On Tue, Dec 26, 2000 at 11:15:36AM -0500, Rich Salz wrote:
> [Tue Dec 26 11:11:35 2000] [error] mod_ssl: SSL handshake failed
> (server os390.caveosystems.com:8443, client 10.139.16.1) (OpenSSL
> library error follows)
> [Tue Dec 26 11:11:35 2000] [error] OpenSSL: error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject
> CN in certificate not server name or identical to CA!?]
Rich,

I don't know if this is it, but your CA cert doesn't (seem to)
contain an X.509v3 Basic Constraint that says "CA: True".

Here's what M2Crypto's CA cert (generated by CA.pl) says:

/usr/local/home/ngps/prog/m2/demo/ssl:$ python
Python 2.0 (#4, Oct 18 2000, 23:09:30)
[GCC 2.95.2 19991024 (release)] on freebsd4
Type "copyright", "credits" or "license" for more information.
>>> from M2Crypto import X509
>>> c = X509.load_cert('ca.pem')
>>> print c.as_text()
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=SG, O=M2Crypto, OU=M2Crypto CA, CN=M2Crypto Certificate [EMAIL PROTECTED]
        Validity
            Not Before: Sep 10 08:58:35 2000 GMT
            Not After : Sep 10 08:58:35 2003 GMT
        Subject: C=SG, O=M2Crypto, OU=M2Crypto CA, CN=M2Crypto Certificate [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    [...]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FB:87:23:69:EB:9C:3A:93:15:E5:C5:BF:29:51:4F:FE:ED:28:38:01
            X509v3 Authority Key Identifier:
                keyid:FB:87:23:69:EB:9C:3A:93:15:E5:C5:BF:29:51:4F:FE:ED:28:38:01
                DirName:/C=SG/O=M2Crypto/OU=M2Crypto CA/CN=M2Crypto Certificate Master/Email=ngps@post1
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        [...]
>>>

Cheers.

--
Ng Pheng Siong <[EMAIL PROTECTED]> * http://www.post1.com/home/ngps
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
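
The check suggested in the reply above, as an added example that is not part of the original message and not M2Crypto or OpenSSL code: a pure-Python DER walk that reports whether a certificate carries the Basic Constraints extension and what its cA flag says. The function names and the skeleton certificates are constructed for illustration (unsigned, with filler standing in for names, validity and key); a real certificate would be passed in as DER bytes.

```python
OID_BC = bytes([0x55, 0x1D, 0x13])  # 2.5.29.19 basicConstraints

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                       # contents -> [(tag, value), ...]
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def basic_constraints_ca(cert_der):
    """True/False = cA flag of the extension; None = extension absent."""
    tbs = children(read_tlv(cert_der, 0)[1])[0][1]
    for tag, val in children(tbs):
        if tag == 0xA3:                    # [3] EXPLICIT extensions
            for _, ext in children(children(val)[0][1]):
                fields = children(ext)     # OID, optional critical, OCTET STRING
                if fields[0][1] == OID_BC:
                    seq = children(fields[-1][1])[0][1]
                    # cA is BOOLEAN DEFAULT FALSE: an empty SEQUENCE means FALSE
                    return any(t == 0x01 and v != b"\x00" for t, v in children(seq))
    return None

def tlv(tag, value=b""):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    return bytes([tag]) + head + value

def sample_cert(bc_value, critical=False):
    """Constructed, unsigned skeleton; bc_value=None omits the extension."""
    filler = tlv(0x30, tlv(0x04, bytes(150)))   # stands in for names and key
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x00") + filler
    if bc_value is not None:
        crit = tlv(0x01, b"\xff") if critical else b""
        ext = tlv(0x30, tlv(0x06, OID_BC) + crit + tlv(0x04, tlv(0x30, bc_value)))
        tbs += tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs))

if __name__ == "__main__":
    for label, bc in (("absent", None), ("empty", b""), ("cA=TRUE", tlv(0x01, b"\xff"))):
        print(label, "->", basic_constraints_ca(sample_cert(bc)))
```

A result of None corresponds to the situation the reply suspects (no Basic Constraints extension at all), which is distinct from an extension that is present but leaves cA at its default of FALSE.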