Hi,
We are switching to our own CA for in house networking. To test I've
used it to sign a server certificate and a client certificate. The
subject and issuer output for all three certificates is...
...CA:
$ openssl x509 -subject -issuer -noout -in gandalf_cacert.pem
subject= /O=myCompany/emailAddress=em...@mydomain.net/L=myCity/ST=myState/C=XX/CN=LJB
issuer= /O=myCompany/emailAddress=em...@mydomain.net/L=myCity/ST=myState/C=XX/CN=LJB
...server:
$ openssl x509 -subject -issuer -noout -in server5_cert.pem
subject= /C=XX/ST=myState/O=myCompany/CN=server5
issuer= /O=myCompany/emailAddress=em...@mydomain.net/L=myCity/ST=myState/C=XX/CN=LJB
...client:
$ openssl x509 -subject -issuer -noout -in ecPub.crt
subject= /CN=be2576a357228b303189ab62bd2497807d2276493ddfc6fd037a0c8fc6e9ac9a/C=za/emailAddress=a@b.c
issuer= /O=myCompany/emailAddress=em...@mydomain.net/L=myCity/ST=myState/C=XX/CN=LJB
When I use these certificates with s_client and s_server and force
client authentication the connection is established but on the server
output I see three errors:
:
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write certificate request A
SSL_accept:SSLv3 flush data
depth=0 CN = be2576a357228b303189ab62bd2497807d2276493ddfc6fd037a0c8fc6e9ac9a, C = za, emailAddress = a@b.c
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = be2576a357228b303189ab62bd2497807d2276493ddfc6fd037a0c8fc6e9ac9a, C = za, emailAddress = a@b.c
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = be2576a357228b303189ab62bd2497807d2276493ddfc6fd037a0c8fc6e9ac9a, C = za, emailAddress = a@b.c
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_accept:SSLv3 read client certificate A
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read certificate verify A
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write session ticket A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
:
My server command line is:
$ openssl s_server -accept 9999 -CAfile gandalf_cacert.pem -cert server5_cert.pem -key server5_privkey.pem -Verify 10 -tls1 -state
My client command line is:
$ openssl s_client -connect localhost:9999 -CAfile gandalf_cacert.pem -cert ecPub.crt -key ecPriv.key -showcerts
QUESTION:
Should I worry about these errors, since it seems that the connection is
established and the client is authenticated? I just do not understand
them, since I do specify the CA file.
Regards,
LJB
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org