Hi,

I have been trying to use openssl and, in particular, "openssl s_client"
to try to diagnose some problems that I have been having working with
some (server and client) certificates that I think were created using an
RSA product (Keon, I think).

The original problem that started all of this is that I have one of
these server certificates, and I installed it in a web server (IIS5).  I
then enabled server SSL only.  That seemed to work fine, but I need to
also get client authentication working, so I got a client certificate
from the same CA.  When I tried to do this, and tried to connect to the
web server with IE, I got a popup window with no client certs being
displayed.

So, I figured that I'd try to use "openssl s_client" to see if this CA was
showing up in the list of CA certs that the web server was sending
during the SSL handshake.  But, when I tried that, I am getting "No
client certificate CA names sent" (I'm attaching the "openssl s_client"
output below).

At first, I thought that something was wrong with my web server
configuration (i.e., that I hadn't enabled client authentication on the
web server), but I found that if I connect to the web server using a
browser from another machine where I have some test client certs from
some other CAs (e.g., Thawte), I DO get some of those other client certs
appearing in the popup window!

Now, I am really puzzled :(...

It seems that client authentication must be enabled on the web server. 
Otherwise, when I connect with the browser with the other client certs,
I wouldn't get those client certs appearing in the browser popup
window.  

But then, why is "openssl s_client" showing "No client certificate CA
names sent"?

When "openssl s_client" handshakes with the server, is there anything
that it might be sending to the web server that would tell the server
NOT to send the list of CA certs or that would prevent the server from
sending the list of CA certs?

Sorry for the somewhat longish post, but I hope that someone might be
able to help.

Thanks in advance,
Jim


--------------------- Output from 'openssl s_client' -----------------------
CONNECTED(00000370)
---
Certificate chain
 0 s:/CN=testwin2k.foo.com/OU=this is a test OU4/O=this is a test org
4/L=VA/ST=Mytown/C=US
   i:/[EMAIL PROTECTED]/C=us/O=ATest1Dept/OU=ATest1Co/CN=ATest1
-----BEGIN CERTIFICATE-----
MIIC7jCCAlegAwIBAgIQaaY1+UT2mCHvi7HJ4bwWmTANBgkqhkiG9w0BAQUFADBe
MRYwFAYJKoZIhvcNAQkBFgdmb29AZm9vMQswCQYDVQQGEwJ1czETMBEGA1UEChMK
.
<snip>
.
gQBUWxQBK0rr143hzP80pkckKXmkmQ8sf2nz1yIZuvKIURrFvKXD/NMQeXbaFs7a
ak+2PKMupfIREI3Q3LrWADGewLxzQIOwJx7gVhU5drFVA6Pwo/SsdtOyITPh/88s
kQP7rK3VPeDkmGUkO/bVFiGqEDu+1QCpQHthTZaVdguVQw==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=testwin2k.foo.com/OU=this is a test OU4/O=this is a test org
4/L=VA/ST=Mytown/C=US
issuer=/[EMAIL PROTECTED]/C=us/O=ATest1Dept/OU=ATest1Co/CN=ATest1
---
No client certificate CA names sent
---
SSL handshake has read 890 bytes and written 330 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID:
361200003BA83C661ACD5DB039551CBD647D97499C6F5B1A1730DB9596047D84
    Session-ID-ctx: 
    Master-Key:
9733FB592E6B4B14A44F121E0FC40E4A0AFB2CD18C5AB34CAA1A5FE297BB23DE562B6FA2262DF64A65C4CE9D05C469EF
    Key-Arg   : None
    Start Time: 1109630060
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Mon, 28 Feb 2005 22:34:26 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect.
</body></html>
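An added example, not part of Jim's post: a small POSIX shell helper that reads the text "openssl s_client" prints, pulls the CA list out of the server's CertificateRequest (the "Acceptable client certificate CA names" block that replaces the "No client certificate CA names sent" line when the server does ask for a client cert), and checks whether a given issuer DN is in that list. The check_server wrapper, its host:port argument and the DN strings are assumptions; the parsing functions work on captured output and need no network.

```shell
#!/bin/sh
# Added example (not from the original post): inspect what "openssl s_client"
# reports about the server's CertificateRequest and compare it with the
# issuer of the client certificate you intend to present.

# Read s_client output on stdin; print one acceptable CA name per line,
# or the single word NONE when the server sent no CA list at all.
ca_names_from_output() {
    awk '
        /^No client certificate CA names sent/ { print "NONE"; exit }
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && /^---/ { exit }
        # newer s_client versions print these extra lines inside the block
        in_list && /^(Client Certificate Types|Requested Signature|Shared Requested)/ { next }
        in_list && NF { print }
    '
}

# Is the DN given as $1 present (as a whole line) in the list read on stdin?
issuer_in_list() {
    grep -F -x -q -- "$1"
}

# Live check (assumed usage; needs the network and the openssl binary):
# $1 is host:port, $2 is the issuer DN of your client certificate, as
# printed by "openssl x509 -noout -issuer -in client.pem".
check_server() {
    names=$(openssl s_client -connect "$1" </dev/null 2>/dev/null | ca_names_from_output)
    if [ "$names" = "NONE" ]; then
        echo "server sent no CA list: no client certificate was requested in this handshake"
        return 2
    elif printf '%s\n' "$names" | issuer_in_list "$2"; then
        echo "issuer is in the server's CA list"
        return 0
    else
        echo "issuer is NOT in the server's CA list; names the server sent:"
        printf '%s\n' "$names"
        return 1
    fi
}
```

A return of 2 from check_server corresponds to exactly the "No client certificate CA names sent" line in the output above; a return of 1 means the server did request a client certificate, but not from the CA that issued yours.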
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]