Secure eBusiness CA-1
> >       certificate_authority
> >         C=US
> >         O=RSA Data Security, Inc.
> >         OU=Secure Server Certification Authority
> >
> > My server only sends this:
> >
> > 2 4 0.1097 (0.0000) S>C Handshake
> >     CertificateRequest
> >       certificate_types rsa_sign
> >       certificate_types dss_sign
> >     ServerHelloDone
> >
> > The client requires the certificate_authority information as seen in
> > the first example, but I'm not sure what needs to be set to make that
> > happen and a list archive search hasn't helped. In the SSL context for
> > the connection I set the certificate, key, verify_mode, and ca_path.
> > Am I missing something? Where does this certificate_authority
> > information come from?
> This is optional info and if it is not provided then client may send
> any certificate of specified type (here: RSA or DSS).
> Maybe your client does not have key/cert loaded?
> Have you any errors on client or server?
> Try:
> $ openssl s_client -connect ip:port -state -msg -debug
> $ openssl s_client -connect ip:port -state -msg -debug -cert \
>     client_crt.pem -key client_key.pem
> Full SSL session ssldump will be helpful too.
>
> Best regards,
> --
> Marek Marcola <[EMAIL PROTECTED]>
Thank you for your reply. I ended up finding it in the SSL docs. I just learned there are lots of docs in with the openssl source... I'd never seen them before! I guess that's what I get for only working with Ruby.

I had to set the SSL context's client_ca and now the connection is working.

Interesting that it's optional info. Their client will not send a certificate without it. Though it's not the first oddity I've encountered while working with them. This'll just be another item on my "Reasons to not outsource coding" list.

Thanks again,
Jeremy

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
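Both halves of the thread can be checked end to end from Ruby: Marek's point that the CA list in CertificateRequest is optional for an OpenSSL client, and Jeremy's fix of setting `client_ca` on the server's SSLContext. The script below is an added example, not code posted in the thread. It builds a throwaway in-memory PKI (CA, server cert, client cert; the names are constructed placeholders), runs a loopback TLS handshake on 127.0.0.1 with and without `client_ca`, and reports what the client received. The helpers `issue_cert`, `server_context`, `client_context` and `handshake` are defined here and are not part of Ruby's openssl library; `OpenSSL::SSL::SSLSocket#client_ca`, which returns the CA names the peer offered, is.

```ruby
require "openssl"
require "socket"

# Added example (not from the thread). Minimal X.509 issuer for a constructed
# test PKI; no revocation, no SANs, short validity.
def issue_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509v3, required for extensions
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
                                         ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed test PKI; the names are placeholders, not anything from the thread.
CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = issue_cert("/CN=Example Test CA", CA_KEY, ca: true)
SERVER_KEY  = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = issue_cert("/CN=localhost", SERVER_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY)
CLIENT_KEY  = OpenSSL::PKey::RSA.new(2048)
CLIENT_CERT = issue_cert("/CN=example-client", CLIENT_KEY, issuer_cert: CA_CERT, issuer_key: CA_KEY)

def trust_store
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  store
end

# Server side: require and verify a client certificate. Only when advertise_ca
# is true do we also set client_ca, which is what puts certificate_authority
# entries into the CertificateRequest (in TLS 1.3, into its
# certificate_authorities extension).
def server_context(advertise_ca:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = SERVER_CERT
  ctx.key = SERVER_KEY
  ctx.cert_store = trust_store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx.client_ca = [CA_CERT] if advertise_ca
  ctx
end

def client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = CLIENT_CERT
  ctx.key = CLIENT_KEY
  ctx.cert_store = trust_store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

# One loopback handshake. Returns the CA names the server offered, as the
# client saw them in CertificateRequest, and the greeting the server sent
# after it accepted the client certificate.
def handshake(advertise_ca:)
  listener = TCPServer.new("127.0.0.1", 0)
  srv_ctx = server_context(advertise_ca: advertise_ca)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, srv_ctx)
    ssl.sync_close = true
    begin
      ssl.accept           # verifies the client certificate against CA_CERT
      ssl.puts "hello"
      ssl.gets             # block until the client sends close_notify
    rescue OpenSSL::SSL::SSLError, SystemCallError
      nil                  # handshake rejected; greeting stays unsent
    ensure
      ssl.close
    end
  end

  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", listener.addr[1]), client_context)
  ssl.sync_close = true
  ssl.connect
  offered = Array(ssl.client_ca).map(&:to_s)   # [] when no CA list was sent
  greeting = ssl.gets&.chomp
  ssl.close
  server.join
  listener.close
  { offered_cas: offered, greeting: greeting }
end

if __FILE__ == $PROGRAM_NAME
  p handshake(advertise_ca: false)
  p handshake(advertise_ca: true)
end
```

With `advertise_ca: false` the client sees an empty CA list yet the handshake still completes, because an OpenSSL client sends whatever certificate it was configured with regardless of the list, which is the behaviour Marek describes. With `advertise_ca: true` the client sees `/CN=Example Test CA`, the equivalent of the `certificate_authority` entries in Jeremy's first ssldump. The picky third-party client in the thread is the case this does not reproduce: it refuses to send a certificate unless a matching entry is present, so on a server like the second ssldump it fails where OpenSSL's `s_client` would succeed.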