I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.
Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (See this link for one of the 900k+ hits on a Google search of "openssl+docs+suck" for how much hell you guys are putting people through trying to figure out this tool.) openssl is used all over the world by tons of people (so I feel dumb having problems here, but I know from Google I am not alone), but it is just unbelievable to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.

So let me get specific here: one simple specific question (of many that I have) that has me clueless. The command of:

    openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass file:ssl\keys\Client_1_pwd.txt

results in output containing:

    No client certificate CA names sent

From the docs for the s_client command, the -cert option says:

    -cert certname
        The certificate to use, if one is requested by the server. The default is not to use a certificate.

My guess from this is that this command is referring to the CLIENT SSL certificate - no? If my assumption is correct, then why am I getting this error? Or is this a notification of something normal and I should be looking elsewhere? I have checked the Apache httpd-ssl.cnf file I am using and verified that all the certificate related parts are filled in and I have verified the integrity of all the certificates referenced by it. I have been able to do straight one-way SSL with the server as well with both IE and Chrome browsers.
Two-way SSL fails with the server logs indicating that the client "refused" the connection. I am using a self-signed CA which was used to sign the server certificate. The client certificate is also signed by the same CA self-signed certificate. Apache error logs give me this:

    [Tue Nov 13 12:38:56 2012] [error] [client 127.0.0.1] Invalid method in request

Which is about as useful as the openssl docs are. I am also seeing this in openssl's s_client output:

    verify error:num=19:self signed certificate in certificate chain

From what I think I understand, this should not be a showstopper problem as all root CA certs would naturally be self-signed, no? Full output of this operation with the -showcerts option is attached for reference. I have read through many forum examples of how to do this and it seems simple enough, but then when it doesn't work, figuring out what things MEAN and how to address what is wrong proves to be very difficult indeed.
[Attachment: httpd-ssl.conf]
[Attachment: s_client -showcerts output]

CONNECTED(00000190)
---
Certificate chain
 0 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
-----BEGIN CERTIFICATE-----
MIID2zCCAsOgAwIBAgIBCjANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJLWTEV
MBMGA1UECBMMR3JhbmQgQ2F5bWFuMRQwEgYDVQQHEwtHZW9yZ2UgVG93bjEQMA4G
A1UEChMHQ2FzaFdpejEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxGDAWBgNVBAMTD0Nh
c2hXaXogUm9vdCBDQTAeFw0xMjExMTMxNzI5NDBaFw0yMjExMTExNzI5NDBaMGwx
CzAJBgNVBAYTAktZMRUwEwYDVQQIEwxHcmFuZCBDYXltYW4xEDAOBgNVBAoTB0Nh
c2hXaXoxFDASBgNVBAsTC0RldmVsb3BtZW50MR4wHAYDVQQDExV3d3cucGF3bm1h
c3RlcnByby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTp1dY
GOY2ew6O7CbHvokVMSYNYv/uBghjeO3hP2FVXQSCfPWk4NpCh1ve8vu9kUgZ6Ezh
slTSn7FM5RlG3NoOx1XnVkJNQ30cRX7oi01l1vwXHPvxn+dq0gJzGofamSYv6Hkm
X+zhqhiK37GFmHG5gVZVKg84fEOV10WI+9j6SuOoVg646Rsu91Q3ZYW+v08ucmrC
ZfoeuxXwZ/6kJkn8PkRb0RAgy20UMkYTPj7dgC5HkVlDdldJ1+IxegNGG0pMM6SW
E6J08mAOs4t2wZ+oybtQZ4+2aeKylMUb/EEDBkSh+bab9k4fe48cmBxj4mnumajx
b5pkm3d8HXOk1N5nAgMBAAGjeDB2MAkGA1UdEwQCMAAwHQYDVR0OBBYEFL5T2NTf
xfmf3exS2OZB+t8ghcZ/MB8GA1UdIwQYMBaAFFRJfotvTu3PmEaV9+qJf95MmP1e
MAsGA1UdDwQEAwIF4DARBglghkgBhvhCAQEEBAMCBkAwCQYDVR0RBAIwADANBgkq
hkiG9w0BAQQFAAOCAQEAXlG4az+P/JrtNVgLux67FMQomimcppYVqkPS/HgERZvp
VUhTxWClKqC+wQ4RS90VtjcMGQs7iPL5D+563u0CudBaXz3QK7oVInGLAqEIEhfa
Si/S6tKA8bxeujKY5GnppRfV9DcTYIjX1eCLx+n8neI9gwiaKgXV8XLIQoE8g/r6
3Dsfn/uLatQZM7a+V8U/JtF/fGHP81M1D2aqG2JmSayZ9gMgwPAPqI3OdGRsCDqj
zTI3z6XomblD1cUdEepMCxnhRHsGVaVXOY0ubM1zWB3b92pVDsKV8TwAlzeijGE1
vAVRptr58jAQXVIN0M3HzmtneHulvOP7UFu2Ozm4OQ==
-----END CERTIFICATE-----
 1 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
-----BEGIN CERTIFICATE-----
MIID2zCCAsOgAwIBAgIBCjANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJLWTEV
MBMGA1UECBMMR3JhbmQgQ2F5bWFuMRQwEgYDVQQHEwtHZW9yZ2UgVG93bjEQMA4G
A1UEChMHQ2FzaFdpejEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxGDAWBgNVBAMTD0Nh
c2hXaXogUm9vdCBDQTAeFw0xMjExMTMxNzI5NDBaFw0yMjExMTExNzI5NDBaMGwx
CzAJBgNVBAYTAktZMRUwEwYDVQQIEwxHcmFuZCBDYXltYW4xEDAOBgNVBAoTB0Nh
c2hXaXoxFDASBgNVBAsTC0RldmVsb3BtZW50MR4wHAYDVQQDExV3d3cucGF3bm1h
c3RlcnByby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTp1dY
GOY2ew6O7CbHvokVMSYNYv/uBghjeO3hP2FVXQSCfPWk4NpCh1ve8vu9kUgZ6Ezh
slTSn7FM5RlG3NoOx1XnVkJNQ30cRX7oi01l1vwXHPvxn+dq0gJzGofamSYv6Hkm
X+zhqhiK37GFmHG5gVZVKg84fEOV10WI+9j6SuOoVg646Rsu91Q3ZYW+v08ucmrC
ZfoeuxXwZ/6kJkn8PkRb0RAgy20UMkYTPj7dgC5HkVlDdldJ1+IxegNGG0pMM6SW
E6J08mAOs4t2wZ+oybtQZ4+2aeKylMUb/EEDBkSh+bab9k4fe48cmBxj4mnumajx
b5pkm3d8HXOk1N5nAgMBAAGjeDB2MAkGA1UdEwQCMAAwHQYDVR0OBBYEFL5T2NTf
xfmf3exS2OZB+t8ghcZ/MB8GA1UdIwQYMBaAFFRJfotvTu3PmEaV9+qJf95MmP1e
MAsGA1UdDwQEAwIF4DARBglghkgBhvhCAQEEBAMCBkAwCQYDVR0RBAIwADANBgkq
hkiG9w0BAQQFAAOCAQEAXlG4az+P/JrtNVgLux67FMQomimcppYVqkPS/HgERZvp
VUhTxWClKqC+wQ4RS90VtjcMGQs7iPL5D+563u0CudBaXz3QK7oVInGLAqEIEhfa
Si/S6tKA8bxeujKY5GnppRfV9DcTYIjX1eCLx+n8neI9gwiaKgXV8XLIQoE8g/r6
3Dsfn/uLatQZM7a+V8U/JtF/fGHP81M1D2aqG2JmSayZ9gMgwPAPqI3OdGRsCDqj
zTI3z6XomblD1cUdEepMCxnhRHsGVaVXOY0ubM1zWB3b92pVDsKV8TwAlzeijGE1
vAVRptr58jAQXVIN0M3HzmtneHulvOP7UFu2Ozm4OQ==
-----END CERTIFICATE-----
 2 s:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
-----BEGIN CERTIFICATE-----
MIIEiTCCA3GgAwIBAgIJALJPy4qRrG2uMA0GCSqGSIb3DQEBBQUAMHwxCzAJBgNV
BAYTAktZMRUwEwYDVQQIEwxHcmFuZCBDYXltYW4xFDASBgNVBAcTC0dlb3JnZSBU
b3duMRAwDgYDVQQKEwdDYXNoV2l6MRQwEgYDVQQLEwtEZXZlbG9wbWVudDEYMBYG
A1UEAxMPQ2FzaFdpeiBSb290IENBMB4XDTEyMTExMzE3MjkzNVoXDTEyMTIxMzE3
MjkzNVowfDELMAkGA1UEBhMCS1kxFTATBgNVBAgTDEdyYW5kIENheW1hbjEUMBIG
A1UEBxMLR2VvcmdlIFRvd24xEDAOBgNVBAoTB0Nhc2hXaXoxFDASBgNVBAsTC0Rl
dmVsb3BtZW50MRgwFgYDVQQDEw9DYXNoV2l6IFJvb3QgQ0EwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCrxuoK9JQgo0tpkX1cDC6QgtfMcsC8PtvVlGfX
bjT8sb3wzY/IXvhJ4D0tUD4Sjr+naMjdKI5zZd1jKQe/iUGh6hRFwlEeQ3FgisTf
csdNOJ0K95CDkdu+j32sAPMkvb24zCr0bKxPe83xpLBRA0OsXqD8AOg+G7jgItNy
LLwedtjvfmgVv/aAo+Yf6azYb03LCwljbCDJQIzR2ne2ky1RqYF7iJuErmgovXnb
8MP4rFo7rhwymGRdEMtecYdf2rpJL/Fd5sHJC3gpSqsB9EuKA/dN3gbFIWQsOtzK
BxKsakcD6tk9VU2kwTyRDXRP7gSJJamFqAqagz/pdSKHZ6P5AgMBAAGjggEMMIIB
CDAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRUSX6Lb07tz5hGlffqiX/eTJj9XjCB
rwYDVR0jBIGnMIGkgBRUSX6Lb07tz5hGlffqiX/eTJj9XqGBgKR+MHwxCzAJBgNV
BAYTAktZMRUwEwYDVQQIEwxHcmFuZCBDYXltYW4xFDASBgNVBAcTC0dlb3JnZSBU
b3duMRAwDgYDVQQKEwdDYXNoV2l6MRQwEgYDVQQLEwtEZXZlbG9wbWVudDEYMBYG
A1UEAxMPQ2FzaFdpeiBSb290IENBggkAsk/LipGsba4wEQYJYIZIAYb4QgEBBAQD
AgIEMAkGA1UdEQQCMAAwCQYDVR0SBAIwADANBgkqhkiG9w0BAQUFAAOCAQEAjFf6
AAAPFESUVer4IZ6c0+ZwwvNIXHSrHpCGeWJvpjmgfpag8U18xIcvYbxGxx1cAup9
vSZWHH8LXq9UC+CLrLlO+sjcPtOKqu/gfgqMLasAXOsR+u8iTAjmruVVhHhMTsuR
kl6TwxYFeoBsW7v27vMHAxrOeZficdVfD9iH2nWfPC1yJ89NOv9gSD/kxo4Mf8Ls
Oj4c1zgNKJlksggO6/b/Vn4E6wDEuO1aoPz83cxDV4oRgKXH/0IEg0rM6qurBDMT
ZZ0uYIvu3BTDLc7rbVx7+byhu6lxcpCXAWbok7leuWqU/OW6eLKeWOq9N2qDcrIc
5uQP5sKCyTkQRpEyPA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
issuer=/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
---
No client certificate CA names sent
---
SSL handshake has read 4031 bytes and written 408 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C5FADB72C74AA2D8B2E20951D6417DF6DF13CEC026A4B070D985C9DCB27EA9BD
    Session-ID-ctx:
    Master-Key: 639DBACD753E80836F612AB2F8DD8C234C5A2F9507D63941F113D2D22AFE174E5690C4820AA9A940D9B492E72BFA75A7
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 15 56 e4 83 50 ce 74 d3-20 5a 96 c2 8d 3f cf 80   .V..P.t. Z...?..
    0010 - 4f 36 c3 53 31 72 53 b9-8c 64 8e 7b 6d 74 1a 7c   O6.S1rS..d.{mt.|
    0020 - 74 58 51 f5 dc ef 6f 2e-97 55 3d e5 13 fe e1 50   tXQ...o..U=....P
    0030 - ce c2 ee e8 ab 56 0f c3-46 b2 55 15 1a 44 10 2e   .....V..F.U..D..
    0040 - e0 7d 18 53 00 0f 29 6c-4b d4 04 d3 bf c6 c6 fd   .}.S..)lK.......
    0050 - 5d 3e 49 e3 82 20 a2 4f-b1 92 a2 1c c3 e4 97 f4   ]>I.. .O........
    0060 - 29 a4 1b e6 1b f1 cc 2a-37 88 51 ec 14 2a f5 c7   )......*7.Q..*..
    0070 - c6 19 cd 28 e7 b3 a2 b1-f5 e9 ac 0b 48 28 e7 68   ...(........H(.h
    0080 - bd 93 86 1d 01 ce 44 c6-7d 52 d0 da 8e 8e fc 5e   ......D.}R.....^
    0090 - 52 ec 35 d1 8e 31 bc c1-6f 55 e9 2c bf 13 b7 1f   R.5..1..oU.,....
    00a0 - aa 53 aa 9c 97 bb ce 1a-89 e9 30 4a cc 7d 23 d7   .S........0J.}#.
    00b0 - 51 80 54 86 67 47 a5 ce-50 2b 12 11 72 4c 1a 40   Q.T.gG..P+..rL.@

    Start Time: 1352831126
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:webmas...@cashwiz.com" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
    body { color: #000000; background-color: #FFFFFF; }
    a:link { color: #0000CC; }
    p, address {margin-left: 3em;}
    span {font-size: smaller;}
/*]]>*/--></style>
</head>
<body>
<h1>Object not found!</h1>
<p>
    The requested URL was not found on this server.
    If you entered the URL manually please check your
    spelling and try again.
</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:webmas...@cashwiz.com">webmaster</a>.
</p>
<h2>Error 404</h2>
<address>
  <a href="/">www.pawnmasterpro.com</a><br />
  <span>11/13/12 13:26:18<br />
  Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1</span>
</address>
</body>
</html>
closed
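The two s_client lines the post asks about are diagnostic, not errors in the client's own certificate: "No client certificate CA names sent" is printed when the server never sent a CertificateRequest in that handshake (so -cert and -key are never consulted), and verify code 19 means the chain's self-signed root was not found in the trust store s_client was given (a -CApath directory only works when it holds hash-named links made by c_rehash or openssl rehash; -CAfile takes the root file directly). The parser below, an added example written for this page and not code from the post or from OpenSSL, reads an s_client transcript and reports exactly those conditions, plus the duplicated chain entry visible in the attached output (entries 0 and 1 are the same server certificate). The transcripts it runs on are constructed and abridged, with the certificate bodies elided; the function names are this example's own.

```python
"""Summarise what an `openssl s_client` transcript shows about client-cert
negotiation and server-chain verification. Added example for this page;
not code from the original post or from the OpenSSL project."""
import re
from dataclasses import dataclass

# Constructed, abridged transcript modelled on the one attached to the post
# (certificate PEM bodies left out). The same server cert appears twice.
SAMPLE_NO_REQUEST = """\
CONNECTED(00000190)
---
Certificate chain
 0 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
 1 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
 2 s:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
---
No client certificate CA names sent
---
SSL handshake has read 4031 bytes and written 408 bytes
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Constructed transcript of what a server that does request a client
# certificate, against a trusted root, would print instead.
SAMPLE_REQUESTED = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
---
Acceptable client certificate CA names
/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
---
SSL handshake has read 2210 bytes and written 1530 bytes
    Verify return code: 0 (ok)
"""


@dataclass
class HandshakeSummary:
    chain: list                  # (subject, issuer) pairs in the order sent
    client_cert_requested: bool  # server sent a CertificateRequest?
    acceptable_cas: list         # issuer DNs listed in that request
    verify_code: int             # X509 verify result; 19 = self-signed in chain
    verify_reason: str


def parse_s_client(text: str) -> HandshakeSummary:
    """Extract chain, CertificateRequest state and verify result from s_client output."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", text, re.MULTILINE)
    chain = [(s.strip(), i.strip()) for s, i in pairs]

    header = "Acceptable client certificate CA names"
    requested = header in text
    cas = []
    if requested:
        for line in text.split(header, 1)[1].splitlines()[1:]:
            if line.startswith("---"):
                break
            if "=" in line:          # a DN line, e.g. /C=KY/.../CN=CashWiz Root CA
                cas.append(line.strip())

    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", text)
    code, reason = (int(m.group(1)), m.group(2)) if m else (-1, "not found")
    return HandshakeSummary(chain, requested, cas, code, reason)


def diagnose(s: HandshakeSummary) -> list:
    """Return (code, explanation) findings for the conditions seen in the post."""
    findings = []
    if not s.client_cert_requested:
        findings.append(("NO_CERT_REQUEST",
            "Server sent no CertificateRequest, so -cert/-key were never used. "
            "Check SSLVerifyClient and SSLCACertificateFile on the server; if "
            "SSLVerifyClient is set only inside <Location>/<Directory>, mod_ssl "
            "asks for the certificate by renegotiating after the HTTP request, "
            "which s_client's initial handshake does not show."))
    if s.verify_code == 19:
        findings.append(("ROOT_NOT_TRUSTED",
            "The self-signed root in the chain is not in the trust store given "
            "to s_client. A -CApath directory needs hash-named links (c_rehash "
            "or openssl rehash); -CAfile <root.crt> avoids that requirement."))
    elif s.verify_code != 0:
        findings.append(("VERIFY_FAILED", f"code {s.verify_code}: {s.verify_reason}"))
    if len(s.chain) != len(set(s.chain)):
        findings.append(("DUPLICATE_CHAIN_ENTRY",
            "The same certificate appears more than once in the chain; the "
            "server is likely sending its own certificate again from its "
            "chain file."))
    return findings


if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_NO_REQUEST), ("requested", SAMPLE_REQUESTED)):
        summary = parse_s_client(sample)
        print(f"[{name}] chain={len(summary.chain)} requested={summary.client_cert_requested} "
              f"verify={summary.verify_code} ({summary.verify_reason})")
        for code, why in diagnose(summary):
            print(f"  {code}: {why}")
```

Run against a real transcript by reading the s_client output from a file and passing it to parse_s_client; the check for "Acceptable client certificate CA names" is the quickest way to confirm that the server-side SSLVerifyClient configuration is actually in effect for the handshake being tested.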