Re: my code can't connect while openssl s_client can
Sorry for the long delay. I moved and had some holydays afterwards. So I have been away from work for some time. Am Mittwoch, 8. August 2012, 00:44:20 schrieben Sie: > > From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke > > Sent: Tuesday, 07 August, 2012 08:02 > > > > I'm using the attached code to connect to a server. This > > works perfectly until > > I had to excange the certificate which now needs two > > additional intermediate > > certs. All certs are merged within one file. The code can > > handle certificate > > chains as it is able to connect to another server with the > > same certificate. > > The EE cert and intermediate certs *and* privatekey, since > otherwise you would have gotten errors you don't report. Yes, of course. I didn't mentioned them but all certs and keys are included except for the root-certificate. > > I tried to connect the server with my new certificate using > > openssl and it > > works fine: > > > > openssl s_client -connect the.server.net:700 -cert myCert.pem > > -CApath mycapath > > s_client calls use_certificate, not use_certificate_chain, Okay, this explains the different behaviour. > to fill out the (client) chain. If not, apparently your servers > don't need you to send the full chain; it's entirely possible a > server has intermediate certs in its truststore and uses them. Well, I have to send the full chain as the server obviously does not have any intermediate certs in its truststore. Moreover I could fix the problem by adding the root-certificate to the chain. I expected the root-cert to be present on the server-side since the server sends a list of accepted CAs. It doesn't make sense to me though anyway it fixes the problem. Thanks a lot - Alexandra __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: my code can't connect while openssl s_client can
> From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke > Sent: Tuesday, 07 August, 2012 08:02 > I'm using the attached code to connect to a server. This > works perfectly until > I had to excange the certificate which now needs two > additional intermediate > certs. All certs are merged within one file. The code can > handle certificate > chains as it is able to connect to another server with the > same certificate. > The EE cert and intermediate certs *and* privatekey, since otherwise you would have gotten errors you don't report. > I tried to connect the server with my new certificate using > openssl and it > works fine: > > openssl s_client -connect the.server.net:700 -cert myCert.pem > -CApath mycapath > s_client calls use_certificate, not use_certificate_chain, and thus uses only the EE cert from myCert.pem, ignoring others. Do you have the intermediates in mycapath (with hashlinks/names)? OpenSSL (and s_client) will use certs from CApath and/or CAfile to fill out the (client) chain. If not, apparently your servers don't need you to send the full chain; it's entirely possible a server has intermediate certs in its truststore and uses them. And these might differ because quite a few CAs, especially newer or less established one, have "cross" and/or "upgrade" certificates for/above their intermediates, giving multiple different chains, which different reliers may or may not trust. > > Summary: > > a.) myCode + myCert -- can connect to > server A > b.) myCode + myCert -- can't connect to --> server B > c.) openssl s_client + myCert -- can connect to > server A > d.) openssl s_client + myCert -- can connect to > server B > > For b.) I found the following error: > 3071740832:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 > alert bad > certificate:s3_pkt.c:1053:SSL alert number 42 > Use -debug to see exactly what certs s_client is sending in b, or if you are on Windows or Mac use www.wireshark.org to monitor and display b (more work to set up but easier to read), and compare it to the certs in your myCert.pem . I also notice that line number appears to be for fips-1.2.3. Is your app using a FIPS build of OpenSSL *in FIPS mode*? If so, that might affect the suites used, although your cert is apparently RSA, which is permitted in FIPS -- unless it is too few bits and something is (already?) enforcing that. I believe commandline doesn't default to FIPS mode even in a FIPS build, but I don't use it myself and am not familiar. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
my code can't connect while openssl s_client can
Good day, I'm using the attached code to connect to a server. This works perfectly until I had to excange the certificate which now needs two additional intermediate certs. All certs are merged within one file. The code can handle certificate chains as it is able to connect to another server with the same certificate. I tried to connect the server with my new certificate using openssl and it works fine: openssl s_client -connect the.server.net:700 -cert myCert.pem -CApath mycapath Summary: a.) myCode + myCert -- can connect to > server A b.) myCode + myCert -- can't connect to --> server B c.) openssl s_client + myCert -- can connect to > server A d.) openssl s_client + myCert -- can connect to > server B For b.) I found the following error: 3071740832:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1053:SSL alert number 42 - - SSL_load_error_strings(); SSLeay_add_ssl_algorithms(); ctx = SSL_CTX_new(SSLv23_client_method()); SSL_CTX_load_verify_locations(ctx, NULL, "mycapath"); SSL_CTX_set_verify_depth(ctx, 5); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); SSL_CTX_use_RSAPrivateKey_file(ctx, "myCert.pem", SSL_FILETYPE_PEM); SSL_CTX_use_certificate_chain_file(ctx, "myCert.pem"); ssl = SSL_new(ctx); SSL_CTX_free(ctx); SSL_set_fd(ssl, socket); SSL_set_connect_state(ssl); if((t = SSL_connect(tv->ssl)) > 0) { syslog(LOG_DEBUG, "SSL-connection successful.\n"); return(1); } ERR_print_errors_fp(stderr); - - To keep it readable I've removed the error-checking code. All pathes (myCert, mycapath) are valid and accessible. So, any idea why this doesn't work would be greatly appreciated. - Alexandra __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org