Crypt::SSLeay - net_ssl_test - Perl

2002-06-06 Thread John Lien

Hi.

When using the net_ssl_test script I get this error:

== FAILED TO CONNECT ==
Error: SSL negotiation failed: error:1407E086:SSL
routines:SSL2_SET_CERTIFICATE:certificate verify failed at

In one test case it seems to work; in the other it fails.  I'm not sure
where I went wrong.  The details of what I've done are below.

SECTION 1 - shows the openssl commands I used to parse the PKCS12 file.
SECTION 2 - shows the script and output that runs well
SECTION 3 - shows the script and output that fails
SECTION 4 - shows my environment

I am behind a firewall, but we don't use a proxy.  I'd greatly appreciate any
help.

Thanks,
John


- SECTION 1 
I created my files like this:

pkcs12 -in dt.pfx -cacerts -nodes -nokeys -out dt_ca.crt
Enter Import Password:
MAC verified OK
pkcs12 -in dt.pfx -clcerts -nodes -nokeys -out dt_cl.crt
Enter Import Password:
MAC verified OK
pkcs12 -in dt.pfx -nocerts -nodes -out dt.key
Enter Import Password:
MAC verified OK

I tested the cert files with these commands:
x509 -in dt_ca.crt -noout -text
x509 -in dt_cl.crt -noout -text
rsa -in dt.key -noout -text

and they seemed to pass.

- SECTION 2 

When I run this (HTTPS_CA* are commented out):

#!/usr/bin/ksh
#export HTTPS_CA_FILE='./dt_ca.crt';
#export  HTTPS_CA_DIR='.';
export HOST='https://www.nwoasis.org';
./net_ssl_test -cert=./dt_cl.crt -key=./dt.key -d GET $HOST


I get this output (which I think looks ok):

ieh1: dt_test.ksh
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
WEB SITE: www.nwoasis.org:443
CIPHER: RC4-MD5
THIS IS: /C=US/O=BONNEVILLE POWER ADMINISTRATION/OU=BONNEVILLE POWER
ADMINISTRATION/CN=www.nwoasis.org
CERTIFIED BY: /C=US/O=Digital Signature Trust Co./OU=TrustID
Server/CN=TrustID Server CA A5

SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Content-Location: https://206.137.58.66/index.html
Date: Wed, 05 Jun 2002 22:48:21 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 16 Nov 1999 22:18:40 GMT
ETag: 8de44898030bf1:311f5
Content-Length: 1038
...

- SECTION 3 

When I add in the HTTPS_CA variables and run this:

#!/usr/bin/ksh
export HTTPS_CA_FILE='./dt_ca.crt';
export  HTTPS_CA_DIR='.';
export HOST='https://www.nwoasis.org';
./net_ssl_test -cert=./dt_cl.crt -key=./dt.key -d GET $HOST

I get this output (which looks bad):

ieh1: digi_test.ksh
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello B
== FAILED TO CONNECT ==
Error: SSL negotiation failed: error:1407E086:SSL
routines:SSL2_SET_CERTIFICATE:certificate verify failed at
/usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris/Net/SSL.pm line 215.
;  at /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris/Net/SSL.pm line 146.


If you need to use a proxy, please pass it in as an argument like

  ./net_ssl_test -p 127.0.0.1:8080

which sets $ENV{HTTPS_PROXY} for you.

- SECTION 4 
Environment:
Perl v5.6.1
Solaris 8
Crypt-SSLeay-0.37
OpenSSL 0.9.6 24 Sep 2000
-

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Crypt::SSLeay - net_ssl_test - Perl

2002-06-06 Thread Keary Suska

on 6/6/02 9:45 AM, [EMAIL PROTECTED] purportedly said:

 Hi.
 
 When using the net_ssl_test script I get this error:
 WEB SITE: www.nwoasis.org:443
 CIPHER: RC4-MD5
 THIS IS: /C=US/O=BONNEVILLE POWER ADMINISTRATION/OU=BONNEVILLE POWER
 ADMINISTRATION/CN=www.nwoasis.org
 CERTIFIED BY: /C=US/O=Digital Signature Trust Co./OU=TrustID
 Server/CN=TrustID Server CA A5
 
 #!/usr/bin/ksh
 export HTTPS_CA_FILE='./dt_ca.crt';
 export  HTTPS_CA_DIR='.';
 export HOST='https://www.nwoasis.org';
 ./net_ssl_test -cert=./dt_cl.crt -key=./dt.key -d GET $HOST
 
 SSL_connect:error in SSLv3 read server certificate B
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2 write client hello A
 SSL_connect:error in SSLv2 read server hello B
 == FAILED TO CONNECT ==
 Error: SSL negotiation failed: error:1407E086:SSL
 routines:SSL2_SET_CERTIFICATE:certificate verify failed at
 /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris/Net/SSL.pm line 215.
 ;  at /usr/local/lib/perl5/site_perl/5.6.1/sun4-solaris/Net/SSL.pm line 146.

If I understand the process correctly, you must have the proper CA file for
the particular CA, in this case Digital Signature Trust Co. If you are
not acting as your own CA, you need to download the proper root CA from the
certificate vendor.

Keary Suska
(719) 473-6431
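The mismatch Keary points to, reproduced offline as an added example (not code from the thread or from Crypt::SSLeay): two throwaway CAs stand in for the client's issuer and the server's vendor, the Section 1 "pkcs12 -cacerts" extraction is repeated, and the resulting bundle is checked with "openssl verify" before anyone points HTTPS_CA_FILE at it. All subjects, file names and the pass:test password are made up for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. Reproduces the Section 3 failure
# offline: a bundle extracted from the client's PKCS12 with -cacerts holds the
# CA that issued the *client* certificate, so it cannot verify the *server*
# certificate that Net::SSL checks against HTTPS_CA_FILE. All test data is
# constructed on the fly with the openssl CLI.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: writes $WORK/<name>.key and $WORK/<name>.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# End-entity certificate <name> ($2) with subject $3, signed by CA $1
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# The check to run before using a bundle as HTTPS_CA_FILE: exit 0 = verifies
bundle_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Two unrelated CAs, as in the thread: one issued the client certificate
# shipped in dt.pfx, a different vendor CA issued the web server's cert.
make_ca client_ca "/O=Client Issuer/CN=Client CA"
make_ca server_ca "/O=Server Vendor/CN=Server CA"
issue_cert client_ca client "/CN=client-user"
issue_cert server_ca server "/CN=www.example.test"

# Same steps as Section 1: pack the client identity into a PKCS12, then
# pull the CA certs back out with -cacerts. What comes out is client_ca.
openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -certfile "$WORK/client_ca.crt" -passout pass:test -out "$WORK/dt.pfx"
openssl pkcs12 -in "$WORK/dt.pfx" -cacerts -nokeys -nodes \
    -passin pass:test -out "$WORK/dt_ca.crt"

report() {
    if bundle_verifies "$1" "$WORK/server.crt"; then
        echo "$1: verifies server cert, usable as HTTPS_CA_FILE"
    else
        echo "$1: certificate verify failed, wrong CA for this server"
    fi
}
report "$WORK/dt_ca.crt"      # the client's CA: fails
report "$WORK/server_ca.crt"  # the server's issuing CA: succeeds
```

The same check works against a live server: save the certificate "openssl s_client" shows and run bundle_verifies on it with the candidate HTTPS_CA_FILE.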

