Sandeep, I put the whole chain in the client's cert file client1ica1.test.com.pem.

Thanks!
Mary

On Thu, Jun 2, 2011 at 4:16 AM, sandeep kiran p <[email protected]> wrote:

> I searched through the list of certificates that you have sent but could
> not find the issuer certificate for client1ica1.test.com.pem.
>
> E:\ssl\install\test\tls\test.com>openssl x509 -issuer -in client1ica1.test.com.pem -noout
> issuer= /C=US/ST=CO/L=Denver/O=CCG/OU=XCP/CN=ica1.test.com
>
> Unless the server has access to a certificate whose subject is
> "/C=US/ST=CO/L=Denver/O=CCG/OU=XCP/CN=ica1.test.com", certificate
> verification would fail.
>
> depth=0 C = US, ST = CO, L = Denver, O = CCG, OU = XCP, CN = client1ica1.test.com
> verify error:num=20:unable to get local issuer certificate
>
> Thanks,
> Sandeep
>
> On Wed, Jun 1, 2011 at 10:40 AM, Mary Zhang <[email protected]> wrote:
>
>> In fact, I just found that openssl s_server gives the same result of an untrusted
>> client cert - I forgot to specify the "Verify" option to require client auth.
>>
>> It looks like the s_client didn't send the certificate chain from the
>> client cert file to the server side, and the server cannot build the chain for
>> validation.
>> However, if I add the client's intermediate CA to the server's ca file (the root
>> ca is always there), then it works.
>>
>> Double check: should the cert chain be sent over by the client, with the server only
>> needing the root ca in its ca file? Or does the server need to include the
>> intermediate CA in its ca file directly?
>>
>> And how can I force s_client to send the cert chain to the server if it's
>> supported?
>>
>> BTW, my test certs are attached (created using xca); my test cmds are:
>>
>> openssl s_server -cert tls/example.com/cert.pem -CAfile tls/test.com/ca.pem -accept 8888 -Verify 10
>> openssl s_client -connect localhost:8888 -msg -showcerts -cert client1ica1.test.com.pem
>>
>> Thanks!
>>
>> Mary
>>
>> On Sat, May 28, 2011 at 10:42 AM, sandeep kiran p <[email protected]> wrote:
>>
>>> Can you verify the client certificate using "openssl verify" with -CApath
>>> and -CAfile similar to what you have used in
>>>
>>> SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr)
>>>
>>> Does it work if you specify only the client cert and not the entire chain
>>> when using s_client?
>>>
>>> /Sandeep
>>>
>>> On Sat, May 28, 2011 at 12:18 AM, Mary Zhang <[email protected]> wrote:
>>>
>>>> Ziyu, please see my answers inline.
>>>>
>>>> Thanks!
>>>>
>>>> Mary
>>>>
>>>> 2011/5/27 Ziyu Liu <[email protected]>
>>>>
>>>>> At 2011-05-27 13:27:43, "Mary Zhang" <[email protected]> wrote:
>>>>>
>>>>> Thanks, Ziyu.
>>>>>
>>>>> >The certificate is ok.
>>>>> >In fact, openssl s_client using the same test cert works fine against
>>>>> >openssl s_server, and if I put the intermediate CA into my SSL server's ca
>>>>> >file, it works as well.
>>>>>
>>>>> Did you attach the intermediate CA to your client certificate chain
>>>>> file?
>>>>
>>>> [Mary] Yeah, the client cert file contains the whole chain.
>>>>
>>>>> >So the issue is that my SSL server is not building the cert chain
>>>>> >correctly to validate against the root ca.
>>>>> >And I'm not sure whether I missed some call/config to enable the cert
>>>>> >chain validation.
>>>>>
>>>>> There is no specific difference between cert or cert chain.
>>>>> What verification depth have you set?
>>>>> Have you set the same CN when generating the root CA and intermediate
>>>>> CA?
>>>>
>>>> [Mary] You mean for validation of a cert or a cert chain, there is
>>>> no difference in code: the same code should work?
>>>> That's what I expected, but somehow it failed with the chain case
>>>> only.
>>>>
>>>> The verification depth is set to 10 by default (previous other's code);
>>>> I may double check that part.
>>>>
>>>> The root CA and intermediate CA have different CNs. And I used
>>>> xca to create them.
>>>>
>>>>> You can test your server with the certificates in my attachment.
>>>>> Structure:
>>>>> rootcert.pem signs servercert.pem, an intermediate cert which is in the
>>>>> clientchian.pem
>>>>> an intermediate cert signs the clientcert.pem.
>>>>
>>>> [Mary] Will try, but my test certs work fine with OpenSSL s_client and
>>>> s_server, and so I don't think the certs have an issue.
>>>>
>>>>> Thanks!
>>>>>
>>>>> Mary
>>>>>
>>>>> 2011/5/26 Ziyu Liu <[email protected]>
>>>>>
>>>>>> Use the command 'openssl x509 -in serverCA.pem -text -noout' to check
>>>>>> if your certificate is generated ok. When you are going to use the
>>>>>> intermediate CA, you must use the X509 v3 extension.
>>>>>> Check if you have this content:
>>>>>>     X509v3 extensions:
>>>>>>         X509v3 Basic Constraints:
>>>>>>             CA:TRUE
>>>>>>
>>>>>> At 2011-05-27 06:53:04, "Mary Zhang" <[email protected]> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am using OpenSSL for an SSL server and "openssl s_client" to test it
>>>>>> with client auth required.
>>>>>> A self-signed root cert is used for creating client certs, and the
>>>>>> self-signed root cert is added to the SSL server's trusted ca file.
>>>>>>
>>>>>> It works fine when the client cert has no chain, but if the client cert is
>>>>>> created by an intermediate ca which is signed by the previous root ca, the SSL
>>>>>> server fails with unknown ca.
>>>>>> From the debug trace, it looks like s_client sent the whole chain (the
>>>>>> client cert file contains the private key and the whole chain in PEM
>>>>>> format).
>>>>>>
>>>>>> I thought that OpenSSL would automatically build the chain based on
>>>>>> what is sent from the client, and since the root ca is trusted, it should
>>>>>> work.
>>>>>> Am I wrong? Do I need to get the client's cert chain and set it on the SSL
>>>>>> CTX for validation?
>>>>>>
>>>>>> BTW, here are the functions used:
>>>>>>
>>>>>> SSL_CTX_new(SSLv23_method());
>>>>>> SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_BOTH);
>>>>>> SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>>>>>> SSL_CTX_set_cipher_list(ctx, CIPHER_LIST)
>>>>>> SSL_CTX_use_certificate_chain_file(ctx, cert_fname)
>>>>>> SSL_CTX_use_PrivateKey_file(ctx, cert_fname, SSL_FILETYPE_PEM)
>>>>>> STACK_OF(X509_NAME) *ca_certs = SSL_load_client_CA_file((char *)ca_fname);
>>>>>> SSL_CTX_set_client_CA_list(ctx, ca_certs);
>>>>>> SSL_CTX_load_verify_locations(ctx, (char*)ca_fname, ca_path_ptr)
>>>>>> SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
>>>>>> SSL_CTX_set_verify_depth(ctx, _verify_depth);
>>>>>>
>>>>>> Thank you very much!
>>>>>>
>>>>>> Mary
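The chain-building question running through the thread (does the server need the intermediate in its CA file, or should the chain the peer sends be enough?) can be checked offline with "openssl verify", as Sandeep suggested. The script below is an added example, not code from the thread: it builds a constructed root/intermediate/client hierarchy and tries each trust-store arrangement. It assumes an openssl binary in PATH; every subject and file name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate
# -> client hierarchy and show when "openssl verify" can build the chain.
# All subjects and file names below are constructed placeholders.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Minimal req config (subjects come from -subj) and the X509v3 extensions:
# both CAs need basicConstraints CA:TRUE, the client leaf must not have it.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# issue <name> <subject> <extfile> [issuer]: new key + CSR, then self-sign
# when no issuer is given, otherwise sign with the issuer's cert and key.
issue() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "$2" 2>/dev/null
    if [ "$#" -eq 3 ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
            -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
            -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}
issue root "/CN=Example Root CA" ca.ext
issue intermediate "/CN=Example Intermediate CA" ca.ext root
issue client "/CN=client1" leaf.ext intermediate

# Trust store holds only the root: the client cert's issuer cannot be found,
# so verification fails with error 20 (unable to get local issuer certificate).
verify_root_only() { openssl verify -CAfile root.pem client.pem >/dev/null 2>&1; }
# Intermediate passed as an untrusted chain cert (the role of the chain a TLS
# peer sends): the path client -> intermediate -> root is built and verifies.
verify_with_chain() {
    openssl verify -CAfile root.pem -untrusted intermediate.pem client.pem >/dev/null 2>&1
}
# The workaround from the thread: append the intermediate to the server's CA file.
verify_intermediate_in_cafile() {
    cat root.pem intermediate.pem > ca-bundle.pem
    openssl verify -CAfile ca-bundle.pem client.pem >/dev/null 2>&1
}
# Trusting only the intermediate is not enough either: by default the chain has
# to end at a self-signed root in the store (error 2, unable to get issuer certificate).
verify_intermediate_only() { openssl verify -CAfile intermediate.pem client.pem >/dev/null 2>&1; }
for f in verify_root_only verify_with_chain verify_intermediate_in_cafile verify_intermediate_only; do
    if "$f"; then echo "$f: verified"; else echo "$f: failed"; fi
done
```

Only the root-only case reproduces the thread's error 20; the -untrusted case is what a correctly sent client chain gives the server, and the bundle case is the workaround Mary found.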
