On Nov 8, 2012, at 2:41 AM, Carl Young <carlyo...@keycomm.co.uk> wrote:
> Sorry for top-posting - still getting used to this webmail:
>
> The only way I can see that the server is "responsible" for this behaviour is
> the certificate you are providing. Has that expired or been invalidated in
> any way at the client?

I got a more detailed error message from the client-side and it turns out I misunderstood which certificate was required for this particular application. The certificate I've been using is only valid as a client certificate, not server. I was even more confused because the previous certificate I had successfully used with this server was also client only - an undocumented change in the client-side code, I guess.

Thanks for the help. I hadn't even considered that the client would just close the connection instead of signaling an error, but I guess that improves security. So much to learn, but now I know more about openssl s_client.

Jeremy

> Carl
>
> From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on
> behalf of Jeremy Bratton [yer...@gmail.com]
> Sent: 08 November 2012 04:58
> To: openssl-users@openssl.org
> Subject: Re: Getting "OpenSSL: Exit: error in SSLv3 read client certificate
> A" when client connects
>
> I now have an ssldump of an incoming connection. I think it shows the client
> is closing the connection before the handshake is even complete. Is there any
> way the server is responsible for this behavior? Thanks.
>
> New TCP connection #4: xxxxx.com(12900) <-> a.b.c.d(443)
> 4 1  0.0362 (0.0362)  C>S  Handshake
>       ClientHello
>         Version 3.1
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         compression methods
>           NULL
> 4 2  0.0365 (0.0003)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           4c 37 df 98 4e c2 6d 26 28 23 67 4e ab 79 fd 4d
>           f7 a8 e0 7e d8 47 37 38 c8 cc 06 db 43 f1 e3 a0
>         cipherSuite TLS_RSA_WITH_RC4_128_MD5
>         compressionMethod NULL
> 4 3  0.0365 (0.0000)  S>C  Handshake
>       Certificate
> 4 4  0.0365 (0.0000)  S>C  Handshake
>       ServerHelloDone
> 4    0.0600 (0.0234)  C>S  TCP FIN
> 4    0.0602 (0.0002)  S>C  TCP FIN
>
> On Tue, Nov 6, 2012 at 8:35 AM, Jeremy Bratton <yer...@gmail.com> wrote:
>
> I'm using OpenSSL 0.9.8o 01 Jun 2010 on Debian 6.0.2. Client verification is
> disabled.
>
> I've written a SOAP server app that uses SSL. The only client that connects
> to it is completely out of my control. Though there have been no changes on
> either end that I'm aware of, the client is no longer able to connect to the
> server. I can see from the error message that something is going wrong during
> the SSL handshake, but I have no idea what (the actual server uses ruby &
> soap4r). I'm just getting the error message "SSL_accept SYSCALL returned=5
> errno=0 state=SSLv3 read client certificate A"
>
> I set up apache on the server and was able to get a more detailed error
> message which is at http://pastebin.com/vvnLi9BQ
>
> Basically, it seems like the client is sending an EOF before the handshake is
> complete, but I've been assured that the client is working just as it's
> always been. Also this client connects to several other companies' servers
> and I believe they're all still working correctly. I'm pretty sure the client
> is written in Java in case that matters.
>
> I can connect to the server with a browser just fine.
>
> Is this a common issue? Any suggestions for a fix or work-around? A web
> search hasn't turned up much of anything.
>
> Thanks,
> Jeremy
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
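
An added example, not part of the original thread: a small Python reader for an ssldump trace like the one quoted above, reporting who closed the connection, after which handshake message, and whether an alert preceded the close. The function names and the sample trace are constructed for illustration, and the code assumes a single connection per trace in the record layout shown in the thread.

```python
import re

# Handshake message names as ssldump prints them on the indented line.
HANDSHAKE_MSGS = {"ClientHello", "ServerHello", "Certificate", "CertificateRequest",
                  "ServerKeyExchange", "ServerHelloDone", "ClientKeyExchange",
                  "CertificateVerify", "Finished"}
# Record line: "<conn> [<record#>] <time> (<delta>) C>S <record type>"
RECORD = re.compile(r"^(\d+)\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+([CS])>[CS]\s+(.+?)\s*$")

# Constructed sample, modelled on the trace quoted in the thread.
SAMPLE_TRACE = """\
New TCP connection #4: client.example(12900) <-> server.example(443)
4 1  0.0362 (0.0362)  C>S  Handshake
      ClientHello
4 2  0.0365 (0.0003)  S>C  Handshake
      ServerHello
4 3  0.0365 (0.0000)  S>C  Handshake
      Certificate
4 4  0.0365 (0.0000)  S>C  Handshake
      ServerHelloDone
4    0.0600 (0.0234)  C>S  TCP FIN
4    0.0602 (0.0002)  S>C  TCP FIN
"""

def parse_events(trace):
    """Return [(sender, event)]; event is a handshake message or a record type."""
    events, sender, in_handshake = [], None, False
    for line in trace.splitlines():
        m = RECORD.match(line)
        if m:
            sender, rtype = m.group(2), m.group(3)
            in_handshake = rtype == "Handshake"
            if not in_handshake:          # Alert, ChangeCipherSpec, TCP FIN, ...
                events.append((sender, rtype))
        elif in_handshake and line.strip() in HANDSHAKE_MSGS:
            events.append((sender, line.strip()))
    return events

def diagnose(trace):
    """Summarise where the handshake stopped and which side closed first."""
    events = parse_events(trace)
    fin = next((i for i, (_, e) in enumerate(events) if e == "TCP FIN"), None)
    before = events[:fin]                 # fin=None keeps the whole list
    if {s for s, e in before if e == "ChangeCipherSpec"} == {"C", "S"}:
        return "handshake completed"
    if fin is None:
        return "handshake incomplete, connection still open in this capture"
    closer = "client" if events[fin][0] == "C" else "server"
    last = next((e for _, e in reversed(before) if e in HANDSHAKE_MSGS), "nothing")
    alerted = any(e == "Alert" for _, e in before)
    return f"{closer} closed after {last}, {'with' if alerted else 'without'} an alert"

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```

A client-side close right after ServerHelloDone with no alert, as in the sample, points the investigation at how the client judged the server's Certificate message rather than at the server's socket handling.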