Re: my code can't connect while openssl s_client can

2012-08-29 Thread Alexandra Druecke
Sorry for the long delay. I moved and had some holidays afterwards, so I have 
been away from work for some time.

On Wednesday, 8 August 2012, 00:44:20, you wrote:
  From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke
  Sent: Tuesday, 07 August, 2012 08:02
  
  I'm using the attached code to connect to a server. This works perfectly until
  I had to exchange the certificate which now needs two additional intermediate
  certs. All certs are merged within one file. The code can handle certificate
  chains as it is able to connect to another server with the same certificate.
 
 The EE cert and intermediate certs *and* privatekey, since
 otherwise you would have gotten errors you don't report.

Yes, of course. I didn't mention them, but all certs and keys are included 
except for the root-certificate.

  I tried to connect the server with my new certificate using openssl and it
  works fine:
  
  openssl s_client -connect the.server.net:700 -cert myCert.pem -CApath mycapath
 
 s_client calls use_certificate, not use_certificate_chain,

Okay, this explains the different behaviour.

 to fill out the (client) chain. If not, apparently your servers
 don't need you to send the full chain; it's entirely possible a
 server has intermediate certs in its truststore and uses them.

Well, I have to send the full chain, as the server obviously does not have any 
intermediate certs in its truststore. Moreover, I could fix the problem by 
adding the root-certificate to the chain. I expected the root-cert to be 
present on the server-side since the server sends a list of accepted CAs. It 
doesn't make sense to me, but anyway it fixes the problem.


Thanks a lot
 - Alexandra
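A check for the PEM bundle order that SSL_CTX_use_certificate_chain_file expects (end-entity cert first, each following cert the issuer of the one before it, root optional), which is the chain question discussed above. This is an added example, not code from the thread or from OpenSSL; it parses just enough DER to compare issuer and subject Names, and the fake_cert_pem helper builds constructed, unsigned stand-ins purely as sample input.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(data, pos):
    # Decode one DER TLV at pos -> (tag, value, end offset); handles long-form lengths.
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def issuer_and_subject(der):
    # Walk Certificate -> tbsCertificate and return the raw DER issuer and subject Names.
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)
    tag, _, end = _tlv(tbs, 0)
    pos = end if tag == 0xA0 else 0            # skip the optional [0] EXPLICIT version
    for _ in range(2):                          # serialNumber, signature AlgorithmIdentifier
        pos = _tlv(tbs, pos)[2]
    start, pos = pos, _tlv(tbs, pos)[2]         # issuer Name
    issuer = tbs[start:pos]
    pos = _tlv(tbs, pos)[2]                     # validity
    return issuer, tbs[pos:_tlv(tbs, pos)[2]]   # subject Name

def check_chain_file(pem_text):
    # The order SSL_CTX_use_certificate_chain_file expects: end-entity cert first, then
    # each issuer in turn. Returns (ordered, root_included, certificate_count).
    certs = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]
    names = [issuer_and_subject(c) for c in certs]
    ordered = all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))
    root_included = bool(names) and names[-1][0] == names[-1][1]
    return ordered, root_included, len(certs)

def _der(tag, *parts):
    body = b"".join(parts)                      # short-form length suffices for the samples
    return bytes([tag, len(body)]) + body

def fake_cert_pem(subject, issuer):
    # Constructed, unsigned stand-in (not a real certificate) with the tbsCertificate fields the checker reads.
    def name(s): return _der(0x30, _der(0x0C, s.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _der(0x30, _der(0x06, b"\x2a\x86\x48")), name(issuer),
               _der(0x30, _der(0x17, b"120807000000Z")), name(subject))
    cert = _der(0x30, tbs, _der(0x30, _der(0x06, b"\x2a")), _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

# Constructed bundle in the order the thread's myCert.pem needs: leaf, then two intermediates.
SAMPLE_CHAIN = (fake_cert_pem("Client EE", "Intermediate 2")
                + fake_cert_pem("Intermediate 2", "Intermediate 1") + fake_cert_pem("Intermediate 1", "Root CA"))
SAMPLE_WITH_ROOT = SAMPLE_CHAIN + fake_cert_pem("Root CA", "Root CA")
```

On a real bundle, read the file and pass its text to check_chain_file; a False first element means the certificates are not in the leaf-first order the chain loader needs.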



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


my code can't connect while openssl s_client can

2012-08-07 Thread Alexandra Druecke
Good day,

I'm using the attached code to connect to a server. This works perfectly until 
I had to exchange the certificate which now needs two additional intermediate 
certs. All certs are merged within one file. The code can handle certificate 
chains as it is able to connect to another server with the same certificate.

I tried to connect the server with my new certificate using openssl and it 
works fine:

openssl s_client -connect the.server.net:700 -cert myCert.pem -CApath mycapath


Summary:

a.) myCode + myCert           -- can connect to   -- server A
b.) myCode + myCert           -- can't connect to -- server B
c.) openssl s_client + myCert -- can connect to   -- server A
d.) openssl s_client + myCert -- can connect to   -- server B

For b.) I found the following error:
3071740832:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42

- code -

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <syslog.h>

SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
ctx = SSL_CTX_new(SSLv23_client_method());

/* trust store used to verify the server's chain */
SSL_CTX_load_verify_locations(ctx, NULL, mycapath);
SSL_CTX_set_verify_depth(ctx, 5);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
/* client key and certificate chain, both read from the same PEM file */
SSL_CTX_use_RSAPrivateKey_file(ctx, "myCert.pem", SSL_FILETYPE_PEM);
SSL_CTX_use_certificate_chain_file(ctx, "myCert.pem");

ssl = SSL_new(ctx);
SSL_CTX_free(ctx);   /* ssl holds its own reference to ctx */
SSL_set_fd(ssl, socket);
SSL_set_connect_state(ssl);

if ((t = SSL_connect(ssl)) > 0)
{
    syslog(LOG_DEBUG, "SSL-connection successful.\n");
    return(1);
}
ERR_print_errors_fp(stderr);

- /code -

To keep it readable I've removed the error-checking code. All paths (myCert, 
mycapath) are valid and accessible.


So, any idea why this doesn't work would be greatly appreciated.
 - Alexandra
