Ok I have some ssldump information for the amchine that doesn't work. I am trying to get the dump on a machine That does work now. The client and server are our own applications. As one other person stated, we already do use SSL_CTX_set_verify (context, SSL_VERIFY_PEER, 0). Just to give a better overview of what is happening. When the client first connects it may not have a certificate so it connects without one but with limited permissions for our server. They then get a certificate/key (flame about this later please :) from the Server and do a renegotiate with the server with the new certificate. The security we implemented was to encrypt the key with a password that only the client should know (human client).
New TCP connection #1: XXXXXXX(12664) <-> XXXXX(6550) 1 1 1.9488 (1.9488) C>S SSLv2 compatible client hello Version 3.1 cipher suites TLS_DHE_DSS_WITH_RC4_128_SHA TLS_DHE_DSS_WITH_RC2_56_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC4_56_SHA TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_DES_CBC_SHA TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_DES_CBC_SHA TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_DES_CBC_SHA TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_IDEA_CBC_SHA TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_EXPORT_WITH_RC4_40_MD5 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA TLS_DH_anon_WITH_DES_CBC_SHA TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA TLS_DH_anon_WITH_RC4_128_MD5 TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 SSL2_CK_RC464 SSL2_CK_3DES SSL2_CK_DES SSL2_CK_IDEA SSL2_CK_RC2 SSL2_CK_RC2_EXPORT40 SSL2_CK_RC4 SSL2_CK_RC4_EXPORT40 1 2 1.9495 (0.0007) S>CV3.1(74) Handshake ServerHello Version 3.1 random[32]= 3c c5 66 c2 02 21 83 36 96 79 be e9 a8 9e 9f aa ba 10 1c 25 c7 8e dd 34 ab e9 4d 65 9d c5 28 26 session_id[32]= ee ff 33 1f 7c 0d 2e f3 0b f8 f5 52 7a 47 88 16 2e 26 45 b0 a9 f0 ba 51 38 12 32 74 c9 9d 94 15 cipherSuite TLS_DHE_DSS_WITH_RC4_128_SHA compressionMethod NULL 1 3 2.0982 (0.1487) S>CV3.1(1844) Handshake Certificate 1 4 2.0982 (0.0000) S>CV3.1(315) Handshake ServerKeyExchange params DH_p[128]= cd ab 52 93 93 f3 9b 9e 40 b6 98 77 2c c2 f7 a0 33 f2 18 e2 4b 7f 9f bd 5c 0f c7 ba f2 f9 d8 bc ed b8 d5 be fc d8 36 69 d5 03 e3 d0 33 40 21 c5 03 93 ba 89 c1 6e 9f ab 66 82 26 97 b1 8f 9e 3c ac d6 4e 4b a2 83 85 68 d2 6e 93 84 be 08 7d 9f 74 7e d9 d4 09 c1 81 45 df 31 8f 0f 73 cf a3 53 e9 bc 98 55 1a 89 6b 71 a0 09 5a c9 72 a8 55 58 3f fd 39 86 e7 69 70 14 58 61 6b f0 8e 3e ad 43 DH_g[1]= 02 DH_Ys[128]= 20 97 5e 55 34 17 03 8a 99 10 ee ef ce 6d 99 fd 4a 25 0c c5 71 4b ef 2f 15 54 8d d8 b0 6a 89 5d a2 6e ca 43 19 ec 4b 80 52 4d e3 14 0e 84 42 50 d3 23 09 25 75 8b 2d a1 c1 31 04 af a8 bc a0 c2 5f bb 9e 6d 62 ef 1a b7 83 36 05 a9 f6 b8 b7 eb 60 af df 0f d7 bb 1d 89 68 01 ff a1 ca 05 dd 60 65 7c da 7f e0 ff d0 e5 5a 43 c6 e0 26 a5 96 8d 73 eb 1e 63 61 fd 96 2f 55 5c 03 1e b1 3d 12 b0 signature[46]= 30 2c 02 14 36 07 a2 ed 67 83 2c f6 ac f4 7b 96 47 1f 91 04 2f e4 ea b3 02 14 3b 79 84 09 4d 56 e8 78 97 b8 ad 50 94 9c af 93 b6 70 23 6a 1 5 2.0982 (0.0000) S>CV3.1(15) Handshake CertificateRequest certificate_types rsa_fixed_dh certificate_types dss_fixed_dh certificate_types rsa_sign certificate_types dss_sign ServerHelloDone 1 6 2.1419 (0.0436) C>SV3.1(7) Handshake Certificate 1 7 2.1419 (0.0000) C>SV3.1(134) Handshake ClientKeyExchange DiffieHellmanClientPublicValue[128]= 5b 76 e1 13 5e 47 45 b0 74 01 88 63 f6 48 74 c9 7a 38 1e a6 09 08 94 46 6e 14 40 9b dc 32 f6 c7 02 b9 33 bc 5a de fc ba e9 40 57 5a a8 e4 c1 e1 e1 58 11 48 88 43 9a 06 24 0d 98 3f cd 0a 83 c9 96 43 84 cc 10 3d 93 78 94 95 57 58 50 d5 97 86 8f 6c 2a 64 ad 32 d3 60 da 03 6a a7 6a c5 89 8c 4d bd aa 61 37 b6 ed 2c 48 60 eb c2 1d 98 2e 19 93 ac c4 b9 46 7e f2 96 88 ae 98 fb dd a4 b9 4c 1 8 2.1419 (0.0000) C>SV3.1(1) ChangeCipherSpec 1 9 2.1419 (0.0000) C>SV3.1(36) Handshake 1 10 2.2448 (0.1029) S>CV3.1(1) ChangeCipherSpec 1 11 2.2448 (0.0000) S>CV3.1(36) Handshake 1 12 2.2465 (0.0017) C>SV3.1(103) application_data 1 13 2.2474 (0.0008) S>CV3.1(40) application_data 1 14 2.2485 (0.0010) C>SV3.1(159) application_data 1 15 2.2500 (0.0014) S>CV3.1(52) application_data 1 16 2.2508 (0.0008) S>CV3.1(5200) application_data download: 1 26 73.8719 (0.0414) C>SV3.1(115) Handshake 1 27 73.8729 (0.0009) S>CV3.1(94) Handshake 1 28 73.9787 (0.1058) S>CV3.1(1864) Handshake 1 29 73.9789 (0.0002) S>CV3.1(336) Handshake 1 30 73.9789 (0.0000) S>CV3.1(35) Handshake 1 31 74.0222 (0.0433) C>SV3.1(954) Handshake 1 32 74.0234 (0.0011) S>CV3.1(22) Alert 1 74.0244 (0.0009) S>C TCP FIN 1 33 74.0255 (0.0011) C>SV3.1(154) Handshake 1 34 74.0255 (0.0000) C>SV3.1(73) Handshake 1 35 74.0255 (0.0000) C>SV3.1(21) ChangeCipherSpec 1 36 74.0255 (0.0000) C>SV3.1(36) Handshake 1 74.0256 (0.0001) C>S TCP FIN - Andrew T. Finnell Active Solutions L.L.C [EMAIL PROTECTED] > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Rescorla > Sent: Monday, April 22, 2002 12:36 PM > To: [EMAIL PROTECTED] > Subject: Re: Certificate Problem / get_peer_certificate > > > "Andrew T. Finnell" <[EMAIL PROTECTED]> writes: > > I do not know. I do not have access to these machines > they are at our > > client's location. I suppose we could try and get them to install > > ssldump and run it. Although I am not sure this is an option. > ssldump can read data captured with 'tcpdump -s 8192 -w' if > that helps at all. > > In general, this sort of thing is very difficult to diagnose > without either ssldump traces or OpenSSL logging info. > > -Ekr > > -- > [Eric Rescorla [EMAIL PROTECTED]] > http://www.rtfm.com/ > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]