Re: getting SSL_ERROR_ZERO_RETURN when calling operation from WSDL using axis2c
On 2/3/2012 6:13 AM, manoj dhyani wrote:

> I am using the following WSDL
> https://nestlepreview.i-nexus.com/nestlepreview/webservices/v1/nexus.wsdl
> and trying to get data using the operations from the WSDL. The web service
> client is written in C using Axis2/C 1.5 with OpenSSL enabled, OpenSSL
> version 0.0.8l

That doesn't look like a real OpenSSL version number, please double check.

> The certificate is verified and instead of getting a response axis2c
> throws a timeout error. On debugging axis2/c, the SSL_read() call is
> failing with error SSL_ERROR_ZERO_RETURN

This *could* be a result of stopping your program in the debugger affecting
the actual socket send/recv calls in a way not expected by OpenSSL and/or
Axis2. So try running your test program outside the debugger.

> The same WSDL if used in SoapUI works fine, or with any other Java based
> clients

Sounds like the server is OK then.

> Any idea how to debug this issue? Is this a server side problem or client?
> If other clients work I am not sure if it's a server side issue or a
> network issue.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: Unable to verify an RSA SHA512 signature made from the CLI, from C source code.
Have you missed the OpenSSL_add_all_algorithms() initialization?

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On behalf of Roberto Martelloni
Sent: Friday, 3 February 2012 12:31
To: openssl-users@openssl.org
Subject: Unable to verify an RSA SHA512 signature made from the CLI, from C source code.

> Hello to all,
>
> I can't verify, from C code, a signature made with the openssl command
> line. Can anyone give me some hints?
>
> I create my RSA key pair with these commands:
>
>   /usr/bin/openssl genrsa -out RSA-1024.key 1024
>   /usr/bin/openssl rsa -in RSA-1024.key -pubout -out RSA-1024-public.key
>
> I made the signature with:
>
>   /usr/bin/openssl dgst -binary -sha512 -sign RSA-1024.key -out serial.SHA512.asc serial.SHA512
>
> If I verify it from the CLI it all works:
>
>   /usr/bin/openssl dgst -sha512 -verify RSA-1024-public.key -signature serial.txt.SHA512.asc serial.txt.SHA512
>   Verified OK
>
> But when I try to check it from source code it all goes wrong. Here is
> the code: http://nopaste.info/da38ec303b.html
>
> What is wrong?
>
> Thank you!
> R.
> --
> Roberto Martelloni
Re: Unable to verify an RSA SHA512 signature made from the CLI, from C source code.
On Fri, Feb 03, 2012, francesco.petru...@innovery.it wrote:

> Have you missed the OpenSSL_add_all_algorithms() initialization?
>
> From: owner-openssl-us...@openssl.org On behalf of Roberto Martelloni
> Sent: Friday, 3 February 2012 12:31
> Subject: Unable to verify an RSA SHA512 signature made from the CLI, from C source code.
>
>> I can't verify, from C code, a signature made with the openssl command
>> line. Can anyone give me some hints?
>> [...]
>> What is wrong?

The OP is doing two things wrong..

1. Posting in HTML and

2. If you call RSA_verify() it expects the digest of the data and not the data itself. You can digest and verify using EVP_Verify*() functions, see manual pages and examples.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Unable to verify an RSA SHA512 signature made from the CLI, from C source code.
I've tried again, hashing the already-hashed data, but there is no way to verify it. Code here: http://pastie.org/3309525

I can't understand what is wrong now. Where can I find some guide or documentation?

Thanks!

On 02/03/2012 03:26 PM, Dr. Stephen Henson wrote:

> The OP is doing two things wrong..
>
> 1. Posting in HTML and
>
> 2. If you call RSA_verify() it expects the digest of the data and not the
> data itself. You can digest and verify using EVP_Verify*() functions, see
> manual pages and examples.
>
> Steve.

--
Roberto Martelloni
Re: Unable to verify an RSA SHA512 signature made from the CLI, from C source code.
No, I've omitted all the other calls; for safety I call all of the OpenSSL_add_all* functions:

  OpenSSL_add_all_algorithms();
  OpenSSL_add_all_ciphers();
  OpenSSL_add_all_digests();

R.

On 02/03/2012 03:10 PM, francesco.petru...@innovery.it wrote:

> Have you missed the OpenSSL_add_all_algorithms() initialization?
>
> From: owner-openssl-us...@openssl.org On behalf of Roberto Martelloni
> Sent: Friday, 3 February 2012 12:31
> Subject: Unable to verify an RSA SHA512 signature made from the CLI, from C source code.

--
Roberto Martelloni
AES-CCM mode in 1.0.1-beta2
Looking at OpenSSL_add_all_ciphers() in crypto/evp/c_allc.c, AES-CCM mode is not in the list of ciphers added. Has this cipher intentionally been omitted, or is this a bug?
RE: getting SSL_ERROR_ZERO_RETURN when calling operation from WSDL using axis2c
The OpenSSL version is 0.9.8l; I also tried using 1.0.0f but got the same issue.

The application fails with the same error whether run from the debugger or outside the debugger.

I tried using Wireshark to trace the communication when run from SoapUI and when run from my app, but the data is encrypted and I don't have the server's private key.

Date: Fri, 3 Feb 2012 13:43:00 +0100
From: jb-open...@wisemo.com
To: openssl-users@openssl.org
Subject: Re: getting SSL_ERROR_ZERO_RETURN when calling operation from WSDL using axis2c
Adding a trusted CA from a BIO or X509*
I have a situation where I'd like my client to validate against my server, but I don't expect the default CA .pem files for OpenSSL to be there. Is there a way to take

  SSL_CTX *mySSL_CTX = existing_ssl_ctx;
  char *foo = valid pem string;
  BIO *bio = BIO_new_mem_buf(foo, -1);
  X509 *cert = PEM_read_bio_X509(bio, NULL, NULL, NULL);

and stick it into the SSL_CTX the way all the sample code does with things like

  X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);

only with the BIO? Or is there a hint at where I should look for a better guess about mapping an X509* somewhere into the CA list for an SSL_CTX*?

Dan Schmitt
CApath with multiple client certs
I love this toolset; definitely value-add for the community!

I am using OpenSSL to run through a sizable number of web server connections (~500) and tell me which certs are getting ready to expire. My utility has worked for a while (a couple of years?) on 1.0.0 Beta3, and I recently upgraded to 1.0.0.n. So far, so good... no problems with the upgrade.

Now I want to extend my usage of OpenSSL to handle client-side certificates, because my current utility throws an error on web servers that require a client-side certificate. It seems to work (at least some) regardless, because openssl s_client shows the server-side certificate before having to provide the client side. But I want to get rid of all the errors, and ensure I'm getting all server-side certs.

In my lab, I've successfully been able to do manual testing, using the following command from a client:

  openssl s_client -nowait -connect 192.168.1.145:443 -cert .\CA\user\usercert.CRT -key .\CA\user\userkey.KEY

And if I dumped both the CRT and KEY into a single PEM file, I could connect like this:

  openssl s_client -nowait -connect 192.168.1.145:443 -cert .\CA\user\combined.PEM

[Note: you're probably wondering what the '-nowait' option is. My utility runs on Windows. Since the distributed version (beta3 and .n) would often hang on the Windows connection, I added a '-nowait' option into the source and re-compiled the Windows version. Real easy; I'll attach the diff at the bottom in case anyone is interested in the change to s_client.]

So far I know that when I provide the exact file to use on the command line, it connects fine. Now my challenge... For so many servers, I'd like a flexible openssl call that can use a directory of client certificates/keys, in order to avoid having to specify the cert for each connection command. That led me towards the -CApath parameter.

I believe the 'mklink' option on Win2003 or the CreateSymbolicLink function on Windows 2008 should be able to replace the 'ln -s' code for c_rehash. But I can't get it to work. I always get an SSL handshake failure. Sample failed output below. Maybe I'm not creating the base PEM file correctly before hashing the file to use with CApath? I've tried using a hash file for the CA cert, and one for the combined.PEM (user cert and user key in the same file). And I've tried using a hash file with all three in one. I must be doing something obviously wrong. ;( I would appreciate some direction from the SSL gurus.

Error snapshot follows:
===
Loading 'screen' into random state - done
CONNECTED(00AC)
depth=1 /C=US/ST=Illinois/L=Quincy/O=Leverage Discovery/OU=Administration/CN=CA VERIFIER/emailAddress=supp...@test.net
verify return:1
depth=0 /C=US/ST=Illinois/O=Leverage Discovery/OU=Administration/CN=192.168.1.145/emailAddress=supp...@test.net
verify return:1
7192:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1160:SSL alert number 40
7192:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/C=US/ST=Illinois/O=Leverage Discovery/OU=Administration/CN=192.168.1.145/emailAddress=supp...@test.net
   i:/C=US/ST=Illinois/L=Quincy/O=Leverage Discovery/OU=Administration/CN=CA VERIFIER/emailAddress=supp...@test.net
 1 s:/C=US/ST=Illinois/L=Quincy/O=Leverage Discovery/OU=Administration/CN=CA VERIFIER/emailAddress=supp...@test.net
   i:/C=US/ST=Illinois/L=Quincy/O=Leverage Discovery/OU=Administration/CN=CA VERIFIER/emailAddress=supp...@test.net
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDVTCCAv+gAwIBAgIJAItDpW8cTCDAMA0GCSqGSIb3DQEBBQUAMIGjMQswCQYD
VQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxDzANBgNVBAcTBlF1aW5jeTEbMBkG
A1UEChMSTGV2ZXJhZ2UgRGlzY292ZXJ5MRcwFQYDVQQLEw5BZG1pbmlzdHJhdGlv
bjEUMBIGA1UEAxMLQ0EgVkVSSUZJRVIxJDAiBgkqhkiG9w0BCQEWFXN1cHBvcnRA
Z2FyZXgubmV0LmNvbTAeFw0xMjAyMDMxOTI5MjBaFw0xMzAyMDIxOTI5MjBaMIGU
MQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxGzAZBgNVBAoTEkxldmVy
YWdlIERpc2NvdmVyeTEXMBUGA1UECxMOQWRtaW5pc3RyYXRpb24xFjAUBgNVBAMT
DTE5Mi4xNjguMS4xNDUxJDAiBgkqhkiG9w0BCQEWFXN1cHBvcnRAZ2FyZXgubmV0
LmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDPCxK0zbev3sHS4GN1uKqJZ4sV
gSuZX/BCdwiKA4h8icyU3fI47+emhl+Z6fivOrv7/Hce+kli2vOyQ/YK8qnLAgMB
Re: Adding a trusted CA from a BIO or X509*
On Fri, Feb 03, 2012, Dan Schmitt wrote:

> I have a situation where I'd like my client to validate against my
> server, but I don't expect the default CA .pem files for OpenSSL to be
> there. Is there a way to take [a PEM string read through a memory BIO
> with PEM_read_bio_X509()] and stick it into the SSL_CTX the way all the
> sample code does with things like X509_LOOKUP_load_file(), only with
> the BIO? Or is there a hint at where I should look for a better guess
> about mapping an X509* somewhere into the CA list for an SSL_CTX*?

You can get the X509_STORE structure used by an SSL_CTX with SSL_CTX_get_cert_store(). Once you have that you can call X509_STORE_add_cert() and pass in the X509 structure.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: getting SSL_ERROR_ZERO_RETURN when calling operation from WSDL using axis2c
From: owner-openssl-us...@openssl.org On Behalf Of manoj dhyani
Sent: Friday, 03 February, 2012 00:13

> I am using the following WSDL
> https://nestlepreview.i-nexus.com/nestlepreview/webservices/v1/nexus.wsdl
> and trying to get data using the operations from the WSDL. The web service
> client is written in C using Axis2/C 1.5 with OpenSSL enabled, OpenSSL
> version 0.0.8l

corrected later to 0.9.8l also 1.0.0f

> The certificate is verified and instead of getting a response axis2c
> throws a timeout error. On debugging axis2/c, the SSL_read() call is
> failing with error SSL_ERROR_ZERO_RETURN

Do you mean *returning*? 0 returned from SSL_read() is NOT SSL_ERROR_ZERO_RETURN, only 0 from SSL_get_error() is. 0 from SSL_read() means more-or-less-normal end-of-data. (Like recv at the TCP level, or fread or read on a file.) Is this the first SSL_read(), or has Axis2/c already read some data and is trying for more?

> The same WSDL if used in SoapUI works fine, or with any other Java based
> clients
>
> Any idea how to debug this issue? Is this a server side problem or client?
> If other clients work I am not sure if it's a server side issue or a
> network issue.

If other clients work, it's logical the error is likely in your client, although not absolutely certain -- there could be a problem elsewhere that your client (only) exposes. On the other hand, if the problem is in your client code (at WS level) and the underlying layers (Axis2/C and OpenSSL) are correct, I would expect/hope to see a SOAP-level error, not just end-of-data.

You mention network; did you try other client(s) from your *same* machine, or at least your same network connection (routing etc)? Most network problems would show up during the TCP connection or the SSL handshake, but possibly if the SOAP-level data here is large (and I didn't read through the WSDL to try to figure out) it might trigger an error, and an error at network level could do (forced) FIN and thus (abnormal) end-of-data at SSL level.

You note later that you can't decrypt a Wireshark trace without the server private key. You can still see the lengths and timing of records; after adjusting for MAC and possibly padding (but on a default poke at the server I got RSA-RC4-SHA which doesn't pad) is your client sending data that's a reasonable size for an HTTP header and SOAP body? And receiving similarly? Are you receiving an encrypted alert just before FIN? If so, even without decrypting you can guess it's *probably* shutdown, which would mean either the server thinks it sent a complete/valid reply or it had some internal error, possibly provoked by your request somehow. And if there is any encrypted data received (that is, not encrypted handshake which is the Finished, nor encrypted alert) you should see it in Axis2/C's buffer(s) in the debugger.
RE: CApath with multiple client certs
From: owner-openssl-us...@openssl.org On Behalf Of Chris Satterthwaite
Sent: Friday, 03 February, 2012 15:55

> I am using OpenSSL to run through a sizable number of web server
> connections (~500), and tell me which certs are getting ready to expire.
> My utility has worked for a while (a couple years?) on 1.0.0 Beta3, and
> I recently upgraded to 1.0.0.n.
> snip

Aside: 1.0.0 is only up to g. Are you a Time Lord?

> Now I want to extend my usage of OpenSSL, to handle client-side
> certificates, because my current utility throws an error on web servers
> that require a client side certificate. It seems to work (at least some)
> regardless, because openssl s_client shows the server side certificate
> before having to provide the client side. But I want to get rid of all
> the errors, and ensure I'm getting all server side certs.

It's actually 'without' not 'before', but same result.

> In my lab, I've successfully been able to do manual testing, using
> [-cert and -key, or -cert with combined]
>
> [Note: If you're probably wondering what the '-nowait' option is. My
> utility runs on Windows. Since the distributed version (beta3 and .n)
> would often hang on the Windows connection, I added a '-nowait' option
> into the source and re-compiled
> snip

I doubt this is Windows specific. Your command line doesn't show any redirection of input, so if s_client successfully connects it waits for user input to be sent to the server and/or server output to be displayed to the user. Redirect NUL: (actually any filename *beginning* with NUL works, but that's a kludge) or an actual empty file.

> For so many servers, I'd like a flexible openssl call that can use a
> directory of client certificates/keys, in order to avoid having to
> specify the cert for each connection command. That lead me towards the
> -CApath parameter. I believe the 'mklink' option on Win2003 or the
> CreateSymbolicLink function on Windows 2008 should be able to replace
> the 'ln -s' code for c_rehash. But I can't get it to work. I always get
> an ssl handshake failure. Sample failed output below.
> snip rest

You're looking in entirely the wrong place. Even if symlinks work on Windows and I'm not sure about that, CApath and/or CAfile supply CA certs to use to verify the *server* (in general the peer, which for s_client is the server), *not* prove the client, and no key(s) at all (which is necessary for client to prove). I believe, but haven't tracked down exactly, the default truststore (CApath and/or CAfile) is used to *add* chain certs for the client cert if needed, but it cannot be used to supply the client cert (and key) itself.

In general if you want to interactively select client cert+key, you need to set _client_cert_cb (callback) or _client_cert_engine. s_client.c currently has the latter, if you write such an engine; or you can modify s_client.c to include and use a callback you write. Or you could write a custom app which just SSL_connect's and displays the server cert (or only server cert notAfter if that's all you want) and doesn't try to do the many other things s_client does.
Re: CApath with multiple client certs
Hi Dave,

Thanks for your ideas and response. Especially the explanation of CApath; very informative.

You're right, I'm on version 'g' not 'n'. I'd say it was a typo, but I really thought I was on 'n'. ;)

-Chris

On Fri, Feb 3, 2012 at 4:48 PM, Dave Thompson dthomp...@prinpay.com wrote:

> Aside: 1.0.0 is only up to g. Are you a Time Lord?
> [...]
> You're looking in entirely the wrong place. Even if symlinks work on
> Windows and I'm not sure about that, CApath and/or CAfile supply CA certs
> to use to verify the *server* (in general the peer, which for s_client is
> the server), *not* prove the client, and no key(s) at all (which is
> necessary for client to prove).