Re: my code can't connect while openssl s_client can
Sorry for the long delay. I moved and had some holydays afterwards. So I have been away from work for some time. Am Mittwoch, 8. August 2012, 00:44:20 schrieben Sie: From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke Sent: Tuesday, 07 August, 2012 08:02 I'm using the attached code to connect to a server. This works perfectly until I had to excange the certificate which now needs two additional intermediate certs. All certs are merged within one file. The code can handle certificate chains as it is able to connect to another server with the same certificate. The EE cert and intermediate certs *and* privatekey, since otherwise you would have gotten errors you don't report. Yes, of course. I didn't mentioned them but all certs and keys are included except for the root-certificate. I tried to connect the server with my new certificate using openssl and it works fine: openssl s_client -connect the.server.net:700 -cert myCert.pem -CApath mycapath s_client calls use_certificate, not use_certificate_chain, Okay, this explains the different behaviour. to fill out the (client) chain. If not, apparently your servers don't need you to send the full chain; it's entirely possible a server has intermediate certs in its truststore and uses them. Well, I have to send the full chain as the server obviously does not have any intermediate certs in its truststore. Moreover I could fix the problem by adding the root-certificate to the chain. I expected the root-cert to be present on the server-side since the server sends a list of accepted CAs. It doesn't make sense to me though anyway it fixes the problem. Thanks a lot - Alexandra __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
my code can't connect while openssl s_client can
Good day, I'm using the attached code to connect to a server. This works perfectly until I had to excange the certificate which now needs two additional intermediate certs. All certs are merged within one file. The code can handle certificate chains as it is able to connect to another server with the same certificate. I tried to connect the server with my new certificate using openssl and it works fine: openssl s_client -connect the.server.net:700 -cert myCert.pem -CApath mycapath Summary: a.) myCode + myCert -- can connect to server A b.) myCode + myCert -- can't connect to -- server B c.) openssl s_client + myCert -- can connect to server A d.) openssl s_client + myCert -- can connect to server B For b.) I found the following error: 3071740832:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42 - code - SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); ctx = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_load_verify_locations(ctx, NULL, mycapath); SSL_CTX_set_verify_depth(ctx, 5); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); SSL_CTX_use_RSAPrivateKey_file(ctx, myCert.pem, SSL_FILETYPE_PEM); SSL_CTX_use_certificate_chain_file(ctx, myCert.pem); ssl = SSL_new(ctx); SSL_CTX_free(ctx); SSL_set_fd(ssl, socket); SSL_set_connect_state(ssl); if((t = SSL_connect(tv-ssl)) 0) { syslog(LOG_DEBUG, SSL-connection successful.\n); return(1); } ERR_print_errors_fp(stderr); - /code - To keep it readable I've removed the error-checking code. All pathes (myCert, mycapath) are valid and accessible. So, any idea why this doesn't work would be greatly appreciated. - Alexandra __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org