Kyle Hamilton wrote:
> 'no peer certificate available' is a different error than 'peer
> certificate did not verify'. This means that the TLS server is
> running without a certificate. (TLS and SSL do *not* require servers
> to provide certificates, but they do require that servers must provide
> certificates before they ask for client authentication, else it's a
> protocol error.)
>
> -Kyle H
Thank you for this essential information! Good to know.

Am I right to believe this has to do with

  SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, verify_cert_foo );

/vs./

  SSL_CTX_set_verify( ctx, SSL_VERIFY_NONE, verify_cert_foo );

?

In between I added /Zi to CFLAGS (as Mounir said, .\util\pl\VC-32.pl is the right place) and after this I rebuilt the whole OpenSSL 1.0.0 suite again. This enabled me to step into SSL_* and to figure out where I had used wrong directory names.

**One more question:**

Is it still a good idea to use:

  ctx = SSL_CTX_new( SSLv23_method() )

combined with

  SSL_CTX_set_options( ctx, (SSL_OP_NO_SSLv2 | SSL_OP_ALL) );

to get SSLv3 + TLSv1 on, but SSLv2 off? This is often shown for OpenSSL 0.9.x in the books and I used it.

Actually, I get:

openssl.exe s_client -debug -state -connect 192.168.0.192:21
Loading 'screen' into random state -
CONNECTED(00000774)
write to 0xa626a0 [0xa62700] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 04 00 80 00 00-03 02 00 80 91 a5 45 62   ..............Eb
0060 - 1d cb 55 d0 62 e2 95 b6-4f 41 fe 3c e4 c5 43 d1   ..U.b...OA.<..C.
0070 - 32 d6 04 aa 06 c1 35 00-22 75 3e 09               2.....5."u>.
read from 0xa626a0 [0xa67c60] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 28                              ......(
done
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:handshake failure
SSL_connect:error in SSLv2/v3 read server hello A
5044:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:.\ssl\s23_clnt.c:596:

Might I have forgotten to set the accept/connect direction of SSL before calling BIO_do_handshake(bio)? (Please note: bio is a chain of buffer + ssl + accept_socket, where buffer + accept_socket are already up and running fine.) I did read somewhere some command to set the ssl direction, but I don't remember it! SSL_state_server/accept() or such? And this is what gives me some more headache.

But it's pretty late now and this noon I tried a very good red wine together with my wife, so I think I'll delay further investigations till tomorrow. Maybe the headache is from the wine? Anyway.

If you think my dump above makes it easy to give me the next hint ... this would be very kind, again!

Have a silent night,
Modem Man
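The two records in the dump above can be decoded by hand, which is the quickest way to confirm what Kyle said. The following C program is an added example for this thread, not code from the original poster or from OpenSSL; it only embeds the bytes printed by s_client and parses them with two small hand-written functions (parse_v2_client_hello, parse_tls_alert and the struct names are all made up for this example). The 124-byte write is an SSLv2-compatible ClientHello (2-byte record header 80 7a, body type 1, offered version 3.1 = TLS 1.0, 27 cipher specs of which 7 are SSLv2-only), which is what SSLv23_method() emits when SSLv2 has not been switched off. The 7-byte reply is a TLS 1.0 Alert record: level 2 (fatal), description 40 (handshake_failure). That is what an OpenSSL server sends when it cannot pick a cipher suite from the client's offer, and a server with no certificate loaded has no usable RSA/DHE-RSA suites, so the alert is consistent with the "no peer certificate available" diagnosis rather than with a missing SSL_set_connect_state() call (a direction problem would show up as the client never getting a well-formed alert back at all).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 124-byte SSLv2-compatible ClientHello that s_client wrote,
 * copied byte for byte from the debug dump in the post above. */
static const uint8_t client_hello[124] = {
    0x80,0x7a,0x01,0x03,0x01,0x00,0x51,0x00,0x00,0x00,0x20,0x00,0x00,0x39,0x00,0x00,
    0x38,0x00,0x00,0x35,0x00,0x00,0x16,0x00,0x00,0x13,0x00,0x00,0x0a,0x07,0x00,0xc0,
    0x00,0x00,0x33,0x00,0x00,0x32,0x00,0x00,0x2f,0x00,0x00,0x07,0x05,0x00,0x80,0x03,
    0x00,0x80,0x00,0x00,0x05,0x00,0x00,0x04,0x01,0x00,0x80,0x00,0x00,0x15,0x00,0x00,
    0x12,0x00,0x00,0x09,0x06,0x00,0x40,0x00,0x00,0x14,0x00,0x00,0x11,0x00,0x00,0x08,
    0x00,0x00,0x06,0x04,0x00,0x80,0x00,0x00,0x03,0x02,0x00,0x80,0x91,0xa5,0x45,0x62,
    0x1d,0xcb,0x55,0xd0,0x62,0xe2,0x95,0xb6,0x4f,0x41,0xfe,0x3c,0xe4,0xc5,0x43,0xd1,
    0x32,0xd6,0x04,0xaa,0x06,0xc1,0x35,0x00,0x22,0x75,0x3e,0x09
};

/* The 7 bytes the server answered with, from the same dump. */
static const uint8_t server_reply[7] = { 0x15,0x03,0x01,0x00,0x02,0x02,0x28 };

/* Hypothetical result type for this example. */
struct v2_hello {
    size_t record_len;              /* payload length from the 2-byte v2 header */
    int    msg_type;                /* 1 = CLIENT-HELLO */
    int    version_major, version_minor;
    size_t cipher_spec_len, session_id_len, challenge_len;
    int    n_v2_specs;              /* first byte non-zero: SSLv2-only cipher */
    int    n_v3_specs;              /* 00 xx yy: SSLv3/TLS cipher suite */
};

/* Parse a v2 ClientHello in 2-byte-header form (high bit of byte 0 set).
 * Returns 0 on success, -1 if the buffer is malformed or truncated. */
int parse_v2_client_hello(const uint8_t *p, size_t n, struct v2_hello *h)
{
    memset(h, 0, sizeof *h);
    if (n < 2 || !(p[0] & 0x80)) return -1;
    h->record_len = (size_t)((p[0] & 0x7f) << 8 | p[1]);
    if (n != 2 + h->record_len) return -1;        /* record must fill the buffer */
    p += 2; n -= 2;
    if (n < 9 || p[0] != 1) return -1;            /* 9-byte CLIENT-HELLO header */
    h->msg_type        = p[0];
    h->version_major   = p[1];
    h->version_minor   = p[2];
    h->cipher_spec_len = (size_t)(p[3] << 8 | p[4]);
    h->session_id_len  = (size_t)(p[5] << 8 | p[6]);
    h->challenge_len   = (size_t)(p[7] << 8 | p[8]);
    if (h->cipher_spec_len % 3 != 0) return -1;   /* v2 specs are 3 bytes each */
    if (9 + h->cipher_spec_len + h->session_id_len + h->challenge_len != n) return -1;
    const uint8_t *spec = p + 9;
    for (size_t i = 0; i < h->cipher_spec_len; i += 3)
        if (spec[i] == 0) h->n_v3_specs++; else h->n_v2_specs++;
    return 0;
}

struct tls_alert {
    int version_major, version_minor;
    int level;          /* 1 = warning, 2 = fatal */
    int description;    /* 40 = handshake_failure */
};

/* Accept only a complete TLS record of content type 21 (Alert) carrying a
 * 2-byte alert body. Returns 0 on success, -1 otherwise. */
int parse_tls_alert(const uint8_t *p, size_t n, struct tls_alert *a)
{
    if (n < 5 || p[0] != 21) return -1;
    size_t len = (size_t)(p[3] << 8 | p[4]);
    if (len != 2 || n != 5 + len) return -1;
    a->version_major = p[1];
    a->version_minor = p[2];
    a->level         = p[5];
    a->description   = p[6];
    return 0;
}

/* A few alert descriptions from RFC 2246 that matter when debugging this. */
const char *alert_name(int d)
{
    switch (d) {
    case 40: return "handshake_failure";
    case 42: return "bad_certificate";
    case 48: return "unknown_ca";
    default: return "other";
    }
}

int main(void)
{
    struct v2_hello h;
    struct tls_alert a;
    if (parse_v2_client_hello(client_hello, sizeof client_hello, &h) == 0)
        printf("ClientHello: v2 record, %zu payload bytes, offers %d.%d, "
               "%d SSLv3/TLS suites + %d SSLv2-only specs, %zu-byte challenge\n",
               h.record_len, h.version_major, h.version_minor,
               h.n_v3_specs, h.n_v2_specs, h.challenge_len);
    if (parse_tls_alert(server_reply, sizeof server_reply, &a) == 0)
        printf("Server alert: TLS %d.%d, level %s, description %d (%s)\n",
               a.version_major, a.version_minor,
               a.level == 2 ? "fatal" : "warning",
               a.description, alert_name(a.description));
    return 0;
}
```

The presence of SSLv2-only specs such as 07 00 c0 in the offer shows that this particular s_client run did not have SSL_OP_NO_SSLv2 set; a program that sets that option with SSLv23_method() still sends this v2-compatible hello but without those entries.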