Re: Certificate Problem / get_peer_certificate

2002-04-22 Thread Eric Rescorla

"Andrew T. Finnell" <[EMAIL PROTECTED]> writes:
> I do a SSL_get_peer_certificate and everything works for a while.
> But all of a sudden I never get a certificate from the client. This
> causes our server to think the client isn't validated. The only way we
> seem to be able to fix this is to re-create all new certificates. The
> certificates are set to expire in a year but the problem occurs within
> weeks/months of deployment and continues to happen. Does anyone have any
> insight on how this could be happening? Thank you for your time. 
What does ssldump say?

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/
__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



RE: Certificate Problem / get_peer_certificate

2002-04-22 Thread Andrew T. Finnell

Eric,

I do not know. I do not have access to these machines; they are
at our client's location. I suppose we could try to get them to install
ssldump and run it, although I am not sure this is an option.

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 




Re: Certificate Problem / get_peer_certificate

2002-04-22 Thread Eric Rescorla

"Andrew T. Finnell" <[EMAIL PROTECTED]> writes:
>   I do not know. I do not have access to these machines; they are
> at our client's location. I suppose we could try to get them to install
> ssldump and run it, although I am not sure this is an option.
ssldump can read data captured with 'tcpdump -s 8192 -w' if that
helps at all.

In general, this sort of thing is very difficult to diagnose
without either ssldump traces or OpenSSL logging info.

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/



RE: Certificate Problem / get_peer_certificate + ssldump

2002-04-23 Thread Andrew T. Finnell
eCipherSpec
1 11 2.2448 (0.)  S>C  V3.1(36)  Handshake
1 12 2.2465 (0.0017)  C>S  V3.1(103)  application_data
1 13 2.2474 (0.0008)  S>C  V3.1(40)  application_data
1 14 2.2485 (0.0010)  C>S  V3.1(159)  application_data
1 15 2.2500 (0.0014)  S>C  V3.1(52)  application_data
1 16 2.2508 (0.0008)  S>C  V3.1(5200)  application_data

download:
1 26 73.8719 (0.0414)  C>S  V3.1(115)  Handshake
1 27 73.8729 (0.0009)  S>C  V3.1(94)  Handshake
1 28 73.9787 (0.1058)  S>C  V3.1(1864)  Handshake
1 29 73.9789 (0.0002)  S>C  V3.1(336)  Handshake
1 30 73.9789 (0.)  S>C  V3.1(35)  Handshake
1 31 74.0222 (0.0433)  C>S  V3.1(954)  Handshake
1 32 74.0234 (0.0011)  S>C  V3.1(22)  Alert
1    74.0244 (0.0009)  S>C  TCP FIN
1 33 74.0255 (0.0011)  C>S  V3.1(154)  Handshake
1 34 74.0255 (0.)  C>S  V3.1(73)  Handshake
1 35 74.0255 (0.)  C>S  V3.1(21)  ChangeCipherSpec
1 36 74.0255 (0.)  C>S  V3.1(36)  Handshake
1    74.0256 (0.0001)  C>S  TCP FIN

- 
Andrew T. Finnell
Active Solutions L.L.C
[EMAIL PROTECTED] 
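
Added example, not part of the original thread and not code from ssldump or OpenSSL: a small Python triage script for ssldump summary lines in the format of the trace above. It reports any Alert sent before both sides have sent ChangeCipherSpec, together with the last record the peer sent before it; the sample trace is constructed and the function names are this example's own.

```python
import re
from typing import NamedTuple

# Constructed sample in ssldump's summary format:
# connection, record no., time, (delta), direction, version(length), type.
SAMPLE_TRACE = """\
1 1  0.0414 (0.0414)  C>S  V3.1(115)  Handshake
1 2  0.0423 (0.0009)  S>C  V3.1(94)  Handshake
1 3  0.1481 (0.1058)  S>C  V3.1(1864)  Handshake
1 4  0.1483 (0.0002)  S>C  V3.1(336)  Handshake
1 5  0.1483 (0.0000)  S>C  V3.1(35)  Handshake
1 6  0.1916 (0.0433)  C>S  V3.1(954)  Handshake
1 7  0.1928 (0.0012)  S>C  V3.1(22)  Alert
1    0.1938 (0.0010)  S>C  TCP FIN
"""

# \s* before V also accepts lines whose column spacing was lost ("S>CV3.1(22)").
RECORD = re.compile(
    r"^(\d+)\s+(\d+)\s+[\d.]+\s+\([\d.]*\)\s+([CS])>[CS]\s*"
    r"V[\d.]+\((\d+)\)\s+(\w+)")

class Record(NamedTuple):
    conn: int
    seq: int
    sender: str   # "C" (client) or "S" (server)
    length: int
    rtype: str

def parse_records(text):
    """Return TLS record lines; TCP FIN lines and other text are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            out.append(Record(int(m[1]), int(m[2]), m[3], int(m[4]), m[5]))
    return out

def handshake_aborts(records):
    """Alerts sent before both sides sent ChangeCipherSpec, each paired with
    the last record the peer sent before the alert (None if there was none)."""
    ccs_seen, last_from, aborts = {}, {}, []
    for r in records:
        if r.rtype == "ChangeCipherSpec":
            ccs_seen.setdefault(r.conn, set()).add(r.sender)
        elif r.rtype == "Alert" and ccs_seen.get(r.conn, set()) != {"C", "S"}:
            peer = "C" if r.sender == "S" else "S"
            aborts.append((r, last_from.get((r.conn, peer))))
        last_from[(r.conn, r.sender)] = r
    return aborts
```

Running ssldump with decoding enabled on the same capture shows the alert description and the handshake message types, which this summary-level check does not see.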
