So far so good. Are you running OSP to do this? Which Cisco engineer were you working with?

The "> > >6d01h: SSL: process certificate" is when IOS attempts to respond with its client certificate. I don't know openssl but aren't you trying to _not_ request the client cert?

- max

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Dennis Xu
> Sent: Tuesday, March 14, 2000 9:13 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Urgent help! -- failed in SSLv3 read client certificate.
>
>
> IOS 12.0.7T is used in my Cisco router, which is introduced SSL to support
> OSP (interdomain VOIP settlement) communications between Cisco router and
> our application server.
> The engineer of Cisco told me, in this version, no client certificate sent
> at SSL connection setup phase. So I have to disable the client
> authentication, in order to not request client's certificate. So I failed on
> my server side.
>
> I tried my SSL server without "verify". For openssl s_client, it works
> well, client really did not send its certificate out. But for router as a
> client, it failed. The error message at both side are the same, as if it
> doesn't work.
>
> Could someone have any idea & advices?
>
> Thanks in advance,
>
> Dennis
>
> #show run
> crypto ca certificate chain netruencc.com
> certificate 2091EC132A491950C6BD873377D5E2F5
> quit
> certificate ca 208F05124449BF80A46412941971C51B
> quit
>
> ----- Original Message -----
> From: "Max Pritikin" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Monday, March 13, 2000 5:33 PM
> Subject: Re: Urgent help! -- failed in SSLv3 read client certificate.
>
>
> > What version of IOS are you running on the router? What did you do to make
> > it connect via SSL to the server?
> >
> > I'll bet that the router is sending both the ca certificate (received when
> > you did 'cr ca auth identname') and the router certificate (received when
> > you did 'cr ca enroll identname') as a cert chain.
> >
> > - max
> >
> > -----Original Message-----
> > From: Dennis Xu <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> > Date: Monday, March 13, 2000 4:32 PM
> > Subject: Re: Urgent help! -- failed in SSLv3 read client certificate.
> >
> >
> > >The client is Cisco router. The keypair is generated by itself, and CA is
> > >Verisign OnSite (IPSec).
> > >The debug info from client side is following:
> > >
> > >6d01h: SSL Client Initialization Successful.
> > >6d01h: SSL: client hello encoded successfully.
> > >6d01h: SSL: write record: type: ssl handshake.
> > >6d01h: 01 00 00 2F 03 00 38 CC 27 51 E3 8F 2B F4 88 2A 66 AC E7 B3
> > >6d01h: E1 42 7B C5 59 A2 1A E4 9B 8E 15 AA 47 6A 51 91 71 78 00 00
> > >6d01h: 08 00 08 00 09 00 0E 00 0F 01 00
> > >6d01h: SSL write: 56 bytes to tcb 81D2279C
> > >6d01h: SSL: read 5 bytes from tcb: 81D2279C
> > >6d01h: SSL: read 74 bytes from tcb: 81D2279C
> > >6d01h: SSL: process server_hello
> > >6d01h: SSL: server hello processed successfully.
> > >6d01h: SSL: read 5 bytes from tcb: 81D2279C
> > >6d01h: SSL: read 1484 bytes from tcb: 81D2279C
> > >6d01h: SSL: process certificate
> > >6d01h: SSL: write record: type: ssl alter
> > >6d01h: 02 00
> > >6d01h: SSL Handshake failed for session 1, sock 0
> > >6d01h: SSL: write record: type: ssl alter
> > >6d01h: 01 00
> > >6d01h: SSL write: 7 bytes to tcb 81D2279C
> > >6d01h: SSL write: 7 bytes to tcb 81D2279C
> > >Error: failed to create a new SSL connection
> > >
> > >Hope it is helpful,
> > >
> > >Thanks in advance,
> > >
> > >Dennis
> > >
> > >----- Original Message -----
> > >From: "Bodo Moeller" <[EMAIL PROTECTED]>
> > >To: <[EMAIL PROTECTED]>
> > >Sent: Saturday, March 11, 2000 6:14 AM
> > >Subject: Re: Urgent help! -- failed in SSLv3 read client certificate.
> > >
> > >
> > >> On Fri, Mar 10, 2000 at 11:21:51AM -0800, Dennis Xu wrote:
> > >>
> > >> > I need to accept a client's SSL connection request without client
> > >> > certificate received.
> > >> > I try the following command, I have not defined -verify parameter.
> > >> > but why the problem is still there. (same as -verify)
> > >> > -------------------------------------------------------------
> > >> > D:\OSPSSL>openssl s_server -accept 443 -CApath .\ -CAfile MyCaCert.pem -cert .\certs\SerCert.pem -key .\certs\SerKEY.pem -state
> > >> >
> > >> > SSL3 alert read:fatal:close notify
> > >> > SSL_accept:failed in SSLv3 read client certificate A
> > >> > ERROR
> > >> > 371:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):.\ssl\s3_pkt.c:774:
> > >> > SSL alert number 0
> > >> > shutting down SSL
> > >>
> > >> You don't tell us what client software you are testing with, and what
> > >> happens at the client side (e.g. whether an "unknown CA" alert box
> > >> pops up). If you test with s_client, you'll most likely see that this
> > >> works.
> > >>
> > >> ______________________________________________________________________
> > >> OpenSSL Project                                 http://www.openssl.org
> > >> User Support Mailing List                    [EMAIL PROTECTED]
> > >> Automated List Manager                           [EMAIL PROTECTED]
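
The handshake bytes in the router debug output quoted in this thread can be decoded directly. The following is an added example, not code from any poster in the thread: it parses the ClientHello and the two alert records from the log. The cipher suite names come from the IANA TLS registry and are an assumption in the sense that they do not appear on the page.

```python
# Added example: decode the SSLv3 handshake bytes from the router debug log.
# Hex copied from the "6d01h:" lines quoted in the thread.
CLIENT_HELLO_HEX = """
01 00 00 2F 03 00 38 CC 27 51 E3 8F 2B F4 88 2A 66 AC E7 B3
E1 42 7B C5 59 A2 1A E4 9B 8E 15 AA 47 6A 51 91 71 78 00 00
08 00 08 00 09 00 0E 00 0F 01 00
"""
# Names from the IANA TLS cipher suite registry (assumption: not on the page).
SUITES = {
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000F: "TLS_DH_RSA_WITH_DES_CBC_SHA",
}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify"}  # only the description seen in this trace


def parse_client_hello(hex_text):
    """Parse one handshake message (4-byte header + ClientHello body)."""
    data = bytes.fromhex("".join(hex_text.split()))
    if data[0] != 1 or int.from_bytes(data[1:4], "big") != len(data) - 4:
        raise ValueError("not a complete ClientHello")
    body = data[4:]
    pos = 2 + 32                      # version (2) + client random (32)
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    return {
        "version": (body[0], body[1]),
        "session_id_len": sid_len,
        "suites": [SUITES.get(s, hex(s)) for s in suites],
        "compression": list(body[pos + 1:pos + 1 + comp_len]),
    }


def decode_alert(hex_text):
    """Decode a 2-byte alert body: level, then description."""
    level, desc = bytes.fromhex("".join(hex_text.split()))
    return ALERT_LEVEL.get(level, str(level)), ALERT_DESC.get(desc, str(desc))


if __name__ == "__main__":
    print(parse_client_hello(CLIENT_HELLO_HEX))
    for alert in ("02 00", "01 00"):  # the two "ssl alter" records in the log
        print(decode_alert(alert))
```

Decoded, the router offers only single-DES and export-grade suites over SSL 3.0, and the fatal alert it sends carries description 0, which matches `SSL alert number 0` in the s_server output.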