SSL_do_handshake gets error WRONG VERSION NUMBER

2014-04-22 Thread zyf01...@gmail.com

I have made a program following this: "OpenSSL Read/Write Handshake data with 
Memory BIO". But now the function call SSL_do_handshake gets the error "wrong 
version number"; do you have any idea? Here is the sample code.

Client:

    SSL_set_bio(pssl, rbio, wbio);
    SSL_set_connect_state(pssl);

    SSL_do_handshake(pssl);
    length = BIO_read(wbio, buffer, length);

Server:

    SSL_CTX_load_verify_locations(global_sslctx, "cacerts.pem", NULL);
    SSL_CTX_use_certificate_file(global_sslctx, "cert.pem", SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(global_sslctx, "cert.pem", SSL_FILETYPE_PEM);
    BIO_write(SSL_get_wbio(pssl), pdata, length);

    if (!SSL_is_init_finished(pssl)) {
        SSL_do_handshake(pssl);
        printf("%s", ERR_reason_error_string(ERR_get_error()));
    }

And I have dumped the memory data of the client:

    16 03 01 00 de 01 00 00 da 03 01 9b dc 1e ef 4d f6 74 96 9b 8a 3f c0 3f
    de 37 4c 1b fa d7 d8 04 12 79 f9 bf 92 38 d8 59 c0 4f b4 00 00 68 c0 14
    c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f c0 05 00
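To see what the server side is actually being asked to parse, here is an added decoder (written for this page, not the poster's code and not part of OpenSSL) for the record header and the ClientHello fields in the dump above; it also raises the condition OpenSSL's record layer (ssl3_get_record) reports as SSL_R_WRONG_VERSION_NUMBER when the record version's major byte is not 3. It uses only the page's own bytes plus one constructed non-TLS blob in the comments.

```python
import struct

# The client-side dump quoted in the post above (truncated where the post
# truncates it). These are the page's own bytes, not constructed data.
CLIENT_DUMP = bytes.fromhex(
    "16 03 01 00 de 01 00 00 da 03 01 9b dc 1e ef 4d f6 74 96 9b 8a 3f c0 3f"
    " de 37 4c 1b fa d7 d8 04 12 79 f9 bf 92 38 d8 59 c0 4f b4 00 00 68 c0 14"
    " c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f c0 05 00"
)

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


class WrongVersionNumber(ValueError):
    """The record-layer sanity check OpenSSL's ssl3_get_record reports as
    SSL_R_WRONG_VERSION_NUMBER: the record version's major byte must be 3."""


def parse_client_hello_record(data: bytes) -> dict:
    """Decode a TLS record header and, for a ClientHello, its first fields.

    Tolerates a capture that stops inside the cipher-suite list, as the
    posted dump does, and reports how many suites actually arrived."""
    if len(data) < 5:
        raise ValueError("need at least the 5-byte record header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if major != 3:
        raise WrongVersionNumber(f"record version {major}.{minor} is not SSL3/TLS")
    info = {"content_type": CONTENT_TYPES.get(ctype, ctype),
            "record_version": (major, minor), "record_length": rec_len}
    if ctype != 22 or len(data) < 9:
        return info
    hs_type, hs_len = data[5], int.from_bytes(data[6:9], "big")
    # The handshake header is 4 bytes, so a whole record has hs_len + 4 == rec_len.
    info.update(handshake_type=hs_type, handshake_length=hs_len,
                lengths_consistent=(hs_len + 4 == rec_len))
    body = data[9:]
    if hs_type != 1 or len(body) < 37:  # only a ClientHello is decoded further
        return info
    info["client_version"] = (body[0], body[1])
    sid_len = body[34]  # follows 2 version bytes + the 32-byte client random
    pos = 35 + sid_len
    suites_len = int.from_bytes(body[pos:pos + 2], "big")
    suites = body[pos + 2:pos + 2 + suites_len]
    info.update(session_id_length=sid_len,
                cipher_suites_declared=suites_len // 2,
                cipher_suites_present=[int.from_bytes(suites[i:i + 2], "big")
                                       for i in range(0, len(suites) - 1, 2)],
                truncated=len(suites) < suites_len)
    return info
```

Run on the dump, the decoder reports a well-formed TLS 1.0 ClientHello (record length 222, 52 cipher suites declared, 10 present in the truncated capture), so the next thing to confirm is that these exact bytes are written into the server SSL object's read BIO (the rbio given to SSL_set_bio, returned by SSL_get_rbio), because SSL_get_wbio returns the BIO into which the SSL object writes its own outgoing records.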



RE: Verify Two Way SSL Certificates.

2014-04-22 Thread Dave Thompson
What exactly do you include in “correctly”?

As that entry (rightly) explains, the (or each) server must have a key & cert 
from a CA trusted by the client, and the (or each) client must have a key & cert 
from a CA trusted by the server. Most clients trust the “well-known” CAs like 
Verisign and GoDaddy and maybe 10-100 more depending on the client and OS. Some 
servers similarly trust well-known CAs, but sometimes the organization operating 
the server also operates or links to a particular CA to issue certs to its 
clients, and the SSL server trusts that CA. Most if not all clients and servers 
can be configured to change which CAs they trust.

As it says, the server must “request” the client cert; this is often a separate 
option. E.g. you must set “request client auth” AND “trust these client CAs: X, 
Y, Z”. Often there are several options like request but proceed if a client 
doesn’t agree, or request and refuse to proceed if the client doesn’t agree.

It isn’t said explicitly, but for most SSL/TLS applications and particularly 
HTTPS, the server cert must correctly name the server, and for most (sane) 
servers using client auth the client cert must correctly name the client.

For both one-way (server) auth and two-way (server+client) auth, if the cert is 
issued by a CA using an “intermediate” or “chain” cert – and certs from 
well-known CAs do – the server or client respectively should be configured with 
both the entity cert AND the correct intermediate cert (or sometimes a few of 
them). The CAs usually provide the needed intermediate(s) and instructions for 
use with common servers, but you have to pay attention to the instructions and 
follow them. (Although if you want to test/debug with commandline s_server, it 
does NOT directly support own-chain certs and you must sneak them in via the 
truststore.)

And last, but rarely important, the server cert and the client cert when used 
must be for keys using the same public key algorithm: RSA, ECDSA, DSA, ECDH, or 
DH. In practice almost everybody uses RSA and this is not a problem.

You can check these points directly, or you can try making a connection and, if 
it doesn’t work, look at the error(s) or other results that you get (such as 
selection of a different client cert than you expected).

Do you have a specific problem you want to diagnose?

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Kaushal Shriyan
Sent: Monday, April 21, 2014 10:14
To: openssl-users@openssl.org
Subject: *** Spam *** Verify Two Way SSL Certificates.

Hi,

Is there a way to test if 2 way ssl certs are installed correctly?

More Info :- 
http://stackoverflow.com/questions/10725572/two-way-ssl-clarification

Regards,

Kaushal



Re: serverFull and otherFull

2014-04-22 Thread Wim Lewis

On 21 Apr 2014, at 10:27 PM, Sri Ramya wrote:
> can anyone explain to me what is server full and the otherfull in openssl 
> terminology???


I think we need more context. Where are you seeing those terms?


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


How to include intermediate in pkcs12?

2014-04-22 Thread Edward Ned Harvey (openssl)
A bunch of things on the internet say to do -cafile intermediate.pem -cafile 
root.pem or -certfile intermediate.pem -certfile root.pem and they 
explicitly say that calling these command-line options more than once is ok and 
will result in both the certs being included in the final pkcs12...  But I have 
found this to be untrue.

I have found that if I concatenate intermediate & root into a single glom 
file, and then I specify -certfile once for the glom, then my pfx file will 
include the complete chain.  But if I use -certfile twice, I get no 
intermediate in my pfx.  And I just wasted more time than I care to describe, 
figuring this out.

So...  While concatenation/glom is a viable workaround, I'd like to know, 
what's supposed to work?  And was it a new feature introduced after a certain 
rev or something?   I have OpenSSL 0.9.8y command-line on Mac OSX, and OpenSSL 
1.0.1e command-line on cygwin.  I believe I've seen the same behavior in both.