Hi all,

The problem has been solved; adding -CAfile to the s_client did the trick.

Thanks a lot everyone for the help.
-Vishal

On Wed, Aug 26, 2009 at 10:59 AM, vishal saraswat <
vishalsaraswat...@gmail.com> wrote:

> Hi all,
>
> I am still getting the same error:
> 7(Certificate Signature Failure)
>
> @Sandeep : I am using following commands for server and client
> respectively.
>
> openssl s_server -accept 9000 -cert ~/certs/server.pem
> openssl s_client -connect localhost:9000
>
> @Goetz - Well, I hope I am doing it. But maybe I don't get your point quite
> clearly. This is what I do (names changed)
>
> $> openssl ca -config openssl.my.cnf -policy policy_anything -out 
> certs/server.crt -infiles server.csr
>
> I hope this is enough. But I don't provide any such argument of certificates
> at the client end. Do I need to? However initially when I
> encountered this error I created several certificates for client. Using the
> same procedure the way I created the server certificate.
>
> @Dave : I think you have the same point as Goetz. I think we all are on the
> same pitch but something somewhere is definitely wrong.
>
> I am sorry that I took so much of time to reply. I was writing a small code 
> to test the same client/server communication. But no good.
>
> Thank you everyone,
> -Vishal
>
>
>
> On Thu, Aug 20, 2009 at 7:56 PM, Dave Thompson <
> dave.thomp...@princetonpayments.com> wrote:
>
>> >       From: owner-openssl-us...@openssl.org On Behalf Of vishal saraswat
>> >       Sent: Tuesday, 18 August, 2009 07:44
>>
>> >       I am sorry, I forgot to tell you that the final PEM I create
>> > is composed of key and certificate both.
>> >       cat server_key.pem server server_cert.pem > server.pem
>> >       I read on some blogs that some servers require both to be in one file
>> > that's why to be on safer side I started following this practice. I hope
>> > it's fine.
>>
>> It's OK. OpenSSL commandline does not require this, but does allow it.
>>
>> >       Now I suppose that once a client is successfully connected
>> > it should return me code as 0 and an OK message. Right?
>> > But I get return value as 7(Certificate Signature Failure),
>> > 21(Unable to verify the first certificate.)
>>
>> Signature failure? Not just "unable to get issuer"?
>>
>> To verify, any client does need to have available the CA cert
>> that signed the cert the server uses. In the general case with
>> the client on a different machine than the server this must be
>> a copy, and thus you need to make sure the right file (version)
>> gets copied, but for loopback testing you can use the same file(s).
>>
>> s_client supports two ways: a single file containing either one CAcert
>> or several concatenated, specified with -CAfile; or a directory specified
>> by -CApath that contains a file for each CA cert with its filename or
>> a symlink to it using the hash of the cert's name, allowing lookup.
>>
>> In your earlier email s_client specified neither of these and should
>> have gotten 20 unable to get local issuer cert (and 21 unable to verify).
>> I think the only way you should get signature failure is if
>> you give s_client a CAcert which is for the correct CA name
>> but has a different public key. Perhaps, if you've tried this
>> (sort of) test several times, the file from an earlier iteration.
>>
>> >       p.s. - Can I connect multiple s_client to a single s_server ?
>>
>> In sequence, but not concurrently. For that you need a real server. <G>
>>
>>
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>
>
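
The verification behaviour discussed in this thread can be reproduced offline with `openssl verify`, which takes the same -CAfile option as s_client. This is an added example, not part of the original messages: it builds two CAs with the same subject name but different keys (the stale-CA case Dave describes), signs a server certificate with the first, and reports what each trust configuration returns. All subjects, file names and the temporary directory are constructed.

```shell
#!/bin/sh
# Added example: subjects, file names and the temp directory are constructed.

# Two CAs with the SAME subject but different keys, plus a server
# certificate signed by the first CA only.
make_pki() {
    dir=$1
    for n in 1 2; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo Test CA" \
            -keyout "$dir/ca$n.key" -out "$dir/ca$n.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 1 -set_serial 1 \
        -CA "$dir/ca1.pem" -CAkey "$dir/ca1.key" \
        -out "$dir/server.crt" 2>/dev/null || return 1
}

# Print "OK" when the certificate verifies, otherwise the first
# "error N ..." line from openssl. An empty $2 means no -CAfile.
check_cert() {
    cert=$1; cafile=$2
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) || true
    else
        out=$(openssl verify "$cert" 2>&1) || true
    fi
    if printf '%s\n' "$out" | grep -q ': OK$'; then
        echo OK
    else
        err=$(printf '%s\n' "$out" | grep '^error [0-9]' | head -n 1)
        echo "${err:-FAILED}"
    fi
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    echo "no -CAfile:           $(check_cert "$d/server.crt" "")"
    echo "stale CA, same name:  $(check_cert "$d/server.crt" "$d/ca2.pem")"
    echo "signing CA:           $(check_cert "$d/server.crt" "$d/ca1.pem")"
    rm -rf "$d"
}

run_demo
```

Only the run that passes the signing CA's own certificate verifies; a CA file with the right name but the wrong key is rejected just as a missing one is.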
