RE: 2 Server certificates
transferred to and configured on server. (A user can connect the first time using e.g. password, use that connection to configure pubkey, and subsequently use publickey.)

> hope I made it clear
> good luck!
>
> - Original mail -
> From: Hafedh TRIMECHE hafedh.trime...@gmail.com
> To: openssl-users@openssl.org
> Sent: Fri, 13 Jun 2014 10:22:46 +0200 (CEST)
> Subject: Re: Re : Re: Re : Re: 2 Server certificates
>
> Hi Nicolas,
> [...]
>
> --
> View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50937.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Re : 2 Server certificates
On 6/13/2014 3:15 AM, nicolas@free.fr wrote:
> the fact is a server can only send a single certificate, however this one can be signed by multiple CAs

I wish. Unfortunately, it's a single certificate, signed by a single CA. Which itself can be signed by another single CA, and so on until the trust anchor is reached. This is a single certificate chain.

There are issues with having only a single certificate chain available. Most notably, if your CA becomes untrusted, you must change your CA and entire presented certificate chain.

-Kyle H
Re: Re : Re: Re : Re: 2 Server certificates
Hi Nicolas,

pit-ca issued another certificate to a client wanting to connect to the same server identified by secure.payerspot.com.

I'm looking for a solution allowing two clients to connect to the same server using certificates issued by different CAs. In this case the client forces the server verification by requesting its certificate. So the two server certificates must be sent to each client.

Certificate chain1 (issued by CA1)
 0 s:
   i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Certificate chain2 (issued by CA2)
 0 s:
   i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Can two certificates be presented to a client, which will identify the chained certificate to be verified?

Regards.

--
View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50937.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: Re : Re: Re : Re: 2 Server certificates
Hi Nicolas,

pit-ca issued another certificate to a client wanting to connect to the same server identified by secure.payerspot.com.

I'm looking for a solution allowing two clients to connect to the same server using certificates issued by different CAs. In this case the client forces the server verification by requesting its certificate. So the two server certificates must be sent to each client.

Certificate chain1 (issued by CA1)
 0 s:
   i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Certificate chain2 (issued by CA2)
 0 s:
   i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Regards.

- Original Message -
From: nicolas@free.fr
To: openssl-users@openssl.org
Date: Fri, 13 Jun 2014 02:02:51 +0200 (CEST)
Subject: Re : Re: Re : Re: 2 Server certificates

> Hi,
> sorry for the first answer, I didn't read in details :-/
> looking at your certificate chain, you are in fact trying to validate a certificate issued by RapidSSL using pit-ca
> [...]
Re : 2 Server certificates
Hi,

the fact is a server can only send a single certificate, however this one can be signed by multiple CAs
on the other side, a client has (in general) a list of trusted CAs, not a single one

so there are two options :
- either each client knows the two CAs, then the server can send a certificate signed by any of them
- or each client knows only about its own CA, then the server must send a certificate signed by both CAs
(note that this is symmetrical, the server verifies the client certificate the same way)

I've never heard about a server with multiple certificates, at least not with SSL/TLS protocols...

concerning the list of trusted CAs sent by the server to the client, it comes from the fact that a client can have multiple certificates, for different servers that can use their own CA
so it allows a client to choose the good certificate to send to a specific server

concerning the server, if it's in public access it uses a certificate issued by a well-known CA (for example one included in your browser)
if it's private, it can use its own CA or even a self-signed certificate, and the client has to recover the trusted certificates by itself (this happens the first time you connect to an SSH server for which you have no certificate, or on some websites)

hope I made it clear
good luck!

- Original mail -
From: Hafedh TRIMECHE hafedh.trime...@gmail.com
To: openssl-users@openssl.org
Sent: Fri, 13 Jun 2014 10:22:46 +0200 (CEST)
Subject: Re: Re : Re: Re : Re: 2 Server certificates

> Hi Nicolas,
> pit-ca issued another certificate to a client wanting to connect to the same server identified by secure.payerspot.com.
> [...]
Re: [SPAM?] Re : 2 Server certificates
https://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html

Load names of CAs from file and use it as a client CA list:

    SSL_CTX *ctx;
    STACK_OF(X509_NAME) *cert_names;
    ...
    cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
    if (cert_names != NULL)
        SSL_CTX_set_client_CA_list(ctx, cert_names);
    else
        error_handling();

The PKI used for a server certificate is not the same as the one used for client certificates.
- a server has a certificate (issued by whatever PKI)
- a server can request that a client presents a certificate; in order to do so, the protocol requires sending a list of issuers (of client certificates).

There is no relation between client certs and the server cert.

On 06/13/2014 12:15 PM, nicolas@free.fr wrote:
> Hi,
> the fact is a server can only send a single certificate, however this one can be signed by multiple CAs
> on the other side, a client have (in general) a list of trusted CAs, not a single one
> [...]
Re: 2 Server certificates
To handle CA cert chain, you can use SSL_CTX_add_extra_chain_cert..
Do you expect a certificate from the client?

- Saurabh

On Thu, Jun 12, 2014 at 7:09 AM, Hafedh TRIMECHE hafedh.trime...@gmail.com wrote:
> Hi,
>
> I would implement an OpenSSL Server which can handle authentication initiated by 2 client certificates issued by 2 CAs:
>
> Client1 CA1 Root1
> and
> Client2 CA2 Root2
>
> Please how to achieve mutual authentication using some APIs:
> - X509_STORE_add_cert
> - SSL_CTX_add_extra_chain_cert
> - SSL_CTX_add_client_CA
> to avoid the error 14094416 certificate unknown
>
> Regards
>
> --
> View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: 2 Server certificates
Yes, the client certificate is expected.

- Original Message -
From: Saurabh Pandya er.saurabhpan...@gmail.com
To: openssl-users openssl-users@openssl.org
Date: Thu, 12 Jun 2014 12:05:09 +0530
Subject: Re: 2 Server certificates

> To handle CA cert chain, you can use SSL_CTX_add_extra_chain_cert..
> are you expect certificate form client ?
> [...]
Re: 2 Server certificates
I used this Pascal procedure to handle other CAs:

    procedure TWEBStandaloneServer.InsertCA(CA, Root: UnicodeString);
    var
      x509: PX509;
    begin
      { The next four functions are only useful for TLS/SSL servers.
        f_SSL_CTX_add_client_CA      : function(C: PSSL_CTX; CaCert: PX509): Integer; cdecl = nil; //AG
        f_SSL_add_client_CA          : function(ssl: PSSL; CaCert: PX509): Integer; cdecl = nil; //AG
        f_SSL_CTX_set_client_CA_list : procedure(C: PSSL_CTX; List: PSTACK_OF_X509_NAME); cdecl = nil; //AG
        f_SSL_set_client_CA_list     : procedure(s: PSSL; List: PSTACK_OF_X509_NAME); cdecl = nil; //AG }
      CA := Trim(CA);
      Root := Trim(Root);
      if (CA = '') or (Root = '') then
        Exit;
      FCS.Lock;
      try
        // intermediate CA: add to the trust store, advertise its name to
        // clients, and append it to the chain sent with the server's own cert
        x509 := BlobToX509(CA);
        X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store), x509);
        SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext), x509);
        SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext), x509);
        // root CA: the same three calls
        x509 := BlobToX509(Root);
        X509_STORE_add_cert(Pointer(FSSLContext.fContext.cert_store), x509);
        SSL_CTX_add_client_CA(Pointer(FSSLContext.fContext), x509);
        SSL_CTX_add_extra_chain_cert(Pointer(FSSLContext.fContext), x509);
      except
        // return values and exceptions from the OpenSSL calls are not reported
      end;
      FCS.Unlock;
    end;

and I obtained this log. Please guide me to set up a suitable procedure to accept a connection from a client whose certificate is issued by the second CA (pit-ca), not RapidSSL CA.

Regards

    D:\Developer\Tools\SSL\OpenSSL>openssl s_client -showcerts -connect localhost:4430
    WARNING: can't open config file: /usr/local/ssl/openssl.cnf
    Loading 'screen' into random state - done
    CONNECTED(0170)
    depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = secure.payerspot.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = secure.payerspot.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 serialNumber = abcu8WWhYjl3NQaipWsZh5eFlY3Giv71, OU = GT82566018, OU = See www.rapidssl.com/resources/cps (c)13, OU = Domain Control Validated - RapidSSL(R), CN = secure.payerspot.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com
       i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    -----BEGIN CERTIFICATE-----
    MIIFLjCCBBagAwIBAgIDDfI5MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
    MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
    HhcNMTMwOTEwMjEyMDMyWhcNMTQwOTEyMjMwNDI2WjCBwzEpMCcGA1UEBRMgYWJj
    dThXV2hZamwzTlFhaXBXc1poNWVGbFkzR2l2NzExEzARBgNVBAsTCkdUODI1NjYw
    MTgxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
    KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
    U1NMKFIpMR0wGwYDVQQDExRzZWN1cmUucGF5ZXJzcG90LmNvbTCCASIwDQYJKoZI
    hvcNAQEBBQADggEPADCCAQoCggEBAMNR0N+FmQnQhgX9u3M101VWanDFoSy42IOO
    CdcgAfhbyfVKA1azIxDsRNvf2A50yPTJGKT54r8H53q0a26RLHjTICfLQnfw0ala
    o9DTC5zcZ0IoibTXC6XmxOsQyoOJ1qavgKUloZHFEj9uHWRKEAaUUX/nQ0x7nTlL
    uXhQrzWFAqCawA2pElvehrsdvQKlVbeXCKfKptDuNkMcDhMNQhDp9mBG8yNn5bd3
    zLxIs0R9H/SpeCS314xwj4MKwwcwV8wTt7heekASQ85/IMSp27HdlOTWZYNZZWdJ
    8EA6+wnhVpUxDgea/HG9GffSRc21hCSSBmxuQklLpYOmLww3YbECAwEAAaOCAa8w
    ggGrMB8GA1UdIwQYMBaAFGtpPWoYQkrdjwJlOf01JIZ4kRYwMA4GA1UdDwEB/wQE
    AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0RBBgwFoIU
    c2VjdXJlLnBheWVyc3BvdC5jb20wQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3Jh
    cGlkc3NsLWNybC5nZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0O
    BBYEFKQx20IXCPfRhermzmPBd4Qp+2xBMAwGA1UdEwEB/wQCMAAweAYIKwYBBQUH
    AQEEbDBqMC0GCCsGAQUFBzABhiFodHRwOi8vcmFwaWRzc2wtb2NzcC5nZW90cnVz
    dC5jb20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1haWEuZ2VvdHJ1c3Qu
    Y29tL3JhcGlkc3NsLmNydDBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr
    BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczAN
    BgkqhkiG9w0BAQUFAAOCAQEAgDs51+io4xWWYrR9LhMv5Ks8URfluQPFO2FUA6PI
    KjOoQwLr2pa5u1mxwlkZC4j5g0uf9Afis6iVkhHMiI3fkf17sdPq/jnU7lj0sjgW
    WaJu5AmcIGVyMwWRXtyTQmfmdJ6QYK/uXJUdE45YnD5qU+h0wW2PY9UhTwEqLqPH
    XYFkyR3ioIuB3bx3SNeEdw4HfynrsszxqCtwEffOoS/99OMF/7K2LZS+gHPtMjTD
    SmJFnr6U21/XQx1pVYsVLps+4tWcwGwWdvLabyydgoRvSLdVnEoWveNVzYjWrXO+
    A5jWDIoTe3UJduh6qRlfvJalheNmhqAKOe5H9/LCBUn+gA==
    -----END CERTIFICATE-----
     1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
       i:/C=US/O=Caradas/OU=PIT/CN=pit-root
    -----BEGIN CERTIFICATE-----
    MIICnzCCAgigAwIBAgIJANhcG/IeHwt9MA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNV
    BAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMQwwCgYDVQQLEwNQSVQxETAPBgNVBAMT
    CHBpdC1yb290MB4XDTE0MDMwNjA0NDYzN1oXDTI0MDMwMzA0NDYzN1owPjELMAkG
Re : Re: 2 Server certificates
Hi

it seems that you could use the following functions :

void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
- sets the list of trusted CA sent to client (here Rapid SSL CA and pit-ca)

int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
- the CApath should point to a folder where certificates of both CAs are stored

OpenSSL should be able to recover the certificate chain by itself

Hope it works

Nico

- Original mail -
From: Hafedh TRIMECHE hafedh.trime...@gmail.com
To: openssl-users@openssl.org
Sent: Thu, 12 Jun 2014 09:49:49 +0200 (CEST)
Subject: Re: 2 Server certificates

> I used this pascal procedure to handle other CAs
> [...]
Re: Re : Re: 2 Server certificates
Hi Nico,

As described in OpenSSL documentation the 2 functions are equivalent:

SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for ctx.

The problem may be solved by sending two certificates to the client and it will check which one to verify regarding the CA that issued the server certificate.

SSL_CTX_load_verify_locations can't help because the certificates are stored in blob not in files.

Regards

--
View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50889.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
Re: 2 Server certificates
    A1UEBhMCVVMxEDAOBgNVBAoTB0NhcmFkYXMxDDAKBgNVBAsTA1BJVDEPMA0GA1UE
    AxMGcGl0LWNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDS8wkuFUF4kaai
    aSL+R56Vakz1ulgoYFq/EoXJzLSw0AtaW81eHuChye87XgDGPXuAECobKR1po7jm
    mv7N1mqolxdLttAo5KIrW9eON6+/+3S4tIkuKrq+6VLTyxS5tm7HtIk3VHgOauYq
    ZAwdCxSFqIuFjsujhs+XXxvwBuo5swIDAQABo4GiMIGfMB0GA1UdDgQWBBSSeO/A
    pvd/IYPohAgH1IdESNp/KDBwBgNVHSMEaTBngBTZN94fUNQRn4qO7sSjXtpWHdR7
    iaFEpEIwQDELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0NhcmFkYXMxDDAKBgNVBAsT
    A1BJVDERMA8GA1UEAxMIcGl0LXJvb3SCCQD5xUs3mIvpWzAMBgNVHRMEBTADAQH/
    MA0GCSqGSIb3DQEBBQUAA4GBACtXB0vtl0+QUUvHGlo8gqCwjjhwDLpa2VRslaus
    KGt84WlPiX0TH2Bqxm/zmPyBjNnuXWGHmQ4KgFmqa0SeF1AfP/Y3AWeEJA6Joej5
    8nG0hr6CcObxrC+wAMRPDIlLHO+51QyjpNF9HC+k26bxUapZs2VW/2pcP67mtQHy
    XiYQ
    -----END CERTIFICATE-----
     2 s:/C=US/O=Caradas/OU=PIT/CN=pit-root
       i:/C=US/O=Caradas/OU=PIT/CN=pit-root
    -----BEGIN CERTIFICATE-----
    MIICoTCCAgqgAwIBAgIJAPnFSzeYi+lbMA0GCSqGSIb3DQEBBQUAMEAxCzAJBgNV
    BAYTAlVTMRAwDgYDVQQKEwdDYXJhZGFzMQwwCgYDVQQLEwNQSVQxETAPBgNVBAMT
    CHBpdC1yb290MB4XDTE0MDMwNjA0MzUxMFoXDTI0MDMwMzA0MzUxMFowQDELMAkG
    A1UEBhMCVVMxEDAOBgNVBAoTB0NhcmFkYXMxDDAKBgNVBAsTA1BJVDERMA8GA1UE
    AxMIcGl0LXJvb3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKG7diarDQg1
    7UjmvJasHFSjWhPdb9/9pXZvWAKuc9wqqjD3nvU6w+uJtYIFqN4vXC+jk7ek4VF7
    jvkDF3R00fnHl6wOVufzQlFA7+QXpWTMGsb6yywhXMwVbcO8u14cGV/x+5VewkTg
    rVRbqZlOXImellNvW1fsJ5HiSVfH8eylAgMBAAGjgaIwgZ8wHQYDVR0OBBYEFNk3
    3h9Q1BGfio7uxKNe2lYd1HuJMHAGA1UdIwRpMGeAFNk33h9Q1BGfio7uxKNe2lYd
    1HuJoUSkQjBAMQswCQYDVQQGEwJVUzEQMA4GA1UEChMHQ2FyYWRhczEMMAoGA1UE
    CxMDUElUMREwDwYDVQQDEwhwaXQtcm9vdIIJAPnFSzeYi+lbMAwGA1UdEwQFMAMB
    Af8wDQYJKoZIhvcNAQEFBQADgYEAIeZZtXQqlBK04a2gimGko/aL2YWMRgh04yTK
    +jw7OkJ/UWdA1g78UJk5/rTJ92579io5rsmLHXV+uWc6Wr6IFO4AfxiQv+GW/PMQ
    8pu49o8ev9yTvYaos8XP4zdUO4RsXBw9rYRuSP4Ov2tOKKPomOJLabS58GAlCouk
    774/xTE=
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com
    issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    ---
    Acceptable client certificate CA names
    /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
    /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    /C=US/O=Caradas/OU=PIT/CN=pit-ca
    /C=US/O=Caradas/OU=PIT/CN=pit-root
    ---
    SSL handshake has read 3311 bytes and written 649 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : AES256-GCM-SHA384
        Session-ID: 4E1F306DC017FF34593693FA862184AC7CF38B976E36681DD7F5481DD2696044
        Session-ID-ctx:
        Master-Key: 2C469ED2095E5F9F66792C4CAB4339BAD630ADC6773A491F391533EFC99BBE47D06FD73DC9ADB4E130B5A664350C3F3E
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - fc ca 8c 95 6c f5 1d 56-7f e3 13 cb 03 05 09 46   l..V...F
        0010 - 81 b0 6b 94 6e bf af 64-4f 50 39 00 d3 f2 2e 5b   ..k.n..dOP9[
        0020 - 6c 30 fc d4 da 70 ae 66-dc 60 7f 01 db 29 4b 78   l0...p.f.`...)Kx
        0030 - fb b7 bb b6 bc be cc e9-db 77 cd b1 97 d1 16 01   .w..
        0040 - e7 fe f4 79 69 bb 9c 25-ce 2b 64 62 6f f7 cb 94   ...yi..%.+dbo...
        0050 - 45 fc 07 31 eb 9d e7 66-ef e1 c9 ea 82 0d 56 45   E..1...f..VE
        0060 - f4 17 af e3 73 32 59 8e-fb 5d 30 4c 31 df bb d9   s2Y..]0L1...
        0070 - f8 1e 9b 12 04 a3 56 98-0b 72 99 83 ff d7 30 0f   ..V..r0.
        0080 - 0e ec d5 d4 c2 0a 9a eb-07 9c e4 3e 9c 2d 72 18   -r.
        0090 - 6b b6 d1 3f 42 3a 11 ae-4c d0 ff ce 34 9f 15 c3   k..?B:..L...4...

        Start Time: 1402558752
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---

- Original Message -
From: Saurabh Pandya er.saurabhpan...@gmail.com
To: openssl-users openssl-users@openssl.org
Date: Thu, 12 Jun 2014 12:05:09 +0530
Subject: Re: 2 Server certificates

> To handle CA cert chain, you can use SSL_CTX_add_extra_chain_cert..
> are you expect certificate form client ?
> [...]
Re: Re : Re: 2 Server certificates
Hi Nico,

As described in OpenSSL documentation the 2 functions are equivalent:

SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for ctx.

The problem may be solved by sending two certificates to the client and it will check which one to verify regarding the CA that issued the server certificate.

SSL_CTX_load_verify_locations can't help because the certificates are stored in blob not in files.

Regards

- Original Message -
From: nicolas@free.fr
To: openssl-users@openssl.org
Date: Thu, 12 Jun 2014 16:22:36 +0200 (CEST)
Subject: Re : Re: 2 Server certificates

> Hi
> it seems that you could use the following functions :
> [...]
Re : Re: Re : Re: 2 Server certificates
Hi,

Sorry for the first answer, I didn't read in detail :-/

Looking at your certificate chain, you are in fact trying to validate a certificate issued by RapidSSL using pit-ca:

---
Certificate chain
 0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
   i:/C=US/O=Caradas/OU=PIT/CN=pit-root

This at least explains why it fails... However, you didn't indicate how you set up the first chain, if there is any (looks like not here).

My guess is you should just add all your certificates (CAs and roots) using only X509_STORE_add_cert, since the verification function tries to recompose the chain by itself. You can also create a single chain containing all your certificates (both CAs and roots, in any order); once again, the verification should be done transparently.

Let me know if it works, or if you already tried.

----- Original Message -----
From: Hafedh TRIMECHE hafedh.trime...@strong-data.com
To: openssl-users@openssl.org
Sent: Thu, 12 Jun 2014 16:39:23 +0200 (CEST)
Subject: Re: Re : Re: 2 Server certificates

Hi Nico,

As described in the OpenSSL documentation, the two functions are equivalent:

SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for ctx.

The problem may be solved by sending two certificates to the client, and it will check which one to verify depending on the CA that issued the server certificate.

SSL_CTX_load_verify_locations can't help because the certificates are stored in a blob, not in files.
Regards
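The chain walk Nico describes, as an added example written for this page (not code from the thread or from OpenSSL): it parses the "Certificate chain" block that s_client prints, starts at the leaf and follows issuer names through the certificates the server presented, the way a verifier recomposes the chain. On the chain from the thread it shows that RapidSSL CA must come from the client's own trust store (verify error 20) and that the presented pit-ca certificate never joins the path. It matches names as plain strings only; real verification compares DNs and checks signatures, so treat it as a diagnostic, not a validator.

```python
import re

# Constructed input (not a file from the archive): the "Certificate chain"
# block from the s_client run quoted in this thread, PEM bodies omitted.
# The leaf is issued by RapidSSL CA, but the only other certificate the
# server presents is pit-ca, which issued nothing in this chain.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
   i:/C=US/O=Caradas/OU=PIT/CN=pit-root
"""

SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(text):
    """Return the presented certificates as (subject, issuer) pairs, in order."""
    pairs, subject = [], None
    for line in text.splitlines():
        if m := SUBJECT_RE.match(line):
            subject = m.group(1).strip()
        elif (m := ISSUER_RE.match(line)) and subject is not None:
            pairs.append((subject, m.group(1).strip()))
            subject = None
    return pairs


def build_path(pairs):
    """Start at the leaf and keep looking for a presented cert whose subject
    is the current issuer. Returns (path_subjects, missing_issuer, unused):
    missing_issuer is the name the client must already trust locally (the
    issuer behind 'unable to get local issuer certificate'); unused lists
    presented certificates that never joined the path."""
    by_subject = {s: (s, i) for s, i in pairs}
    path, seen = [pairs[0]], {pairs[0][0]}
    while path[-1][1] in by_subject and path[-1][1] not in seen:
        nxt = by_subject[path[-1][1]]  # 'seen' stops the walk at a self-signed root
        path.append(nxt)
        seen.add(nxt[0])
    unused = [s for s, _ in pairs if s not in seen]
    return [s for s, _ in path], path[-1][1], unused


if __name__ == "__main__":
    path, missing, unused = build_path(parse_chain(SAMPLE_CHAIN))
    print("path:", path)
    print("must be trusted locally:", missing)
    print("presented but unused:", unused)
```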