Hello,

My answers below.

> I am testing IP ROHC on cent OS boxes. Installed software version is
> iprohc-main. Installed server and client on two different cent os
> boxes(centos 7.1). Created certificates for client and server as per
> below URL.
>
> http://rohc-lib.org/wiki/doku.php?id=iprohc-run
>
> Started the server successfully, When IP ROHC client is connected with
> Server using below command
> iprohc_client --remote x.x.x.x --port 3126 --dev iprohc -b eth0 --p12
> /etc/pki/CA/certs/IpRohcClient1/client1.p12, server is throwing below
> errors as below.
>
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [main] new connection
> from client
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [main] will store
> client 1/50 at index 0
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [104.131.12.124] new
> connection from 104.131.12.124:51237
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: start of thread
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: TLS handshake succeeded
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: certificate cannot be
> verified (status 66)
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: - unable to trust
> certificate issuer
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: close TLS session
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: end of thread
>
> Please suggest me.

According to GnuTLS documentation, status 66 means that: "The certificate's issuer is not known. This is the case if the issuer is not included in the trusted certificate list."

When you created the certificates, did you use the "-certfile demoCA/cacert.pem" option for the "openssl pkcs12" command as specified in the wiki page https://rohc-lib.org/wiki/doku.php?id=iprohc-run ? This is needed for both server and client.

If unsure, ask OpenSSL to display the content of the PKCS#12 files:

$ openssl pkcs12 -in demoCA/certs/IpRohcServer/newcert.p12 -info
$ openssl pkcs12 -in demoCA/certs/IpRohcClient1/newcert.p12 -info

They should both contain 2 certificates and one encrypted private key.

If not, delete them and re-run the "openssl pkcs12" command with all arguments. If yes, then please ensure that you used the same CA for both client and server.

Regards,
Didier
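The check described in the reply above, as an added example that is not part of the original thread or of the IP/ROHC project: a shell function that reads the text printed by `openssl pkcs12 -in FILE.p12 -info` and confirms the bundle holds 2 certificates and 1 encrypted private key. It goes one step beyond the reply by also checking that the issuer of the non-CA certificate is present in the bundle. The function names, the sample dump and its DNs are constructed for illustration, and the CA certificate is assumed to be self-signed.

```shell
# Added example: reads on stdin the text printed by
#   openssl pkcs12 -in FILE.p12 -info
# Exit status 0 only if: 2 certificates, 1 encrypted private key, and the
# issuer of every non-self-signed certificate is also in the bundle.
p12_dump_check() {
    awk '
        /^subject=/ { n++; subj[n] = $0; sub(/^subject= */, "", subj[n]) }
        /^issuer=/  { iss[n] = $0; sub(/^issuer= */, "", iss[n]) }
        /^-----BEGIN CERTIFICATE-----/           { certs++ }
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { keys++ }
        END {
            ok = (certs == 2 && keys == 1)
            for (i = 1; i <= n; i++) {
                if (subj[i] == iss[i]) continue   # self-signed entry: the CA (assumption)
                found = 0
                for (k = 1; k <= n; k++) if (subj[k] == iss[i]) found = 1
                if (!found) ok = 0
                printf "issuer=%s in_bundle=%s\n", iss[i], (found ? "yes" : "no")
            }
            printf "certificates=%d encrypted_keys=%d\n", certs, keys
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample dump (DNs and base64 bodies are placeholders, not real data).
sample_dump() {
    cat <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
subject=C = FR, O = Example, CN = IpRohcClient1
issuer=C = FR, O = Example, CN = Example Demo CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=C = FR, O = Example, CN = Example Demo CA
issuer=C = FR, O = Example, CN = Example Demo CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
EOF
}
sample_dump | p12_dump_check
```

On a real file, pipe the OpenSSL output into the function, for example `openssl pkcs12 -in demoCA/certs/IpRohcClient1/newcert.p12 -info | p12_dump_check`. The `issuer=` line it prints should be identical for the client and the server files when both were signed by the same CA.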

