Your client is saying that it's failing the certificate verification of the server certificate. It's probably not using the CAfile that you passed to openssl s_client.
-Kyle H

On 8/5/2014 12:19 PM, Ted Byers wrote:
> I have Perl code, which uses a library that in turn uses openssl for
> HTTPS connections. I have been trying to use Wireshark to diagnose
> this, but I have yet to find a way to have it tell me what steps in
> the SSL handshaking are happening at a given time (client hello,
> server hello, &c.). Thus, I am having trouble seeing whether the
> problem is in my client not doing something right or the server not
> doing something right. I have not yet figured out how to have it
> export everything in a capture file in plain text so that I could
> copy/paste it in a note like this so you could see for yourself what
> is happening.
>
> I did get openssl s_client to connect properly, and here is the output
> from that (sanitized of the server operator's ID):
>
> ted@linux-jp04:~/Work/Projects/FirstData> openssl s_client -CAfile
> server-test.pem -cert client_test.pem -key client_test.key -connect
> n.n.n.n:8443
> CONNECTED(00000003)
> depth=1 C = LV, ST = Latvia, L = Riga, O = xxxxxxxxxxxxxxxxxx, CN =
> server-test, emailAddress = webmas...@xxxxxxxxxxxxxxxxxx.xxx
> verify return:1
> depth=0 C = LV, O = FDL, CN = lv-rtps-proxy-test.ne.1dc.com
> verify return:1
> ---
> Certificate chain
> 0 s:/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
>
> i:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
> 1
> s:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
>
> i:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> DELETED
> -----END CERTIFICATE-----
> subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
> issuer=/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
> ---
> Acceptable client certificate CA names
> /C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxx/CN=server-test/emailAddress=webmas...@xxxxxxxxxxxxxxxxxx.xxx
> /C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
> ---
> SSL handshake has read 3690 bytes and written 3700 bytes
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1
> Cipher : EDH-RSA-DES-CBC3-SHA
> Session-ID:
> 53E0DE54D7D7E928F177883E10447786C15133386DA3F0489796845673C70DEA
> Session-ID-ctx:
> Master-Key: DELETED
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1407245906
> Timeout : 300 (sec)
> Verify return code: 0 (ok)
> ---
>
> closed
> ted@linux-jp04:~/Work/Projects/FirstData>
>
>
> Now, here is the output I get from my Perl client (also sanitized):
>
> $url = https://n.n.n.n:8443/
> $scheme = https
> $self->{ssl_set} = 0
> $self->{ca_cert_dir} = .
> $self->{ca_cert_file} = server-test.pem
> $LWP::VERSION = 6.05
> Setting cert dir and file if available
> $self->{ssl_set} = 1
> DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 26349088
> DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected
> DEBUG: .../IO/Socket/SSL.pm:528: socket connected
> DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started
> DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown
> DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce
> timeout=180
> DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
> DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
> DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
> wants a read first
> DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
> DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
> DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
> DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
> wants a read first
> DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
> DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
> DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
> DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL
> wants a read first
> DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
> DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968
> DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136
> DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136
> DEBUG: .../IO/Socket/SSL.pm:1549: identity=n.n.n.n
> cn=lv-rtps-proxy-test.ne.1dc.com alt=
> DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
> DEBUG: .../IO/Socket/SSL.pm:1757: SSL connect attempt failed
>
> DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt
> failed error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> DEBUG: .../IO/Socket/SSL.pm:2537: free ctx 26349088 open=26349088
> DEBUG: .../IO/Socket/SSL.pm:2542: free ctx 26349088 callback
> DEBUG: .../IO/Socket/SSL.pm:2549: OK free ctx 26349088
> 2014/08/05 10:03:05> [http client] communication error: 500 Can't
> connect to n.n.n.n:8443 (certificate verify failed)
> 500 Can't connect to n.n.n.n:8443 (certificate verify failed)
> ted@linux-jp04:~/Work/Projects/FirstData>
>
>
> The error "SSL routines:SSL3_GET_SERVER_CERTIFICATE" seems self
> explanatory, but what I can't figure out is why communication happens
> properly when I use openssl s_client, with the CA authority cert and
> the client side cert and key, but I can't successfully get the server
> cert, even though my perl code provides the same information,
> ultimately to openssl library code.
>
> I can post my Perl code, if there is someone in this forum who knows
> Perl, and especially the libraries used to handle HTTPS communications
> (and how to get better debugging information from them - I have
> IO::SOCKET::SSL DEBUG variable set to 3, which is the highest debug
> level available, providing the most information, available, according
> to the docs).
>
> I would appreciate advice on the best way of using Wireshark to
> provide useful, actionable information; or advice on how to provide
> the Wireshark logs to you in a way that is useful to you in helping me
> debug this. I have the CA root cert, used to sign both the server's
> cert and the client cert, and obviously, I have both the client's key
> and cert, if any of these files can be used to help Wireshark provide
> more useful information; but I have no idea how to tell Wireshark to
> use them, if in fact using them would be useful (I started working
> with Wireshark this past Friday).
>
> Thanks
>
> Ted
>
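An added example, not Ted's client and not code from anyone in this thread: a minimal IO::Socket::SSL connection in which every input to server-certificate verification is stated explicitly, so that a failure can be traced to one named check rather than to a library default. The debug output quoted above records the two checks IO::Socket::SSL runs on the server certificate: the chain check against the CA file (the `ok=1` lines) and the name check (`identity=n.n.n.n` compared against `cn=lv-rtps-proxy-test.ne.1dc.com`). The host, port, file names and expected CN below are constructed from the sanitized values in the thread and must be replaced; `tls_connect` is a hypothetical helper; the `SSL_*` option names are IO::Socket::SSL's own.

```perl
#!/usr/bin/perl
# Added example; not Ted's client or any code from this thread.
use strict;
use warnings;
use IO::Socket::SSL;   # default import supplies SSL_VERIFY_PEER

# Constructed values: substitute the real host, port and file names.
my %cfg = (
    host          => 'n.n.n.n',                        # address actually dialled
    port          => 8443,
    ca_file       => 'server-test.pem',                # CA that issued the server cert
    client_cert   => 'client_test.pem',
    client_key    => 'client_test.key',
    expected_name => 'lv-rtps-proxy-test.ne.1dc.com',  # CN the server cert carries
);

# Open a verified TLS connection (hypothetical helper). Each verification
# input is named explicitly, so nothing depends on library defaults or on
# whichever CA bundle happens to be installed on the system.
sub tls_connect {
    my %c = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $c{host},
        PeerPort            => $c{port},
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_ca_file         => $c{ca_file},       # chain is checked against this file only
        SSL_cert_file       => $c{client_cert},   # client authentication, the same
        SSL_key_file        => $c{client_key},    #   inputs as s_client -cert/-key
        SSL_verifycn_scheme => 'http',            # HTTPS rules for matching the name
        # When the peer is given as an IP address, the identity compared with
        # the certificate is that IP unless told otherwise; naming the host the
        # certificate was issued to makes the name check deterministic.
        SSL_verifycn_name   => $c{expected_name},
        SSL_hostname        => $c{expected_name}, # SNI, so a name-based server serves the right cert
        Timeout             => 30,
    ) or die "TLS connect to $c{host}:$c{port} failed: "
             . IO::Socket::SSL->errstr . "\n";
    return $sock;
}

my $sock = tls_connect(%cfg);
printf "negotiated %s, cipher %s\n", $sock->get_sslversion, $sock->get_cipher;
printf "server certificate CN: %s\n", $sock->peer_certificate('cn');
$sock->close(SSL_ctx_free => 1);
```

With LWP 6.x the same `SSL_*` keys can be passed through `LWP::UserAgent->new(ssl_opts => { verify_hostname => 1, ... })`, which is how an LWP-based client reaches IO::Socket::SSL. Setting `IO::Socket::SSL::DEBUG=3` as Ted did prints the chain and name checks as they run, which is the quickest way to see which of the two rejected the certificate. The point of pinning `SSL_verifycn_name` is that it keeps verification switched on; disabling `verify_hostname` or setting `SSL_VERIFY_NONE` would make the error disappear while also removing the protection the check exists to provide.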