Hi,

I'm running into an issue (with both 0.9.7l and 0.9.8g) where I'm
attempting to connect to a server with a client certificate and what
appears to be a complete chain of server certificates, and yet I'm
still getting the 'unknown ca' error.

My command line is:

openssl s_client \
 -connect [HOST]:443 \
 -CAfile server_chain.pem \
 -cert client_keypair.pem \
 -key client_keypair.pem

The output I see is (from 0.9.8g on Ubuntu, and I've redacted the
company details):

CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
verify return:1
depth=0 /C=[HOST]/ST=[HOST]/L=[HOST]/O=[COMPANY NAME]./OU=[HOST]/CN=[HOST]
verify return:1
4645:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48
4645:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

To my (admittedly noob-ish) eyes, it appears that everything in the
chain has been validated successfully. If I remove the -CAfile
parameter, I get the following output (again 0.9.8g on Ubuntu):

CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
4661:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48
4661:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

The above makes a little more sense to me, as the CA certificate isn't
(I guess) in the default set shipped with the OS. Similar errors occur
in 0.9.7l on Mac OS X 10.5.6, but with different line numbers in the
source files.

Is there something I'm doing wrong here?

Many thanks,
Paul
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
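The two transcripts above, as an added example that is not from the original post or from the OpenSSL project: a small POSIX shell triage helper that separates local "verify error" lines (the only thing -CAfile influences) from alert 48, which is sent by the server when it does not trust the issuer of the certificate the client presented. The function names and the condensed sample transcripts are my own constructions.

```shell
# Triage helper for saved `openssl s_client` transcripts (added example).
# It separates the two failure sources the post runs together:
#   "verify error:" lines -> the CLIENT could not verify the SERVER chain;
#   "SSL alert number 48" -> the SERVER sent fatal alert unknown_ca, i.e. it
#                            does not trust the issuer of the CLIENT cert.
# Only POSIX grep/sed/head are used; names below are assumed, not OpenSSL's.
# classify_s_client TRANSCRIPT -> prints space-separated flags on one line
classify_s_client() {
    _flags=""
    # local verification failures while walking the server chain (depth=N lines)
    _verr=$(printf '%s\n' "$1" | grep -c '^verify error:' || true)
    # first fatal alert number received from the peer, if any
    _alert=$(printf '%s\n' "$1" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ "$_verr" -gt 0 ]; then
        _flags="LOCAL_VERIFY_FAILED"
    fi
    if [ "$_alert" = "48" ]; then
        _flags="${_flags:+$_flags }PEER_UNKNOWN_CA"
    elif [ -n "$_alert" ]; then
        _flags="${_flags:+$_flags }PEER_ALERT_$_alert"
    fi
    echo "${_flags:-OK}"
}
# explain FLAGS -> one line of next-step advice per flag
explain() {
    for _f in $1; do
        case "$_f" in
            LOCAL_VERIFY_FAILED) echo "client side: server chain did not verify; point -CAfile at the right root" ;;
            PEER_UNKNOWN_CA) echo "server side: alert 48 means the server rejected the client cert's issuer; -CAfile cannot fix this, the issuing CA must be in the server's trust store" ;;
            PEER_ALERT_*) echo "server side: fatal alert ${_f#PEER_ALERT_}" ;;
            OK) echo "handshake completed" ;;
        esac
    done
}
# Constructed samples condensed from the two transcripts in the post.
WITH_CAFILE='CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
4645:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48'
WITHOUT_CAFILE='CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
4661:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1053:SSL alert number 48'
explain "$(classify_s_client "$WITH_CAFILE")"      # flags: PEER_UNKNOWN_CA
explain "$(classify_s_client "$WITHOUT_CAFILE")"   # flags: LOCAL_VERIFY_FAILED PEER_UNKNOWN_CA
```

Because the alert is read by the client (SSL3_READ_BYTES), it came from the server, which is why every depth can show verify return:1 and the handshake still fails.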