Hi people, in a very clean and simple scenario, via the web UI, I asked OpenXPKI to generate certificates.

My understanding until now is that somehow the server is not offering any cipher the client can work with, but I don't know what I should do to make it work.

1 - Working scenario: Requesting an RSA certificate

What I do:

tail -f /var/log/openxpki/*.log

I asked OpenXPKI to generate an RSA certificate (testrsa01.crt), selecting these options in the UI:

Certificate Profile: TLS/Web Server - Subject Style: Default profile style
Generate key on PKI
Key Algorithm: RSA - Key Encryption Method: AES 256bit - Key length: 2048

I approved the request and simulated a web server with:

openssl s_server -cert testrsa01.crt -key testrsa01.pem -www -accept 4443

and connected to it with:

openssl s_client -connect 172.31.1.9:4443

getting, as expected:

CONNECTED(00000003)
depth=0 C = BR, ST = Santa Catarina, L = Schroeder, O = MySampleINC, OU = MySampleINCUnit, CN = testrsa01.mysampleinc.inc
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = BR, ST = Santa Catarina, L = Schroeder, O = MySampleINC, OU = MySampleINCUnit, CN = testrsa01.mysampleinc.inc
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = BR, ST = Santa Catarina, L = Schroeder, O = MySampleINC, OU = MySampleINCUnit, CN = testrsa01.mysampleinc.inc
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=BR/ST=Santa Catarina/L=Schroeder/O=MySampleINC/OU=MySampleINCUnit/CN=testrsa01.mysampleinc.inc
   i:/C=BR/ST=Santa Catarina/L=Schroeder/O=MySampleINC/OU=MySampleINCUnit/CN=MySampleINCSignerRSA/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIIjDCCBnSgAwIBAgIKAf8LMc+tV+yStDANBgkqhkiG9w0BAQsFADCBuTELMAkG
A1UEBhMCQlIxFzAVBgNVBAgTDlNhbnRhIENhdGFyaW5hMRIwEAYDVQQHEwlTY2hy
b2VkZXIxFDASBgNVBAoTC015U2FtcGxlSU5DMRgwFgYDVQQLEw9NeVNhbXBsZUlO
Q1VuaXQxHTAbBgNVBAMTFE15U2FtcGxlSU5DU2lnbmVyUlNBMS4wLAYJKoZIhvcN
AQkBFh9NeVNhbXBsZUlOQ3Jvb3RAbXlzYW1wbGVpbmMuaW5jMB4XDTE5MDgwNTEz
NDQwOFoXDTIwMDIwNTEzNDQwOFowgY4xCzAJBgNVBAYTAkJSMRcwFQYDVQQIDA5T
YW50YSBDYXRhcmluYTESMBAGA1UEBwwJU2Nocm9lZGVyMRQwEgYDVQQKDAtNeVNh
bXBsZUlOQzEYMBYGA1UECwwPTXlTYW1wbGVJTkNVbml0MSIwIAYDVQQDDBl0ZXN0
cnNhMDEubXlzYW1wbGVpbmMuaW5jMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAvuXT/AHu7/Oll7L4Glvn7Ab6EESZY01p+CQ+HBJXAHig+f/t/CnGIaCo
moI7K6AMz7rrMNlp6AbnB8bt0olnNXRo2xsjAo97G+/1YmUr43jeeiEyPj90i7P+
4WQHTgxRceaX+VrpFvnRN+qTvPU22pP+WWydh+GqtKOnWBgrRzr/sL1qjwB4oM+M
ipEJamdbXQXm+4CugZaiVhIF3rYk/mP5bDmI6vUhjm9dwYmoWhJjCpAPhrFi9OgD
gIrNLq8lw4+Rzlu2pp+rwwcON3WE6MhoW71jt+TSFob69vjYBMmsK1N0+b4kxFxj
G4bmVaNVP4R6opBpcTeouC/MsslFVwIDAQABo4IDvTCCA7kwaQYIKwYBBQUHAQEE
XTBbMDEGCCsGAQUFBzAChiVodHRwOi8vY3JsLm15c2FtcGxlaW5jLmluYy9jYWNl
cnQuY3J0MCYGCCsGAQUFBzABhhpodHRwOi8vY3JsLm15c2FtcGxlaW5jLmluYzCB
6AYDVR0jBIHgMIHdgBSuwk7apJzShnYHLPC8oOZYNtjfSKGBuqSBtzCBtDELMAkG
A1UEBhMCQlIxFzAVBgNVBAgTDlNhbnRhIENhdGFyaW5hMRIwEAYDVQQHEwlTY2hy
b2VkZXIxFDASBgNVBAoTC015U2FtcGxlSU5DMRgwFgYDVQQLEw9NeVNhbXBsZUlO
Q1VuaXQxGDAWBgNVBAMTD015U2FtcGxlSU5DUk9PVDEuMCwGCSqGSIb3DQEJARYf
TXlTYW1wbGVJTkNyb290QG15c2FtcGxlaW5jLmluY4IIJe7Wg+ohtkowDAYDVR0T
AQH/BAIwADA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLm15c2FtcGxlaW5j
LmluYy9teXNhbXBsZWluYy5jcmwwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwEwCQYD
VR0SBAIwADAOBgNVHQ8BAf8EBAMCBaAwOQYJYIZIAYb4QgEEBCwWKmh0dHA6Ly9j
cmwubXlzYW1wbGVpbmMuaW5jL215c2FtcGxlaW5jLmNybDA5BglghkgBhvhCAQME
LBYqaHR0cDovL2NybC5teXNhbXBsZWluYy5pbmMvbXlzYW1wbGVpbmMuY3JsMGsG
CWCGSAGG+EIBDQReFlxUaGlzIGlzIGEgZ2VuZXJpYyBjZXJ0aWZpY2F0ZS4gR2Vu
ZXJhdGVkIHdpdGggT3BlblhQS0kgdHJ1c3RjZW50ZXIgc29mdHdhcmUgZm9yIE15
U2FtcGxlSU5DLjCBqQYDVR0gBIGhMIGeMAUGAyoDBTCBlAYDKgMEMIGMMCgGCCsG
AQUFBwIBFhxodHRwOi8vb3Blbnhwa2kub3JnL2Nwcy5odG1sMCgGCCsGAQUFBwIB
FhxodHRwOi8vb3Blbnhwa2kubmV0L2Nwcy5odG1sMDYGCCsGAQUFBwICMCoaKFRo
aXMgaXMgYSBjb21tZW50IGZvciBwb2xpY3kgb2lkIDEuMi4zLjQwNQYDVR0RBC4w
LIIJbG9jYWxob3N0ghl0ZXN0cnNhMDEubXlzYW1wbGVpbmMuaW5jhwR/AAABMB0G
A1UdDgQWBBQYJ8WEiSKLxn6NEdC60JnqnfFf8jANBgkqhkiG9w0BAQsFAAOCAgEA
n9jXmCF69cX269Lq4XWSxExSPwCduHJVgQyEXgQ6jvrTonlnbMbgZzWSi6qM73tZ
1SIM1A0QsMBjxu6xZFQBpQSRWEbFW+r/jWt0FDqTsXwtuHm3Z+Ne7fAzhxWq9yGA
TEb3xCVA51rkjnBN3EivXkpHMaV9JjwebygwbbUBJbhw3IfXlHbdFXXBgHazbekL
0Ja4NJkTJkko4GiSwqY/OsSCb3pOXqMyM42sed75giiHvG7heLfVLbweeewqmT9C
e1AbZGdEBt5yw5BGlnpBrQjR0xOzYnP52CgfZf2aPW9KbX4ADFqI8lkEJ48BfmaX
5OXDErxUKeUKg5uZx5nkM6aopmYSOMgD09h+xM07iFf4isCbsquACt+qLRMe6zRR
USW+nNNWezK/05NaWDw2IUWYMRM/ToLuOtxSXcDmZx51OpDY5+VMEqgSOwi8pRPB
ThcnmH9V+zQWyEKs8HYGx48XEwjAt7GCN5h/HQ//LSP1uqoRkUBjpIz5lBBxdtI3
ZTDyyRFIjXHd24JKgvdEloRaZ+kJZjyAlRnyZ4/B2IjzYGCpeVggZcqHQrZ8qaAm
voFexfYAK3RTlTl4YkPdtwZTUJ4zObvGDPugvQvk2o1U6f1exAlJErdOl+MbjzvG
IHHvgquObKhkA0IBIz3Mf/iodvafLt1WxFi5BrEHEV8=
-----END CERTIFICATE-----
subject=/C=BR/ST=Santa Catarina/L=Schroeder/O=MySampleINC/OU=MySampleINCUnit/CN=testrsa01.mysampleinc.inc
issuer=/C=BR/ST=Santa Catarina/L=Schroeder/O=MySampleINC/OU=MySampleINCUnit/CN=MySampleINCSignerRSA/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 2851 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 28604CDA8EAE5F55411B200D5F4D58C4CCEF6AF89256774E4A00F1D3830C298C
    Session-ID-ctx:
    Master-Key: 44D9F1B6D2D452FAAD41FE708547E0BFB38C51A5CA6FF1885DB2F09CD378C77D23198B53C2B11C14A0064A01EA4D965A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e0 40 94 7b 5c ce 1a ae-ae 68 37 03 2c 31 66 d1   .@.{\....h7.,1f.
    0010 - eb 9a fe 86 b7 33 f7 67-d9 7c 5a 92 86 47 5d c1   .....3.g.|Z..G].
    0020 - 4e bb 65 73 12 1e 4b 94-1d a1 21 1a 15 4f d4 59   N.es..K...!..O.Y
    0030 - 5a a7 72 c7 e3 f5 e3 79-4d 66 e7 4d 17 be 10 2a   Z.r....yMf.M...*
    0040 - 08 58 62 c4 ec 86 3a e6-33 ef ac dc 1e 15 5b c6   .Xb...:.3.....[.
    0050 - 33 4c 4a ac 18 e9 d9 da-72 40 2a 3e 82 22 c1 2b   3LJ.....r@*>.".+
    0060 - e4 fb d8 20 70 ef fb 4d-4a bd 1e c0 1d 24 31 2c   ... p..MJ....$1,
    0070 - 5c 12 5d ab 7f 95 41 a3-1f e6 aa 5f 5b 10 da 96   \.]...A...._[...
    0080 - ad f5 bd b9 3f 91 ea 20-e0 91 07 b2 90 b8 59 78   ....?.. ......Yx
    0090 - 32 4c c9 32 7a f9 82 e3-cc 02 42 d1 e0 28 4b 7b   2L.2z.....B..(K{

    Start Time: 1565017454
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
read:errno=0

----------------------------

2 - NOT working scenario: Requesting an EC certificate (but I don't see anything suspicious in the logs)

What I do:

tail -f /var/log/openxpki/*.log

Then I ask OpenXPKI to generate an EC certificate (testec01.crt):

Key Algorithm: Elliptic Curve - Key Encryption Method: AES 256bit - Curve name: I18N_OPENXPKI_UI_KEY_CURVE_NAME_PRIME256V1

Then I simulated a web server with testec01.crt (this time on another port, to leave the other one running):

openssl s_server -cert testec01.crt -key testec01.pem -www -accept 5443

I connect to test this new server with:

openssl s_client -connect 172.31.1.9:5443

and get this:

CONNECTED(00000003)
139808514664080:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1565017615
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

cat testec01.crt

-----BEGIN CERTIFICATE-----
MIIIszCCBpugAwIBAgIKAv9pO28G0p/v/DANBgkqhkiG9w0BAQsFADCBuTELMAkG
A1UEBhMCQlIxFzAVBgNVBAgTDlNhbnRhIENhdGFyaW5hMRIwEAYDVQQHEwlTY2hy
b2VkZXIxFDASBgNVBAoTC015U2FtcGxlSU5DMRgwFgYDVQQLEw9NeVNhbXBsZUlO
Q1VuaXQxHTAbBgNVBAMTFE15U2FtcGxlSU5DU2lnbmVyUlNBMS4wLAYJKoZIhvcN
AQkBFh9NeVNhbXBsZUlOQ3Jvb3RAbXlzYW1wbGVpbmMuaW5jMB4XDTE5MDgwNTE0
NTYyNFoXDTIwMDIwNTE0NTYyNFowgY0xCzAJBgNVBAYTAkJSMRcwFQYDVQQIDA5T
YW50YSBDYXRhcmluYTESMBAGA1UEBwwJU2Nocm9lZGVyMRQwEgYDVQQKDAtNeVNh
bXBsZUlOQzEYMBYGA1UECwwPTXlTYW1wbGVJTkNVbml0MSEwHwYDVQQDDBh0ZXN0
ZWMwMS5teXNhbXBsZWluYy5pbmMwggFLMIIBAwYHKoZIzj0CATCB9wIBATAsBgcq
hkjOPQEBAiEA/////wAAAAEAAAAAAAAAAAAAAAD///////////////8wWwQg////
/wAAAAEAAAAAAAAAAAAAAAD///////////////wEIFrGNdiqOpPns+u9VXaYhrxl
HQawzFOw9jvOPD4n0mBLAxUAxJ02CIbnBJNqZnjhE50mt4GffpAEQQRrF9Hy4SxC
R/i85uVjpEDydwN9gS3rM6D0oTlF2JjClk/jQuL+Gn+bjufrSnwPnhYrzjNXazFe
zsu2QGg3v1H1AiEA/////wAAAAD//////////7zm+q2nF56E87nKwvxjJVECAQED
QgAEcNR0Xv/zwJIzb803StNmerV1LRKgYuG6fitgQjT+zxQbB6ySrCnm2hAxDCrd
J3f4R0iUqPQIYgOTsId+cY4UiqOCA7wwggO4MGkGCCsGAQUFBwEBBF0wWzAxBggr
BgEFBQcwAoYlaHR0cDovL2NybC5teXNhbXBsZWluYy5pbmMvY2FjZXJ0LmNydDAm
BggrBgEFBQcwAYYaaHR0cDovL2NybC5teXNhbXBsZWluYy5pbmMwgegGA1UdIwSB
4DCB3YAUrsJO2qSc0oZ2ByzwvKDmWDbY30ihgbqkgbcwgbQxCzAJBgNVBAYTAkJS
MRcwFQYDVQQIEw5TYW50YSBDYXRhcmluYTESMBAGA1UEBxMJU2Nocm9lZGVyMRQw
EgYDVQQKEwtNeVNhbXBsZUlOQzEYMBYGA1UECxMPTXlTYW1wbGVJTkNVbml0MRgw
FgYDVQQDEw9NeVNhbXBsZUlOQ1JPT1QxLjAsBgkqhkiG9w0BCQEWH015U2FtcGxl
SU5Dcm9vdEBteXNhbXBsZWluYy5pbmOCCCXu1oPqIbZKMAwGA1UdEwEB/wQCMAAw
OwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5teXNhbXBsZWluYy5pbmMvbXlz
YW1wbGVpbmMuY3JsMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMBMAkGA1UdEgQCMAAw
DgYDVR0PAQH/BAQDAgWgMDkGCWCGSAGG+EIBBAQsFipodHRwOi8vY3JsLm15c2Ft
cGxlaW5jLmluYy9teXNhbXBsZWluYy5jcmwwOQYJYIZIAYb4QgEDBCwWKmh0dHA6
Ly9jcmwubXlzYW1wbGVpbmMuaW5jL215c2FtcGxlaW5jLmNybDBrBglghkgBhvhC
AQ0EXhZcVGhpcyBpcyBhIGdlbmVyaWMgY2VydGlmaWNhdGUuIEdlbmVyYXRlZCB3
aXRoIE9wZW5YUEtJIHRydXN0Y2VudGVyIHNvZnR3YXJlIGZvciBNeVNhbXBsZUlO
Qy4wgakGA1UdIASBoTCBnjAFBgMqAwUwgZQGAyoDBDCBjDAoBggrBgEFBQcCARYc
aHR0cDovL29wZW54cGtpLm9yZy9jcHMuaHRtbDAoBggrBgEFBQcCARYcaHR0cDov
L29wZW54cGtpLm5ldC9jcHMuaHRtbDA2BggrBgEFBQcCAjAqGihUaGlzIGlzIGEg
Y29tbWVudCBmb3IgcG9saWN5IG9pZCAxLjIuMy40MDQGA1UdEQQtMCuCGHRlc3Rl
YzAxLm15c2FtcGxlaW5jLmluY4IJbG9jYWxob3N0hwR/AAABMB0GA1UdDgQWBBRG
xN52FK84iP+kGN1I84fFD4KbRzANBgkqhkiG9w0BAQsFAAOCAgEALLNbx8kHhT+n
49O8kysaHvN4jea3aUsVGkBZnGMSs22bvCqkBZd8pqAfRvkXJfX2HEpChHKTJgGW
4kzmeL/kgYNVfrNoJib3SHnwGlq/UwYcHznfuGrFz+yRn+ECZvVEPgmmzyUvaicv
v9nxmIX3bsiPScfGkf/wifBd0tPzG9t7RChwxbeXZwU3NPd9TLV1OAuPsMIOtucu
cxjM7QLFCmq65hDdFZpSoI01aRQclnYFB0ZTeNvTNAVLzteOzDpz4icCKvjanTUd
pNXncxtueE1DxhAdMKeO/v5arHD1jLOJzr5RH/v1jFeSGcpQJAZQXwZDb8cZhXLH
3wQCnRF1yywh2raRVXtEL6lNLwo6bq29h0uPhWpeXUrPAJS9T8c3a2JqAGXTpiBL
cTsNJQDgEcDVN7pZ2uslqdQvw86fFTqRr+X/vkR+ih1NkuQlGvxoU5YU8jMwS/zl
rZY5K57qKEgqZsJh4Hdg9AVMiz14b719CT8aYvuQJ7pItwR21AWhnT0hCiPJVq2O
ypqAUATDCQ4BNvx8tbGgo1fFz3z6YxyuVh+a5iRDibLwtOnBO2SMbfdkjTmpfqVs
jn8MpTcPXVXKRk2S1F4Oi4QFaxWZybATYOGDnZnrHUFpQz534TeVkfgm+Mr9FDEJ
Vv4Kp5b4w3u/AMPvHod1HYEfV18LlSA=
-----END CERTIFICATE-----
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
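Editor's note and added example, not part of the original post and not OpenXPKI code. The check worth running before blaming cipher negotiation is on the certificate itself. Decoding the SubjectPublicKeyInfo of the posted testec01.crt (the bytes starting at MIIBAwYHKoZIzj0CATCB9w...) gives the ecPublicKey OID followed not by the prime256v1 OID but by a full explicit ECParameters SEQUENCE: version 1, fieldID {prime-field, the P-256 prime}, curve {a, b, seed}, the P-256 generator as base point, the P-256 order and cofactor 1. The RSA cert from scenario 1 has an ordinary rsaEncryption SPKI. TLS negotiates elliptic curves only by the named-curve identifiers of the supported_groups extension (RFC 4492, RFC 8422), so OpenSSL cannot match an EC server key with explicitly encoded parameters to any ECDSA cipher suite; s_server then has no usable cipher and the client sees exactly the "sslv3 alert handshake failure" shown above. The same difference is visible with `openssl x509 -in testec01.crt -noout -text`: a named-curve key prints "ASN1 OID: prime256v1", an explicit one dumps "Field Type: prime-field" and the raw parameters. The script below is a self-contained, stdlib-only Python DER walker that classifies an SPKI as RSA, EC with namedCurve, or EC with explicit parameters. The two sample SPKIs it builds are constructed inline from the published P-256 constants, with the generator point standing in for a real public key (a constructed stand-in, labelled in the code); `spki_from_cert_pem()` is there so you can run it on a real file such as testec01.crt.

```python
# Classify the key in an X.509 SubjectPublicKeyInfo (SPKI): RSA, EC with a
# namedCurve OID, or EC with explicit ECParameters. Minimal DER walker, stdlib only.
import base64

EC_PUBLIC_KEY, PRIME_FIELD = "1.2.840.10045.2.1", "1.2.840.10045.1.1"
RSA_ENCRYPTION, P256_OID = "1.2.840.113549.1.1.1", "1.2.840.10045.3.1.7"
NAMED_CURVES = {P256_OID: "prime256v1", "1.3.132.0.34": "secp384r1", "1.3.132.0.35": "secp521r1"}
# Published P-256 domain parameters (SEC 2): used to recognise an explicit encoding
# and to build the constructed sample SPKIs below.
P256 = dict(
    p=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    a=0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    gx=0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    gy=0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    seed=bytes.fromhex("C49D360886E704936A6678E1139D26B7819F7E90"))

def tlv(tag, body):  # DER tag-length-value, short or long-form length
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_int(v):  # unsigned INTEGER; a leading 0x00 keeps a set high bit positive
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)

def encode_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:  # base-128 with the continuation bit on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):  # -> (tag, value, position after this element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):  # every (tag, value) element inside a constructed value
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def explicit_p256_params():  # the ECParameters layout seen in the posted testec01.crt
    c = P256
    field = tlv(0x30, encode_oid(PRIME_FIELD) + der_int(c["p"]))  # fieldID {prime-field, p}
    curve = tlv(0x30, tlv(0x04, c["a"].to_bytes(32, "big")) + tlv(0x04, c["b"].to_bytes(32, "big"))
                + tlv(0x03, b"\x00" + c["seed"]))
    base = tlv(0x04, b"\x04" + c["gx"].to_bytes(32, "big") + c["gy"].to_bytes(32, "big"))
    return tlv(0x30, der_int(1) + field + curve + base + der_int(c["n"]) + der_int(1))

def build_spki(params, point):  # params: encode_oid(P256_OID) or explicit_p256_params()
    return tlv(0x30, tlv(0x30, encode_oid(EC_PUBLIC_KEY) + params) + tlv(0x03, b"\x00" + point))

# Constructed stand-in for a real public key: the generator G itself (private scalar 1).
SAMPLE_POINT = b"\x04" + P256["gx"].to_bytes(32, "big") + P256["gy"].to_bytes(32, "big")

def describe_spki(spki):
    alg, _ = children(read_tlv(spki)[1])  # AlgorithmIdentifier, subjectPublicKey BIT STRING
    (_, oid_body), *rest = children(alg[1])
    alg_oid = decode_oid(oid_body)
    if alg_oid != EC_PUBLIC_KEY:
        return {"algorithm": "RSA" if alg_oid == RSA_ENCRYPTION else alg_oid,
                "tls_usable": alg_oid == RSA_ENCRYPTION}
    tag, params = rest[0]
    if tag == 0x06:  # namedCurve OID: the only form TLS can negotiate
        oid = decode_oid(params)
        return {"algorithm": "EC", "encoding": "namedCurve",
                "curve": NAMED_CURVES.get(oid, oid), "tls_usable": oid in NAMED_CURVES}
    if tag == 0x30:  # explicit ECParameters: version, fieldID, curve, base, order, cofactor
        p = int.from_bytes(children(children(params)[1][1])[1][1], "big")
        return {"algorithm": "EC", "encoding": "explicit", "tls_usable": False,
                "looks_like": "prime256v1" if p == P256["p"] else f"unknown {p.bit_length()}-bit curve"}
    return {"algorithm": "EC", "encoding": "implicitlyCA", "tls_usable": False}

def spki_from_cert_pem(pem):  # e.g. describe_spki(spki_from_cert_pem(open("testec01.crt").read()))
    der = base64.b64decode("".join(l.strip() for l in pem.splitlines()
                                    if l.strip() and not l.startswith("-----")))
    fields = children(children(read_tlv(der)[1])[0][1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # skip the explicit [0] version when present
        fields = fields[1:]
    return tlv(*fields[5])  # serial, sigAlg, issuer, validity, subject, SubjectPublicKeyInfo
```

Run against the posted testec01.crt, `describe_spki(spki_from_cert_pem(...))` reports `encoding: explicit, looks_like: prime256v1, tls_usable: False`; the constructed named-curve SPKI of the same point is 91 bytes, the explicit one 335, and only the former is negotiable. The encoding is baked into the certificate because the CA signed the SPKI as submitted, so the key file alone cannot be patched: a private key can be re-encoded with `openssl ec -in testec01.pem -param_enc named_curve` and used for a fresh CSR, but the certificate has to be re-issued from a key whose parameters are the curve OID, not the explicit form.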
