Problems with client-side certificate verification
Hi, everybody. I'm currently trying to implement a server/client system where the server will only accept connections from clients whose certificate was signed by the server's CA. For security reasons, the client also does verification. When I use s_server, the client-side verification works. When I use my server code, I receive the error message:

11041:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
11041:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

On the server end, if I set the verification depth from 0 to 1, it works. Am I confused about the depth setting, or can anyone tell me if there's something else I might be missing?

Thanks much!

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
Re: Problems with client-side certificate verification
[EMAIL PROTECTED] wrote:
> 11041:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
> 11041:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

I forgot to include the fact that when I use s_client with my server, it says:

---
No client certificate CA names sent
---

...even though I am calling SSL_CTX_load_verify_locations without errors.

Hope someone can help me. I've been looking into this for quite some time now.

Thanks
Re: Problems with client-side certificate verification
If set to 0 it will verify the whole cert chain of any length.

root - CA1 - CA2 - EE

If set to a number greater than 0 it will verify only chains of that length or less. If the cert chain is greater than the given number, validation will fail. In the case below I would think that it would only work if you are using a self-signed cert, making the verification depth 1.

Perry

[EMAIL PROTECTED] wrote:
> [...]
> On the server end, if I set the verification depth from 0 to 1, it works. Am I confused about the depth setting, or can anyone tell me if there's something else I might be missing?
Re: Problems with client-side certificate verification
Maybe you have not added the extra CA/root certs to the CTX?

SSL_CTX_add_extra_chain_cert( ctx, x509Cert )

Perry

[EMAIL PROTECTED] wrote:
> [...]
> I forgot to include the fact that when I use s_client with my server, it says:
> ---
> No client certificate CA names sent
> ---
> ...even though I am calling SSL_CTX_load_verify_locations without errors.
Re: Problems with client-side certificate verification
Perry L. Jones wrote:
> Maybe you have not added the extra CA/root certs to the CTX?
> SSL_CTX_add_extra_chain_cert( ctx, x509Cert )
> Perry

Thanks. It's passing the certificate now; however, when I set the verification depth to 0 on the server end, the client still fails with the message

11373:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL alert number 42
11373:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:

I've tried tracking this down, and I cannot seem to find anything that describes why 'bad certificate' is the string associated with this error id. You mentioned that a self-signed certificate wouldn't pass a depth of 0; however, when using s_client and s_server, with these same certificates, it works fine, and it trusts the CA.
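The thread turns on what the verification depth actually bounds. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway root -> intermediate -> client chain and runs `openssl verify` with several `-verify_depth` values, which is the same limit that `SSL_CTX_set_verify_depth()` applies inside a server. It assumes the `openssl` CLI is on PATH; all subject names and file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway
# root -> intermediate -> client chain and observe how -verify_depth
# bounds the chain length. Assumes the openssl CLI is on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA; without CA:TRUE the
# intermediate is rejected as an issuer ("invalid CA certificate").
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: generate a key and CSR, then self-sign with the CA extensions.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 2 \
  -extfile ca.ext >/dev/null 2>&1

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 2 -extfile ca.ext >/dev/null 2>&1

# Client (end-entity) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=client1" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out client.pem -days 2 >/dev/null 2>&1

# verify_depth N: validate client.pem against the trusted root with
# -verify_depth N, offering inter.pem as an untrusted chain certificate
# (the way a client would send it in the handshake).
# Exit status 0 = chain accepted, non-zero = chain rejected.
verify_depth() {
  openssl verify -CAfile root.pem -untrusted inter.pem \
    -verify_depth "$1" client.pem >/dev/null 2>&1
}

# For this three-certificate chain, depth 0 is rejected ("certificate chain
# too long") and depth 2 is accepted under both the pre-1.1.0 counting
# (depth = number of CA certificates above the peer, so 0 = self-signed only)
# and the 1.1.0+ counting (depth = intermediates only; peer and trust anchor
# are not counted). Depth 1 differs between the two, so check your build.
verify_depth 0 && echo "depth 0: accepted" || echo "depth 0: rejected"
verify_depth 1 && echo "depth 1: accepted" || echo "depth 1: rejected"
verify_depth 2 && echo "depth 2: accepted" || echo "depth 2: rejected"
```

Separately from the depth limit, the CA names that s_client reports as "No client certificate CA names sent" come from the list installed with `SSL_CTX_set_client_CA_list()` (typically loaded via `SSL_load_client_CA_file()`), not from `SSL_CTX_load_verify_locations()`, which only configures what the server trusts. A server that omits the former still verifies correctly but gives the client no hint about which certificate to present.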