>From: [email protected] On Behalf Of al so
>Sent: Monday, 04 June, 2012 14:48
>Does it look for client cert chain by default in the home dir?
>Looks like it's due to mutual authentication setup?
s_client looks for client-auth key&cert only where you tell it
using the commandline options -cert and/or -key. Use those.
s_client for client-auth (which is rare), like s_server for
server-auth (which is common), can >send< only a single cert,
not a full chain. If your client cert requires an intermediate
below the trust anchor(s) on the server, it won't work.
(Both s_client and s_server can >receive< a full chain.)
You can write a simple app using OpenSSL lib to send a chain,
but since IIRC your actual goal is to get Java SOAP to work,
you might be better off writing an even simpler Java app which
connects SSL with the desired trust and auth, and disconnects
without doing anything. If you use an explicit SSLContext
and {Key,Trust}ManagerFactory, this is about 20 lines.
If you change the defaults in your JRE -- or have already
done so for the SOAP stuff -- it's about 5 lines.
>On Mon, Jun 4, 2012 at 4:24 AM, Eisenacher, Patrick <[email protected]> wrote:
> > From: al so
> > openssl s_client -showcerts -connect <TP.COM>:443
> > CONNECTED(00000003)
> > depth=1 <snip>OU=VeriSign International Server CA - Class 3<snip>
> > verify error:num=20:unable to get local issuer certificate
> > verify return:0
Aside: this appears to be
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1514
which should verify under Verisign's Class 3 Public Primary Certification Authority.
s_client looks for truststore using either -CAfile and/or -CApath options,
or the OpenSSL library default which depends on the build you are using.
To fix this, add the verisign class3 root to your default truststore,
or create (or find) a truststore containing it and specify that.
However, unlike most clients (including probably Java SOAP)
s_client ignores the verify error and proceeds to:
> > 16747:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1093:SSL alert number 42
> > 16747:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
> The error tells you that the server doesn't like your client cert chain. As such,
> it sends a bad certificate alert. You should check the server's log for any details.
In this case the server rejected s_client's lack of any cert (chain).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
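Added example (not from the original post or from the OpenSSL project): the "connect with explicit trust and auth, then disconnect" Java probe described above, written with an explicit SSLContext and {Key,Trust}ManagerFactory instead of the JRE defaults. The class name TlsProbe, the argument layout and the file names in the usage line are assumptions for illustration. The keystore is assumed to be a PKCS12 file holding the client key together with its full chain (leaf plus intermediate); Java's default X509KeyManager sends the whole chain stored with the key entry, which is exactly what s_client cannot do. The truststore is assumed to contain the server's root (here, the VeriSign Class 3 root the thread refers to).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/*
 * Illustrative probe (hypothetical class name): performs one TLS handshake
 * with mutual authentication using an explicit SSLContext, prints what both
 * sides presented, and closes without sending any application data.
 *
 * Usage (assumed file names):
 *   java TlsProbe TP.COM 443 client.p12 clientpass truststore.jks changeit
 */
public class TlsProbe {
    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: TlsProbe host port keystore.p12 kspass truststore tspass");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] ksPass = args[3].toCharArray();
        char[] tsPass = args[5].toCharArray();

        // Client authentication: PKCS12 with private key + leaf + intermediate(s).
        // The KeyManager sends the whole chain stored with the key entry.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[2])) {
            ks.load(in, ksPass);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, ksPass);

        // Server authentication: truststore holding the trust anchor(s) only,
        // e.g. the VeriSign Class 3 Public Primary root from the thread.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[4])) {
            ts.load(in, tsPass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // Explicit context: nothing here depends on javax.net.ssl.* system properties.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLSocketFactory sf = ctx.getSocketFactory();

        try (SSLSocket sock = (SSLSocket) sf.createSocket(host, port)) {
            // A raw SSLSocket does not check the hostname against the cert by
            // default; turn that on so the probe fails the way a real client would.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);

            // Forces the handshake now; a server-side "bad certificate" alert
            // surfaces here as an SSLHandshakeException with the alert text.
            sock.startHandshake();

            SSLSession s = sock.getSession();
            System.out.println("Negotiated " + s.getProtocol() + " " + s.getCipherSuite());

            System.out.println("Server chain as received:");
            for (Certificate c : s.getPeerCertificates()) {
                System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
            }

            Certificate[] sent = s.getLocalCertificates();
            System.out.println("Client chain as sent: " + (sent == null ? 0 : sent.length) + " cert(s)");
            if (sent != null) {
                for (Certificate c : sent) {
                    System.out.println("  " + ((X509Certificate) c).getSubjectX500Principal());
                }
            }
        } // close() here disconnects without any application data
    }
}
```

To build the PKCS12 with the intermediate included, the standard OpenSSL command is: openssl pkcs12 -export -in client.pem -inkey client.key -certfile intermediate.pem -out client.p12 (file names assumed). If the handshake fails with a certificate_unknown or bad_certificate alert, the "Client chain as sent" line never prints; rerun with -Djavax.net.debug=ssl:handshake to see which certificates were actually offered and which CAs the server requested in its CertificateRequest.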