> From: owner-openssl-...@openssl.org On Behalf Of mahant
> Sent: Saturday, 31 March, 2012 15:22

> I am trying to make a Gsoap call to a HTTPS service, 
> ... using "soap_ssl_client_context" ...
> if (soap_ssl_client_context(&lp_Soap,
>         SOAP_SSL_DEFAULT,
>         "./JT-PROD.prvkey.1024.pem",          // this is the private key generated using the openssl genrsa cmd
>         NULL,                                 // I don't have any PWD so passing it as null
>         "/users/spv/spv/mahant/certnew.pem",  // my CA sent me this certificate
>         NULL,
>         NULL))
> 
> My key file is in the format below <snip PEM>
> My certnew.pem is in the format below <snip PEM>
> My CA sent me back 2 files, certnew.pem and certnew.p7b.
> Not sure how to use this .p7b file. I am just using certnew.cer at the moment.

I assume you mean certnew.pem (as above) not .cer.

When you say "MY CA", do you mean a CA you (partly) control 
like an in-house one, or the public CA you selected?

A .p7b file is often used to convey a certificate chain.
The cert issued to your client (or other end entity) by a CA 
can and for a public CA usually does require an intermediate 
cert or sometimes two or three intermediate certs to form a 
"chain" between your cert and the CA's trusted root. Try
  openssl pkcs7 -in certnew.p7b -noout -print_certs 
to see what certs are in there, and whether it includes 
your own (client) cert as well as intermediate(s) for it, 
where the 'issuer' of one cert is the 'subject' of another.
It is possible to use a .p7b to contain only an EE cert, 
but usually no one would bother. (And technically there 
are other pkcs7 options, but they wouldn't apply here.)

> I am getting the errors below when I run the application to hit the HTTPS
> service.
> 
> I am printing the errors below in stdsoap2.c using the 
> ERR_get_error() function:
> 
> error:0906D06C:PEM routines:PEM_read_bio:no start line
> error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
> error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert 
> handshake failure
> SOAP 1.1 fault: SOAP-ENV:Client [no subcode]
> "EOF was observed that violates the protocol. The client 
> probably provided
> invalid authentication information."
> Detail: SSL_connect error in tcp_connect()
> 
Google finds http://www.cs.fsu.edu/~engelen/soapdoc2.html which 
identifies itself as gSOAP 2.8.7 User Guide and if that's correct 
it comments soap_ssl_client_context arguments after &soap as 
   SOAP_SSL_DEFAULT,
   "client.pem",  /* keyfile: required only when client must 
                     authenticate to server (see SSL docs on how 
                     to obtain this file) */
   "password",    /* password to read the key file (not used with 
                     GNUTLS) */
   "cacerts.pem", /* cacert file to store trusted certificates 
                     (needed to verify server) */
   NULL,          /* capath to directory with trusted certificates */
   NULL           /* if randfile!=NULL: use a file with random data 
                     to seed randomness */ 

This says arg 5 and/or 6 should be the CA cert(s) OpenSSL 
will use to verify the server certificate; that is separate 
from and typically unrelated to your own client certificate.
One place says "The cacert.pem file included in the package 
contains the certificates of common CAs." but another place says 
it "includes a cacerts.pem file with the certificates of all 
certificate authorities such as Verisign" and "cacert.pem ... 
[is an] example self-signed certificate[]." You may have to look 
at both to determine which is correct. Or if your server's CA 
is not a public CA, you need to get the server's CA root cert 
(in PEM format) by some means you trust, and put it in a file 
you use for arg 5 (or in a dir with hashname(s) for arg 6).

The client call doesn't describe "keyfile", but the server call 
says it's "[EE] private key concatenated with its certificate". 
OpenSSL needs this information and no other arg could sensibly 
provide it, so that seems logical. If your client cert requires 
chain cert(s) as above, OpenSSL actually needs the full chain 
either explicitly or in the truststore. The error message you 
show indicates SSL_CTX_use_certificate_chain_file was called; 
the only file it makes sense to call this routine on is arg 3, 
so that file should be your (client) private key concatenated 
with your cert *chain* in PEM format. 

Assuming the CA provided a .p7b because your cert has a chain, 
use the pkcs7 command above without -noout and put the results 
into a file; make sure your client=EE cert is first in that file 
(move labels+BEGIN/END block together if not); concatenate that 
file to your private-key file and give the result as arg 3.

Alternatively, you should be able to obtain any needed 
intermediate cert or certs from the CA website directly.
It will typically have instructions vaguely like:
"for level2-silver certs, use THIS silver2-intermediate cert; 
for level3-gold certs issued before April 15 2010 use THIS 
gold3-intermediate cert here but for level3-gold certs after 
that date use THIS gold3-transition cert here and THIS new  
transition cert". Get each needed chain cert to a file and 
concatenate them; or just copy&paste them into a single file.

I'm a bit intrigued that gSOAP+OpenSSL apparently proceeded with 
the handshake after the call to client_context failed.
Did you ignore or override an error return somewhere?


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
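The file-building steps the reply describes (extract certs from the .p7b, put the client=EE cert first with its labels, then concatenate after the private key), as an added Python example that is not part of the original thread. It consumes the text that `openssl pkcs7 -in certnew.p7b -print_certs` writes (subject=/issuer= label pairs followed by PEM blocks) and orders the chain by following issuer links; the sample dump and key are constructed placeholders, not real certificates.

```python
import re

# Constructed sample in the shape that `openssl pkcs7 -in certnew.p7b -print_certs`
# prints: a subject=/issuer= label pair before each PEM block, here deliberately
# with the intermediate first. The base64 bodies are placeholders, not real certs.
SAMPLE_P7B_DUMP = """\
subject=CN=Example Intermediate CA
issuer=CN=Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----

subject=CN=mahant client
issuer=CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q0xJRU5U
-----END CERTIFICATE-----
"""

# One entry = the labels plus the BEGIN/END block they belong to (moved together).
ENTRY_RE = re.compile(
    r"subject=(?P<subject>[^\n]*)\nissuer=(?P<issuer>[^\n]*)\s*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.S)

def parse_print_certs(text):
    """Return [(subject, issuer, pem_block), ...] in file order."""
    return [(m["subject"].strip(), m["issuer"].strip(), m["pem"])
            for m in ENTRY_RE.finditer(text)]

def order_chain(entries):
    """End-entity cert first, then each issuer in turn, stopping at a self-signed root."""
    issuers = {issuer for _, issuer, _ in entries}
    by_subject = {e[0]: e for e in entries}
    leaves = [e for e in entries if e[0] not in issuers]   # issued nothing => EE cert
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity cert, found %d" % len(leaves))
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = None if cur[0] == cur[1] else by_subject.get(cur[1])  # missing issuer: stop
    return chain

def build_keyfile(private_key_pem, p7b_dump):
    """Arg-3 file for soap_ssl_client_context: key, then EE cert, then intermediates."""
    chain = order_chain(parse_print_certs(p7b_dump))
    return private_key_pem.rstrip("\n") + "\n" + "\n".join(pem for _, _, pem in chain) + "\n"
```

If the dump contains more than one cert that issued nothing, or the issuer of some cert is missing from the .p7b, the script stops or raises rather than silently producing a broken chain; that is the point at which the reply suggests fetching the intermediate from the CA website instead.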