Thanks Vincenzo. Now it's clear. Unfortunately, the problem here is that I get this "handshake failure" fault during an axis invocation from inside globus service in a GT4 container towards the VOMS server.
How can I set this low-level openssl parameter (CAPath) for this axis invocation? Moreover, a generic GET HTTPS call from inside the same GT4 service works correctly. For this reason I think that "globus" overwrites in some sense the standard SSL behavior (cog ?). Is it possible?

Andrea

On Thu, Feb 26, 2009 at 1:47 PM, Vincenzo Ciaschini <[email protected]> wrote:
> Andrea Turli wrote:
>>
>> I don't know if this will answer your questions but I've tried these
>> three commands:
>>
>> $ openssl verify -CApath /etc/grid-security/certificates -purpose
>> sslclient /etc/grid-security/containercert.pem
>> /etc/grid-security/containercert.pem: OK
>>
>> $ openssl verify -purpose sslclient /etc/grid-security/containercert.pem
>> /etc/grid-security/containercert.pem:
>> /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>
> The difference here is the missing -CApath in the second command, which
> confirms the fact that you did not put them in /certs instead.
>
> In this situation, all your openssl subcommands should specify the -CApath
> option if that option is available. For example, verify, s_client and
> s_server should, x509 should not.
>
> Which means, retry this command:
> openssl s_client -CApath /etc/grid-security/certificates -connect
> localhost:443
>
> instead of just:
> openssl s_client -connect localhost:443
>
> Ciao,
> Vincenzo
>
>> What could be the solution?
>>
>> Andrea
>>
>> On Thu, Feb 26, 2009 at 11:35 AM, Vincenzo Ciaschini
>> <[email protected]> wrote:
>>>
>>> Vincenzo Ciaschini wrote:
>>>>
>>>> Tom Scavo wrote:
>>>>>
>>>>> On Wed, Feb 25, 2009 at 10:23 AM, Andrea Turli <[email protected]>
>>>>> wrote:
>>>>>>
>>>>>> This command also
>>>>>>
>>>>>> openssl s_client -connect localhost:443
>>>>>>
>>>>>> doesn't work
>>>>>>
>>>>>> This is the stacktrace I can see:
>>>>>> CONNECTED(00000003)
>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>> verify error:num=20:unable to get local issuer certificate
>>>>>> verify return:1
>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>> verify error:num=27:certificate not trusted
>>>>>> verify return:1
>>>>>> depth=0 /C=IT/O=INFN/OU=Host/L=ENGINEERING RDLAB/CN=grids16.eng.it
>>>>>> verify error:num=21:unable to verify the first certificate
>>>>>> verify return:1
>>>>>> 20978:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>>>>>> certificate:s3_pkt.c:1046:SSL alert number 42
>>>>>> 20978:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>>>>>> failure:s23_lib.c:226:
>>>>
>>>> This error trace seems to hint to the fact that OpenSSL could not find
>>>> the CA certificate of the grids16.eng.it host cert in the CA store.
>>>> What is the default value of -CApath when one does not specify it?
>>>
>>> It is '/certs'. I assume you do not have it, right?
>>>
>>>> Are you sure you have the CA certificate installed?
>>>
>>> Ciao,
>>> Vincenzo
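The -CApath behaviour discussed in the thread, as an added example that is not part of the original messages: it builds a throwaway test CA and host certificate with the openssl CLI, then runs the same `openssl verify -purpose sslclient` command with no -CApath, with an unhashed directory, and with a directory indexed by subject hash (the layout of a grid `certificates` directory). All names, subjects and the temporary directories are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce "error 20 ... unable to get
# local issuer certificate" without -CApath, and show that -CApath only helps
# when the directory is indexed by subject hash (<hash>.0, as c_rehash creates).
# Requires the openssl CLI; everything below is constructed in a temp dir.
set -e

WORK=$(mktemp -d)
HASHED="$WORK/certificates"    # constructed stand-in for a hashed CA directory
UNHASHED="$WORK/plain"         # same CA file, but not indexed by hash
mkdir -p "$HASHED" "$UNHASHED"

# Constructed throwaway CA and a host certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/C=XX/O=Example/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes \
  -subj "/C=XX/O=Example/OU=Host/CN=host.example.test" \
  -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/host.pem" >/dev/null 2>&1

# A -CApath lookup opens <subject-hash>.0, never a file called ca.pem.
cp "$WORK/ca.pem" "$UNHASHED/ca.pem"
HASH=$(openssl x509 -noout -subject_hash -in "$WORK/ca.pem")
cp "$WORK/ca.pem" "$HASHED/$HASH.0"

# verify_host [CAPATH]: run openssl verify like the commands in the thread;
# echo OK on success, otherwise the numeric verify error (20 = issuer not found).
verify_host() {
  capath_opt=""
  if [ -n "$1" ]; then capath_opt="-CApath $1"; fi
  if out=$(openssl verify $capath_opt -purpose sslclient "$WORK/host.pem" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1
  fi
}

echo "no -CApath:        $(verify_host)"             # 20
echo "unhashed -CApath:  $(verify_host "$UNHASHED")" # 20
echo "hashed -CApath:    $(verify_host "$HASHED")"   # OK
```

The unhashed case fails exactly like the missing-option case, which is why a CA directory must be indexed (c_rehash or equivalent) and not merely contain the PEM file.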
