At 06:54 AM 10/5/2006, Marek Marcola wrote:
Hello,
> > > >>Trying to test certs before moving on to LDAP tests. The certs were
> > > >>obtained from a CA running on a MS box. Here's what happens:
> > > >>
> > > >>openssl s_client -connect adtest:636 -cert foo.pem "-CAfile"
homeca_ce
> > > >>rt_chain.p7b
> >
> >The above command is the problem. You can't use a PKCS#7 (.p7b) file
directly
> >in the -CAfile command.
> >
> > >
> > > openssl pkcs7 -inform der -in homeca_cert_chain.p7b -noout -print_certs
> > > -text
> >
> >Use the above command to say the certificate to a PEM file. For exampl
> >home_ca.pem and use that file for the -CAfile.
>
> It doesn't change anything. Same error.
>
> openssl s_client -connect adtest:636 "-CAfile" homeca_cert_chain.pem
> CONNECTED(00000003)
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /CN=adtest.altdomain2000.psccos.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
> 0 s:/CN=adtest.altdomain2000.psccos.com
> i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
To check if you have proper CA cert in homeca_cert_chain.pem execute:
$ openssl x509 -in homeca_cert_chain.pem -noout -subject -issuer
output should be something like:
subject= /C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
issuer= /C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
(provided that you have one certificate in homeca_cert_chain.pem)
If you do not have such certificate then you must download
proper CA cert.
OK, I got a new copy of the cert and converted it to PEM format from DER
format. Now I get:
$ openssl s_client -connect adtest:636 "-CAfile" homeca_cert.pem
CONNECTED(00000003)
depth=1 /C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
verify return:1
depth=0 /CN=adtest.altdomain2000.psccos.com
verify return:1
---
Certificate chain
0 s:/CN=adtest.altdomain2000.psccos.com
i:/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFijCCBTSgAwIBAgIKYQMaYgAAAAAAAjANBgkqhkiG9w0BAQUFADBhMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ08xGTAXBgNVBAcTEENvbG9yYWRvIFNwcmluZ3Mx
GTAXBgNVBAoTEFByb2Nlc3MgU29mdHdhcmUxDzANBgNVBAMTBmhvbWVjYTAeFw0w
NjA5MTQxNjU3NDdaFw0wODA5MTQxNzA3NDdaMCoxKDAmBgNVBAMTH2FkdGVzdC5h
bHRkb21haW4yMDAwLnBzY2Nvcy5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAL7nVRO9pvigvqim4cqetHJu56PQlPw2MSJe2/SYcxrnA2SsdSvbBAwVTEPZ
KUqGOyGfXDV02S07MX9GR5X66YS1qkGfBzeSbX7Yx1ti9+J/PODkyZh2vwlRtTHj
PQzZ0X6p+Z5eevDxkE4lJ0jWitvhwlZF3H3X3AsBsjltqnQpAgMBAAGjggO/MIID
uzALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMC8G
CSsGAQQBgjcUAgQiHiAARABvAG0AYQBpAG4AQwBvAG4AdAByAG8AbABsAGUAcjAd
BgNVHQ4EFgQUIdHmJF8ClHMKh5ciCj+UrQtuwZkwgZoGA1UdIwSBkjCBj4AUovZy
djchr9mywKUw9EvkaSvBoDuhZaRjMGExCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
TzEZMBcGA1UEBxMQQ29sb3JhZG8gU3ByaW5nczEZMBcGA1UEChMQUHJvY2VzcyBT
b2Z0d2FyZTEPMA0GA1UEAxMGaG9tZWNhghBRMq+GTAdMg0PtqnzeHGUHMIIBGQYD
VR0fBIIBEDCCAQwwgcWggcKggb+GgbxsZGFwOi8vL0NOPWhvbWVjYSxDTj1hZHRl
c3QsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2Vz
LENOPUNvbmZpZ3VyYXRpb24sREM9YWx0ZG9tYWluMjAwMCxEQz1wc2Njb3MsREM9
Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RjbGFzcz1j
UkxEaXN0cmlidXRpb25Qb2ludDBCoECgPoY8aHR0cDovL2FkdGVzdC5hbHRkb21h
aW4yMDAwLnBzY2Nvcy5jb20vQ2VydEVucm9sbC9ob21lY2EuY3JsMIIBNAYIKwYB
BQUHAQEEggEmMIIBIjCBtQYIKwYBBQUHMAKGgahsZGFwOi8vL0NOPWhvbWVjYSxD
Tj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049
Q29uZmlndXJhdGlvbixEQz1hbHRkb21haW4yMDAwLERDPXBzY2NvcyxEQz1jb20/
Y0FDZXJ0aWZpY2F0ZT9iYXNlP29iamVjdGNsYXNzPWNlcnRpZmljYXRpb25BdXRo
b3JpdHkwaAYIKwYBBQUHMAKGXGh0dHA6Ly9hZHRlc3QuYWx0ZG9tYWluMjAwMC5w
c2Njb3MuY29tL0NlcnRFbnJvbGwvYWR0ZXN0LmFsdGRvbWFpbjIwMDAucHNjY29z
LmNvbV9ob21lY2EuY3J0MEsGA1UdEQREMEKgHwYJKwYBBAGCNxkBoBIEENuNPV9r
O/hNswSDqOAydGmCH2FkdGVzdC5hbHRkb21haW4yMDAwLnBzY2Nvcy5jb20wDQYJ
KoZIhvcNAQEFBQADQQBBwxlOIAYrY7CjsR09PEgdDhGDdcky2VYUQ6sYf8Bict28
jezE705z/+I9heVmrNQESfHPvSEk/bJ/Ge3vG+S4
-----END CERTIFICATE-----
subject=/CN=adtest.altdomain2000.psccos.com
issuer=/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority -
G2/OU
=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority -
G2/OU
=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services
Division/CN=Thawte Personal Freemail
CA/[EMAIL PROTECTED]
m
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services
Division/CN=Thawte Personal Premium CA/[EMAIL PROTECTED]
/C=US/O=First Data Digital Certificates Inc./CN=First Data Digital Certificates
Inc. Certification Authority
/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services
Division/CN=Thawte Personal Basic CA/[EMAIL PROTECTED]
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority -
G2/OU
=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/CN=GTE CyberTrust Root
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust
Glob
al Root
/OU=Copyright (c) 1997 Microsoft Corp./OU=Microsoft
Corporation/CN=Microsoft Roo
t Authority
/C=US/ST=CO/L=Colorado Springs/O=Process Software/CN=homeca
/C=US/O=VeriSign, Inc./OU=Class 2 Public Primary Certification Authority -
G2/OU
=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust
Root
---
SSL handshake has read 3950 bytes and written 342 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
D5130000CB784A2ADA235D4E8B56620832284666E7CAA6DDFE31508C4CA19D21
Session-ID-ctx:
Master-Key:
58988393B27BD52B110F77F8F97F1F63283FDEC7FBCA89F73D25BA0B5C792DC1
38322F81A4418B3A0B9BBBC2078FF502
Key-Arg : None
Start Time: 1160053953
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
bad select 38
Can I assume this is working OK now? This is connecting to an LDAP port on
a system.
------
+-------------------------------+----------------------------------------+
| Dan O'Reilly | "There are 10 types of people in this |
| Principal Engineer | world: those who understand binary |
| Process Software | and those who don't." |
| http://www.process.com | |
+-------------------------------+----------------------------------------+
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
