Hi,

We are switching to our own CA for in house networking. To test I've used it to sign a server certificate and a client certificate. The subject and issuer output for all three certificates is...
...CA:
$ openssl x509 -subject -issuer -noout -in gandalf_cacert.pem
subject= /O=myCompany/emailAddress=em...@mydomain.net/L=myCity/ST=myState/C=XX/CN=LJB
issuer= /O=myCompany/emailAddress=em...@mydomain.net/L=myCity/ST=myState/C=XX/CN=LJB

...server:
$ openssl x509 -subject -issuer -noout -in server5_cert.pem
subject= /C=XX/ST=myState/O=myCompany/CN=server5
issuer= /O=myCompany/emailAddress=em...@mydomain.net/L=myCity/ST=myState/C=XX/CN=LJB

...client:
$ openssl x509 -subject -issuer -noout -in ecPub.crt
subject= /CN=be2576a357228b303189ab62bd2497807d2276493ddfc6fd037a0c8fc6e9ac9a/C=za/emailAddress=a@b.c
issuer= /O=myCompany/emailAddress=em...@mydomain.net/L=myCity/ST=myState/C=XX/CN=LJB

When I use these certificates with s_client and s_server and force client authentication, the connection is established, but in the server output I see three errors:
:
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write certificate request A
SSL_accept:SSLv3 flush data
depth=0 CN = be2576a357228b303189ab62bd2497807d2276493ddfc6fd037a0c8fc6e9ac9a, C = za, emailAddress = a@b.c
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = be2576a357228b303189ab62bd2497807d2276493ddfc6fd037a0c8fc6e9ac9a, C = za, emailAddress = a@b.c
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = be2576a357228b303189ab62bd2497807d2276493ddfc6fd037a0c8fc6e9ac9a, C = za, emailAddress = a@b.c
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_accept:SSLv3 read client certificate A
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read certificate verify A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
:

My server commandline is:
$ openssl s_server -accept 9999 -CAfile gandalf_cacert.pem -cert server5_cert.pem -key server5_privkey.pem -Verify 10 -tls1 -state

My client commandline is:
$ openssl s_client -connect localhost:9999 -CAfile gandalf_cacert.pem -cert ecPub.crt -key ecPriv.key -showcerts

QUESTION:
Should I worry about these errors, since it seems that the connection is established and the client is authenticated? I just do not understand them, since I do specify the CA file.

Regards,
LJB
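The "verify return:1" after each "verify error" line above comes from the s_server verify callback, which only logs the failure and lets the handshake continue unless -verify_return_error is given, so the log does not show an authenticated client. The script below is an added example (not from the original post or the OpenSSL project) that runs the same chain check s_server performs, with openssl verify, against a throwaway CA and client certificate it builds itself; it assumes an openssl binary on PATH and borrows the post's file names.

```shell
#!/bin/sh
# Added example: does the client certificate really chain to the CA file?
# Assumes 'openssl' is on PATH; the file names mirror the original post.
set -eu

# Verify a leaf certificate against a CA file, as s_server -CAfile does.
# Prints openssl's reason on failure and returns its exit status, so a
# caller can fail closed (s_server itself needs -verify_return_error
# to abort the handshake on a verification error).
check_chain() {
  ca="$1"; cert="$2"
  if out=$(openssl verify -CAfile "$ca" "$cert" 2>&1); then
    echo "OK: $cert chains to $ca"
    return 0
  fi
  echo "FAIL: $out"
  return 1
}

# Build a throwaway CA plus client certificate so this runs stand-alone.
# A second CA with the *same* subject DN but a different key shows that a
# matching issuer string is not enough: the signature must verify.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_ca() {  # $1 = file prefix, $2 = subject DN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
    -keyout "$WORK/$1_key.pem" -out "$WORK/$1_cacert.pem" 2>/dev/null
}
make_ca gandalf  "/O=myCompany/C=XX/CN=LJB"
make_ca impostor "/O=myCompany/C=XX/CN=LJB"

# Client key + CSR, signed by the real CA (constructed test data).
openssl req -newkey rsa:2048 -nodes -subj "/CN=client1/C=XX" \
  -keyout "$WORK/ecPriv.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/client.csr" \
  -CA "$WORK/gandalf_cacert.pem" -CAkey "$WORK/gandalf_key.pem" \
  -CAcreateserial -out "$WORK/ecPub.crt" 2>/dev/null

# Expected: the first check passes, the second fails even though the
# issuer DN printed by 'openssl x509 -issuer' is identical for both CAs.
good_ca_check()  { check_chain "$WORK/gandalf_cacert.pem"  "$WORK/ecPub.crt"; }
wrong_ca_check() { check_chain "$WORK/impostor_cacert.pem" "$WORK/ecPub.crt"; }
```

Run the same check_chain against the real gandalf_cacert.pem and ecPub.crt; if it fails, s_server was logging the same failure and the client was not actually authenticated.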


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org