Samy,
 
Thanks for your reply. On the server side (Java), I have explicitly set client authentication to true.
 
ks.load(new FileInputStream(KEYSTORE_FILE), passphrase);

kmf.init(ks, passphrase);
ctx.init(kmf.getKeyManagers(), null, null);
ssf = ctx.getServerSocketFactory();

sSocket = (SSLServerSocket) ssf.createServerSocket(tcpPort, 10);    // Creation of server socket

sSocket.setNeedClientAuth(true);    // Needs successful client authentication
 
<snip>
So to verify the authenticity of the certificate you should have the CA (who signed the cert) in your list of "trusted CAs".
</snip>
That CA cert is in the keystore file already of the server side.
 
 
Also, I am not using .PEM certificates; I am using what keytool created, and I got the CSR signed.
 
 
 
 -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Samy Thiyagarajan
Sent: Tuesday, January 31, 2006 4:03 PM
To: openssl-users@openssl.org
Subject: Re: SSL_connect fails with SSL_ERROR_SSL

Dear all,

Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2
certs - one for client and the other for the server. I have checked that
these certificates are ok.

I am attempting to write a SSL client-server program.

SSL Server: Java. It has a keystore, which contains the server cert and the
CA cert.

SSL Client: C. In the program, using appropriate OpenSSL calls, I have added
the client certificate, the private key and the CA cert to the context.
Please see the code snippet.


...
Initialization is successful, but the handshake fails. We first create a TCP
socket and then "connect", as shown below. Then we call SSL_connect, which
fails with SSL_ERROR_SSL. At this point, the Java server outputs
SSLException "No Trusted certificate".


>> If you want client authentication, you need to explicitly state this at the server side (i.e., you should ask
the client to send the certificate). So to verify the authenticity of the certificate you should have the CA (who signed the cert) in your list of "trusted CAs".

I believe you need the following function..
SSL_CTX_set_verify()

I somewhere found that Java does not support .pem format keystores (but I'm not sure). If I am right and if you are using .pem, that might also be a reason.

Hope this helps,
Samy

    sd = socket(AF_INET, SOCK_STREAM, 0);
    int c = connect(sd, (struct sockaddr *) &host_id, sizeof(host_id));

    // By now, the SSL context is initialized and the TCP sockets are created.
    // Now, SSLize the TCP sockets.

    ssl = SSL_new(ctx);              // create an SSL object from the SSL context.
    r = SSL_set_fd(ssl, sd);         // Associate the network connection with the SSL object.

    int err = SSL_connect(ssl);      // Initiate the SSL handshake *********FAILS HERE ************
    if (err <= 0)
    {
        int errcode = SSL_get_error(ssl, err);
        switch (errcode)
        {
            /* other cases */
            case SSL_ERROR_SSL:
                LogMesg(logger, LOGFATAL, "SSL connect: Protocol Error.");
                break;
        }
    }


Can anyone please tell me what is happening?


Best regards,
Ambarish.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
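The configuration this thread is circling around, as an added example that is not part of the original posts or of OpenSSL: a mutual-TLS handshake with both ends in one Go program. Go is used here rather than the C/Java split in the thread because its standard library can mint the CA, server and client certificates in memory and run both sides over loopback with no files or external network. The names issue, handshake, RunScenarios and Outcome and the scenario labels are this example's own. The mapping to the thread is: ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs on the server is the counterpart of setNeedClientAuth(true) with the CA certificate in the server's trust store, and RootCAs on the client is the counterpart of loading the CA on the OpenSSL side and verifying the peer with SSL_CTX_set_verify(SSL_VERIFY_PEER). The third scenario reproduces the symptom in the thread: the server rejects a client certificate it cannot chain to a trusted CA and gets the informative error, while the client only sees a generic handshake failure, the equivalent of SSL_ERROR_SSL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // constructed test PKI: serial numbers simply count up

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn: a self-signed CA when parent is nil, otherwise an
// end-entity certificate (usable for both server and client auth) signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, DNSNames: []string{"localhost"},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func tlsCert(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// Outcome holds the error each side observed in one handshake (nil means that side succeeded).
type Outcome struct{ ServerErr, ClientErr error }

// handshake runs a single TLS handshake over a loopback TCP connection.
func handshake(serverCfg, clientCfg *tls.Config) Outcome {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		check(err)
		defer raw.Close()
		done <- tls.Server(raw, serverCfg).Handshake()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	check(err)
	defer raw.Close()
	clientErr := tls.Client(raw, clientCfg).Handshake()
	return Outcome{ServerErr: <-done, ClientErr: clientErr}
}

// RunScenarios builds a test CA, a server cert, a client cert and a second CA the server
// has never heard of, then runs four client configurations against one server config.
func RunScenarios() map[string]Outcome {
	caCert, caKey := issue("Test CA", nil, nil)
	srvCert, srvKey := issue("server", caCert, caKey)
	cliCert, cliKey := issue("client", caCert, caKey)
	rogueCA, rogueKey := issue("Rogue CA", nil, nil)
	rogueCli, rogueCliKey := issue("client", rogueCA, rogueKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	// Server side: the equivalent of setNeedClientAuth(true) with the CA cert in the trust store.
	server := &tls.Config{
		Certificates: []tls.Certificate{tlsCert(srvCert, srvKey)},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trusted,
		MaxVersion:   tls.VersionTLS12, // in TLS 1.2 the client sees the server's alert inside Handshake()
	}
	// Client side: an optional client cert plus the roots used to verify the server.
	client := func(cert *tls.Certificate, roots *x509.CertPool) *tls.Config {
		cfg := &tls.Config{ServerName: "localhost", RootCAs: roots}
		if cert != nil {
			cfg.Certificates = []tls.Certificate{*cert}
		}
		return cfg
	}
	good, rogue := tlsCert(cliCert, cliKey), tlsCert(rogueCli, rogueCliKey)
	return map[string]Outcome{
		"mutual auth, CA trusted on both sides":           handshake(server, client(&good, trusted)),
		"client sends no certificate":                     handshake(server, client(nil, trusted)),
		"client cert from a CA the server does not trust": handshake(server, client(&rogue, trusted)),
		"client does not trust the server's CA":           handshake(server, client(&good, x509.NewCertPool())),
	}
}

func main() {
	for name, o := range RunScenarios() {
		fmt.Printf("%s\n  server: %v\n  client: %v\n", name, o.ServerErr, o.ClientErr)
	}
}
```

Run it with go run; each scenario prints the error seen by each side, and only the first succeeds. The server config pins TLS 1.2 because in TLS 1.3 the client's Handshake() returns before the server has checked the client certificate, so the rejection would only surface on the client's first Read(). One thing the Go version makes explicit that the Java snippet earlier in this thread does not: SSLContext.init(kmf.getKeyManagers(), null, null) passes no TrustManagers, so the JVM verifies client certificates against its default trust store rather than against KEYSTORE_FILE; to use the CA certificate that is in that keystore, initialise a TrustManagerFactory from the same keystore and pass its getTrustManagers() as the second argument, which is the Java counterpart of ClientCAs here.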
