AMEN!
Why is it easier to answer dumb question after dumb question here rather than 
to document the darned product once? (Never mind the cumulative labor of all 
the programmers trying to figure out and debug the same problems again and 
again and again, all over the world.)
Consider http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf. Doesn’t *some* of the 
responsibility for these (severe and scary!) problems fall on the lack of clear 
documentation?
It’s a GREAT product and I love it and am grateful but why after years and 
years do the man pages still say “under construction”?
Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Sanford Staab
Sent: Tuesday, November 13, 2012 10:35 AM
To: openssl-users@openssl.org
Subject: I can't believe how much this sucks
I have been struggling with openssl for a few months now writing batch scripts 
on windows trying to make a .net web client with a client certificate work with 
2-way ssl against an apache web server.
Do you guys just want to continue to answer questions on this alias and not FIX 
the docs somewhat over time?  I could go into a litany of how much information 
is just missing from the docs with INCOMPLETE everywhere.  (see this link 
<http://www.wolmarans.com/drupal/?q=node/22>  for one of the 900k+ hits on a 
google search of “openssl+docs+suck” for how much hell you guys are putting 
people through trying to figure out this tool)
openssl is used all over the world by tons of people (so I feel dumb having 
problems here – but I know from Google I am not alone.) but it is just 
unbelievable to me that the docs remain so terse and useless for so many years.
I have sent email to this alias previously asking how I can help with this.  It 
seems to me there should be an openssl docs forum where content from this 
eventually finds its way into the online docs themselves.
A tool is only as good as people are able to use it.
So let me get specific here – one simple specific question (of many that I 
have) that has me clueless:
The command of:

openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert 
ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass 
file:ssl\keys\Client_1_pwd.txt
results in output containing:

No client certificate CA names sent
from the docs for the s_client command, the -cert option says:

-cert certname 

The certificate to use, if one is requested by the server. The default is not 
to use a certificate. 

My guess from this is that this command is referring to the CLIENT SSL 
certificate - no?  If my assumption is correct, then why am I getting this 
error?  Or is this a notification of something normal and I should be looking 
elsewhere?

 

I have checked the Apache httpd-ssl.cnf file I am using and verified that all 
the certificate related parts are filled in and I have verified the integrity 
of all the certificates referenced by it.

I have been able to do straight one-way SSL with the server as well with both 
IE and Chrome browsers.  Two-way SSL fails with the server logs indicating that 
the client “refused” the connection.

I am using a self-signed CA which was used to sign the server certificate.  The 
client certificate is also signed by the same CA self-signed certificate.

Apache error logs give me this:

[Tue Nov 13 12:38:56 2012] [error] [client 127.0.0.1] Invalid method in request

Which is about as useful as the openssl docs are.

I am also seeing this in openssl’s s_client output:

verify error:num=19:self signed certificate in certificate chain

From what I think I understand, this should not be a showstopper problem as 
all root CA certs would naturally be self-signed, no?

Full output of this operation with the -showcerts command is attached for 
reference.

I have read through many forum examples of how to do this and it seems simple 
enough, but then when it doesn’t work, figuring out what things MEAN and how to 
address what is wrong proves to be very difficult indeed.
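The two s_client lines quoted in the message above ("No client certificate CA names sent" and "verify error:num=19:self signed certificate in certificate chain") are TLS-handshake diagnostics printed by s_client itself, not Apache errors, and they are the lines worth reading first when two-way SSL fails. The script below is an added example, not part of this thread and not OpenSSL code: it triages a saved s_client transcript, pulls out every verify error, the final "Verify return code", and the server's acceptable-CA list, and attaches the meaning of each. It covers the general case (any X509_V_ERR code in its table, a populated CA-name list) rather than only the run in the message; both transcripts embedded in it are constructed samples, and the Apache directive names in the hints are the mod_ssl ones.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed s_client transcript (not the poster's attachment): a private-CA
# server whose root is missing from the client's trust store, and a server that
# sent no CA names in its CertificateRequest.
SAMPLE_NO_CA_NAMES = """CONNECTED(00000003)
depth=1 C = US, O = Example CA, CN = Example Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/O=Example/CN=www.example.test
   i:/C=US/O=Example CA/CN=Example Root CA
---
No client certificate CA names sent
---
SSL handshake has read 2432 bytes and written 457 bytes
Verify return code: 19 (self signed certificate in certificate chain)
"""

# Constructed transcript of the healthy case: trusted root, server names the CA
# it will accept client certificates from.
SAMPLE_WITH_CA_NAMES = """CONNECTED(00000003)
depth=1 C = US, O = Example CA, CN = Example Root CA
verify return:1
depth=0 C = US, O = Example, CN = www.example.test
verify return:1
---
Acceptable client certificate CA names
/C=US/O=Example CA/CN=Example Root CA
---
SSL handshake has read 2532 bytes and written 1873 bytes
Verify return code: 0 (ok)
"""

# X509_V_ERR_* codes that usually turn up when a private CA is in play.
VERIFY_ERRORS = {
    18: ("X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
         "the server certificate itself is self-signed and is not in the trust store"),
    19: ("X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
         "the root that signed the chain is not in the store given by -CAfile/-CApath; "
         "a -CApath directory must be hashed (c_rehash / openssl rehash) to be usable"),
    20: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
         "an intermediate or root in the chain could not be found locally"),
    21: ("X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
         "only the leaf certificate was sent and its issuer is unknown"),
}

VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
RETURN_CODE_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$")
# Lines that end the CA-name list in newer s_client versions.
CA_LIST_TERMINATORS = ("---", "Client Certificate Types", "Requested Signature",
                       "Shared Requested Signature", "Peer signing digest")


@dataclass
class Triage:
    verify_errors: List[Tuple[int, str]] = field(default_factory=list)
    return_code: Optional[int] = None
    ca_names_sent: bool = False
    ca_names: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def triage_s_client(output: str) -> Triage:
    """Extract the handshake diagnostics from an s_client transcript."""
    t = Triage()
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = VERIFY_ERR_RE.match(line)
        if m:
            t.verify_errors.append((int(m.group(1)), m.group(2)))
        m = RETURN_CODE_RE.match(line)
        if m:
            t.return_code = int(m.group(1))
        if line == "No client certificate CA names sent":
            # Informational: printed even on a successful one-way handshake.
            t.notes.append("server sent no CA names: either it did not request a client "
                           "certificate on this connection, or its CertificateRequest carried "
                           "an empty CA list (mod_ssl: SSLVerifyClient, SSLCACertificateFile, "
                           "SSLCADNRequestFile)")
        elif line == "Acceptable client certificate CA names":
            t.ca_names_sent = True
            i += 1
            while i < len(lines) and not lines[i].startswith(CA_LIST_TERMINATORS):
                t.ca_names.append(lines[i].strip())
                i += 1
            continue
        i += 1
    for code, msg in t.verify_errors:
        name, hint = VERIFY_ERRORS.get(code, ("unknown X509_V_ERR code", msg))
        t.notes.append(f"verify error {code} ({name}): {hint}")
    if t.return_code == 0:
        t.notes.append("server chain verified OK against the supplied trust store")
    return t


if __name__ == "__main__":
    for sample in (SAMPLE_NO_CA_NAMES, SAMPLE_WITH_CA_NAMES):
        result = triage_s_client(sample)
        print(f"return code={result.return_code} ca_names={result.ca_names}")
        for note in result.notes:
            print("  -", note)
```

Feed it the saved output of `openssl s_client -showcerts ...` (redirect stdout and stderr to one file, since the `verify error` lines go to stderr). A chain that verifies with return code 0 but still shows "No client certificate CA names sent" points at the server side not asking for a client certificate; a non-zero return code with the same message means the client's trust store has to be fixed first, because the server's request cannot be evaluated until the chain itself verifies.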
