On Tue, Nov 13, 2012 at 6:34 PM, Sanford Staab <sanfo...@gmail.com> wrote:
> I have been struggling with openssl for a few months now writing batch
> scripts on windows trying to make a .net web client with a client
> certificate work with 2-way ssl against an apache web server.
>
> Do you guys just want to continue to answer questions on this alias and not
> FIX the docs somewhat over time? I could go into a litany of how much
> information is just missing from the docs with INCOMPLETE everywhere. (see
> this link for one of the 900k+ hits on a google search of
> “openssl+docs+suck” for how much hell you guys are putting people through
> trying to figure out this tool)
>
> openssl is used all over the world by tons of people (so I feel dumb having
> problems here – but I know from Google I am not alone.) but it is just
> unbelievable to me that the docs remain so terse and useless for so many
> years.
>
> I have sent email to this alias previously asking how I can help with this.
> It seems to me there should be an openssl docs forum where content from this
> eventually finds its way into the online docs themselves.
>
> A tool is only as good as people are able to use it.
>
> So let me get specific here – one simple specific question (of many that I
> have) that has me clueless:
>
> The command of:
> openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert
> ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass
> file:ssl\keys\Client_1_pwd.txt
>
> results in output containing:
> No client certificate CA names sent

This seems straightforward: the client expects a list of acceptable CAs for
the client certificate it should send. It got none. I suspect the reason is
that you haven't required client verification in the context in which Apache
is answering - it seems to be only enabled for certain URLs...

> from the docs for the s_client command, -cert option says:
> -cert certname
>
> The certificate to use, if one is requested by the server. The default is
> not to use a certificate.
>
> My guess from this is that this command is referring to the CLIENT SSL
> certificate - no? If my assumption is correct, then why am I getting this
> error? Or is this a notification of something normal and I should be
> looking elsewhere?
>
> I have checked the Apache httpd-ssl.cnf file I am using and verified that
> all the certificate related parts are filled in and I have verified the
> integrity of all the certificates referenced by it.
> I have been able to do straight one-way SSL with the server as well with
> both IE and Chrome browsers. Two-way SSL fails with the server logs
> indicating that the client “refused” the connection.
> I am using a self-signed CA which was used to sign the server
> certificate

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
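The reply above points at the usual cause of "No client certificate CA names sent": the server never sent a CertificateRequest in the handshake s_client reports on, so there was no CA list to print. With Apache mod_ssl that happens when SSLVerifyClient is set only inside a <Location> or <Directory> block, because mod_ssl then completes the initial handshake without asking for a certificate and only renegotiates after it has read the HTTP request and matched the path. The following is an added example, not configuration from the original thread or from the OpenSSL project; the hostname, file paths and the two-level CA chain are placeholders. It shows the per-path form that produces the message beside the vhost-wide form that does not; the two <VirtualHost> blocks are alternatives, not meant to be loaded together.

```apache
# Added example (not from the original thread): two ways of enabling client
# certificate verification in Apache mod_ssl. Hostname and paths are
# placeholders, not the poster's real configuration. Use ONE of the two
# <VirtualHost> blocks, not both.

# --- Form 1: verification enabled only for one URL path -------------------
# The first TLS handshake on this vhost does NOT include a CertificateRequest,
# so "openssl s_client" reports
#   No client certificate CA names sent
# mod_ssl renegotiates (and only then asks for the certificate) after it has
# seen the HTTP request and matched the <Location>.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/keys/server.key

    <Location /secure>
        SSLVerifyClient require
        SSLVerifyDepth 1
        # PEM file holding the CA(s) that signed the client certificates;
        # their subject names are what the server sends in CertificateRequest.
        SSLCACertificateFile /etc/ssl/certs/ca.crt
    </Location>
</VirtualHost>

# --- Form 2: verification required for the whole vhost -------------------
# The CertificateRequest is sent in the first handshake, so s_client prints
#   Acceptable client certificate CA names
# followed by the subject of ca.crt, and a client that presents no
# certificate (or one not chaining to ca.crt) is rejected at the TLS layer.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/keys/server.key

    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /etc/ssl/certs/ca.crt
</VirtualHost>
```

To check which form a server is running, connect with `openssl s_client -connect example.test:443 -CAfile ca.crt -cert client_1.crt -key client_1.key` and read the handshake summary: Form 2 prints "Acceptable client certificate CA names" with the CA subject and, if the client certificate chains to it, "Verify return code: 0 (ok)" on the server certificate side; Form 1 prints "No client certificate CA names sent" until you type an HTTP request for /secure into the session, at which point the renegotiation appears. Two OpenSSL-side details worth confirming at the same time: `-CApath` expects a directory of hash-named files (the layout `c_rehash` produces), so pointing it at a plain directory of .crt files yields no trust anchors, whereas `-CAfile` takes the PEM file directly; and the `-cert` file must be issued by a CA listed in SSLCACertificateFile, or the server will reject the handshake in Form 2 even though the CA names were sent.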