Re: iPlanet/Crypt-SSLeay v.37

2002-07-23 Thread Martin Witzel


Each of the two servers is performing client authentication. One of the
servers can verify your client certificate (i.e., it knows and trusts the
signer of your client cert). The other server rejects your client
certificate, probably because it is unable to verify the client certificate
with the signer's key.
A server which performs client authentication needs to have the
Certification Authority's certificate which signed your client certificate
and must trust this certificate.

Regards, Martin


__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
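
The difference described in this reply can be read directly from the two HTTPS_DEBUG traces in the original post further down the thread. The following Python script is an added example, not code from either poster or from Crypt-SSLeay; it splits a trace into handshakes and reports how client authentication ended in each. The function names and verdict strings are this example's own, and the sample lines are trimmed excerpts of the posted traces.

```python
import re
# Lines excerpted (trimmed) from the two HTTPS_DEBUG traces in the original post.
FAILING = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 write client certificate A
SSL3 alert read:fatal:certificate unknown
SSL_connect:failed in SSLv3 read finished A
"""
WORKING = """\
SSL_connect:before/connect initialization
SSL_connect:SSLv3 read finished A
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 read finished A
"""
ALERT = re.compile(r"^SSL3 alert read:(\w+):(.+)$")
FINISHED = re.compile(r"^SSL_connect:SSLv\d read finished A$")

def analyze(trace):
    # Split the trace into handshakes; a connect or a renegotiation starts one.
    handshakes = []
    for line in (l.strip() for l in trace.splitlines()):
        if line.endswith("before/connect initialization") or "renegotiate" in line:
            handshakes.append({"requested": False, "sent": False,
                               "alert": None, "finished": False})
        if not handshakes:
            continue
        hs, alert = handshakes[-1], ALERT.match(line)
        hs["requested"] |= "read server certificate request" in line
        hs["sent"] |= "write client certificate" in line
        hs["finished"] |= bool(FINISHED.match(line))
        if alert:
            hs["alert"] = alert.groups()  # (level, description) sent by the server
    return handshakes

def verdict(hs):
    # Verdict wording is this example's own, not OpenSSL output.
    fatal = hs["alert"] is not None and hs["alert"][0] == "fatal"
    if hs["requested"] and hs["sent"] and fatal:
        return "server rejected client certificate: " + hs["alert"][1]
    if hs["requested"] and hs["sent"] and hs["finished"]:
        return "client certificate accepted"
    return "completed, no client certificate requested" if hs["finished"] else "incomplete"

def diagnose(trace):
    return [verdict(hs) for hs in analyze(trace)]
```

On the working trace the certificate request only appears in the second handshake, after the renegotiation, which is why that server's first handshake completes without any client certificate.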



iPlanet/Crypt-SSLeay v.37

2002-07-22 Thread John Lien


Hi,

I have a Perl script that fails on iPlanet web servers, but works on all the
others I have encountered.  Below is the script and the outputs from a
failed fetch and a successful fetch.

Perhaps iPlanet is looking for a slightly different format in the cert and
key files?  I'd appreciate any help you may be able to offer.

Thanks,
John


o PERL Script

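#!/usr/bin/perl
use strict;
use LWP::UserAgent;

my $ua;
my $request;
my $response;
my $url;    # URL to fetch; its assignment is not shown in the post

#$ENV{HTTPS_VERSION} = '3';
$ENV{HTTPS_DEBUG} = 8;    # turn on Crypt::SSLeay handshake debug output

# Client certificate and private key presented for client authentication
$ENV{HTTPS_CERT_FILE} = '/x/fwire/apl/dt_cl.crt';
$ENV{HTTPS_KEY_FILE}  = '/x/fwire/apl/dt.key';

print "url is $url\n";

$ua = LWP::UserAgent->new();
$request = new HTTP::Request('GET', $url );
$response = $ua->request($request);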



o DEBUG output from URL that fails:
ieh1: perl df.pl
url is https://www.rmao.com/OASIS/CSU/data/LIST?LIST_NAME=LISTFMT=DATA
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:certificate unknown
SSL_connect:failed in SSLv3 read finished A
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:certificate unknown
SSL_connect:failed in SSLv3 read finished A
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:SSLv2 read server hello A
SSL_connect:SSLv2 write client master key A
SSL_connect:SSLv2 client start encryption
SSL_connect:SSLv2 write client finished A
SSL_connect:SSLv2 read server verify A
SSL_connect:SSLv2 read server finished A
SSL_connect:SSLv2 write client certificate A
SSL_connect:error in SSLv2 read server finished A
=== response as string is:
500 (Internal Server Error) SSL negotiation failed: error:1406C0C8:SSL
routines:GET_SERVER_FINISHED:peer error
Client-Date: Mon, 22 Jul 2002 22:13:06 GMT




o DEBUG output from URL that works:
ieh1: df.pl
url is https://vacar.jtsin.com/OASIS/DUK/data/LIST?LIST_NAME=LISTFMT=DATA
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
=== response as string is:
HTTP/1.1 200 OK
Connection: close
Date: Mon, 22 Jul 2002 22:18:11 GMT
Server: Microsoft-IIS/4.0
Content-Type: text/x-oasis-csv
Client-Date: Mon, 22 Jul 2002 22:15:43 GMT
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=Digital Signature Trust Co./OU=TrustID
Server/CN=TrustID Server CA A5
Client-SSL-Cert-Subject: /C=US/O=ISO NEW ENGLAND/OU=ISO NEW
ENGLAND/CN=vacar.jtsin.com
Client-SSL-Cipher: RC4-MD5
Client-SSL-Warning: Peer certificate not verified
