"No client certificate CA names sent" error
From the openssl-users mailing list (http://marc.info/?l=openssl-users&m=118839574332588), a reply to a question about client certificate authentication with s_server and s_client:

From: () nx9010 ! malkom ! pl

Hello,

> both with openssl, I am trying to have a server and client that perform
> client certificate authentication.
>
> So, I start the server as follows:
>
>     openssl s_server -www -key /dir/server-key.pem -cert /dir/server-cert.pem -CAfile /dir/cacert.pem -state
>
> and as per the previous posts on the list, the CAfile is not empty since
>
>     openssl x509 -in /dir/cacert.pem -noout -text
>
> gives nice output.
>
> Then, I connect from a different shell window on the same server with
>
>     openssl s_client -connect localhost:4433 -cert /dir/clientCert.pem -key /dir/ClientCertKey.pem -CAfile /dir/server-cert.pem
>
> and I get asked for my key's password.
>
> /dir/cacert.pem and /dir/clientCert.pem are identical since it is a self-signed client certificate.
>
> Then a connection is established successfully, but I see the
>
>     "No client certificate CA names sent"
>
> Then I do a
>
>     R
>
> on the client side since that ought to request the client certificate as per http://openssl.org/docs/apps/s_server.html#CONNECTED_COMMANDS, but no change.
>
> Also, when doing "GET /" there is no hint that a client certificate authentication has happened.
>
> Is there any other option I have overlooked to tell s_server it really should ask for a client certificate?
>
> Many thanks for any hints in advance!

You should add the -verify/-Verify option. If you use the -state option then you can observe the packet exchange. The server requests a certificate from the client by sending a "certificate request" packet. This packet is sent only when verify is on. When the server does not need to authenticate the client, this packet is not sent.

Option -verify requires a certificate from the client, but the SSL connection is established even if the client does not return a certificate.

Option -Verify requires a certificate from the client, but the SSL connection is NOT established if the client does not return a certificate.

For example:

    $ openssl s_server -key key.pem -cert crt.pem -CAfile cacert.pem \
        -state -verify 10
    verify depth is 10
    ....
    SSL_accept:before/accept initialization
    SSL_accept:SSLv3 read client hello A
    SSL_accept:SSLv3 write server hello A
    SSL_
From Server Fault, "Understanding the output of openssl s_client" (http://serverfault.com/questions/589590/understanding-the-output-of-openssl-s-client):

Ever since our email provider changed their SSL certificate, a POP3 client based on mono refuses to connect to their secure POP server to download emails. Other clients do not have an issue, e.g. Thunderbird and Outlook; neither do most SSL checker sites that are capable of checking odd ports, except this one. I have been working with both providers in an attempt to pinpoint the problem, but have finally reached a dead-end with both, since I don't know enough about SSL certificates to be able to guide either provider to understand where the fault lies.

During the investigation, my attention was drawn to the difference in output of the following two commands (I have removed the certificates from the output for readability):

    echo "" | openssl s_client -showcerts -connect pop.gmail.com:995
    CONNECTED(00000003)
    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
       i:/C=US/O=Google Inc/CN=Google Internet Authority G2
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
     1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
       i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
     2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
       i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
    issuer=/C=US/O=Google Inc/CN=Google Internet A
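The two posts above raise the same two questions: did the server ever ask for a client certificate (the "No client certificate CA names sent" line answers that), and why does s_client report a verify error against a chain that other clients accept. The script below is an added example written for this page; it is not code from the openssl-users thread, the Server Fault post or the OpenSSL Cookbook. Part 1 reads the trust-related lines of `openssl s_client` output from two constructed samples shaped like the outputs quoted above (not real captures). Part 2 reproduces the mailing-list answer end to end: it builds a throwaway CA, a server certificate and a client certificate, then runs s_server with no verify option, with -verify and with -Verify and reports what s_client sees in each case. The file names, the CA name "Example Test CA" and port 4433 are assumptions.

```shell
# Added example for this page (not from the thread, the Server Fault post or the
# cookbook). Part 1 reads the trust-related lines of `openssl s_client` output;
# part 2 reproduces the thread's fix by running s_server with no verify option,
# with -verify and with -Verify. File names, the CA name "Example Test CA" and
# port 4433 are assumptions.

# ---- 1. reading s_client output: constructed samples (not real captures), in
# the shape of the outputs quoted on this page with the PEM blocks removed.
SAMPLE_NO_CA_NAMES='CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
Verify return code: 20 (unable to get local issuer certificate)'

SAMPLE_CA_NAMES='CONNECTED(00000003)
depth=1 CN = Example Test CA
verify return:1
depth=0 CN = localhost
verify return:1
---
Acceptable client certificate CA names
CN = Example Test CA
Client Certificate Types: RSA sign, ECDSA sign
---
Verify return code: 0 (ok)'

# Did the server send a CertificateRequest? Prints "requested:<CA names>" or
# "not-requested". Without that request the client never sends its certificate,
# whatever -cert/-key it was given; that is the situation in the thread above.
client_cert_request() {
    names=$(printf '%s\n' "$1" | awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^---/ || /^[A-Za-z ]+:/) { exit }   # end of the DN list
        in_list { names = names (names ? ";" : "") $0 }
        END { print names }')
    if [ -n "$names" ]; then echo "requested:$names"; else echo not-requested; fi
}

# Number from the "Verify return code: N (...)" line; 0 means the server chain
# validated against the trust store given with -CAfile/-CApath.
verify_return_code() {
    printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\) .*/\1/p'
}

# Issuer of the last certificate the server sent: the certificate the local
# trust store must contain for "unable to get local issuer" to go away.
last_chain_issuer() {
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ s:/ { getline; sub(/^ *i:/, ""); issuer = $0 }
        END { print issuer }'
}

# The X509_V_ERR codes seen in threads like the ones on this page. 19 and 20
# both mean "no trust anchor found locally", not that the certificate is bad.
explain_verify_error() {
    case "$1" in
        0)  echo "ok: chain validated" ;;
        19) echo "self-signed root in chain, but that root is not in -CAfile/-CApath" ;;
        20) echo "an intermediate or root is missing from -CAfile/-CApath" ;;
        *)  echo "verify error $1: see the openssl-verify man page" ;;
    esac
}

# ---- 2. reproducing the thread. Needs the openssl binary and a free port;
# run as `sh this.sh live`. Each round also connects without a client cert.
demo_live() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Test CA' \
        -keyout ca.key -out ca.crt 2>/dev/null
    for n in server client; do    # both end-entity certificates signed by that CA
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" -keyout "$n.key" -out "$n.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -out "$n.crt" 2>/dev/null
    done
    for opt in "" "-verify 2" "-Verify 2"; do    # $opt is unquoted on purpose
        openssl s_server -accept 4433 -www -key server.key -cert server.crt -CAfile ca.crt $opt >/dev/null 2>&1 &
        pid=$!; sleep 1
        out=$(openssl s_client -connect localhost:4433 -cert client.crt -key client.key -CAfile ca.crt </dev/null 2>&1)
        echo "s_server ${opt:-no verify option}: $(client_cert_request "$out"), verify $(verify_return_code "$out")"
        # -tls1_2 so a -Verify rejection happens inside the handshake, not after it
        openssl s_client -connect localhost:4433 -CAfile ca.crt -tls1_2 </dev/null >/dev/null 2>&1 \
            && echo "  no client cert: handshake completed" || echo "  no client cert: handshake rejected"
        kill "$pid"; wait "$pid" 2>/dev/null || true
    done
}

for s in "$SAMPLE_NO_CA_NAMES" "$SAMPLE_CA_NAMES"; do
    rc=$(verify_return_code "$s")
    echo "client cert: $(client_cert_request "$s")"
    echo "verify $rc: $(explain_verify_error "$rc")"
    if [ "$rc" = 20 ]; then echo "trust store needs: $(last_chain_issuer "$s")"; fi
done
if [ "${1:-}" = live ]; then demo_live; fi
```

Run with no arguments, the script only reads the two constructed samples: the first comes back as not-requested with verify 20 and names the Equifax certificate as the one the trust store is missing, the second as requested with the CA name the server advertised and verify 0. Run as `sh this.sh live` it needs openssl on the path and shows the thread's point directly: with no verify option s_client prints "No client certificate CA names sent" no matter what -cert it was given, with -verify 2 the CA list appears and a client without a certificate still completes the handshake, and with -Verify 2 that same certificate-less client is rejected.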
Related: isync-devel, "Re: SSL: certificate owner does not match hostname" (https://sourceforge.net/p/isync/mailman/message/32994613/)

From the OpenSSL Cookbook, "Testing with OpenSSL" (https://www.feistyduck.com/library/openssl-cookbook/online/ch-testing-with-openssl.html):
and implementation quirks, it’s sometimes difficult to determine the exact configuration and features of secure servers. Although many tools exist for this purpose, it’s often difficult to know exactly how they’re implemented, and that sometimes makes it difficult to fully trust their results. Even though I spent years testing secure servers and have access to good tools, when I really want to understand what is going on, I resort to using OpenSSL and Wireshark. I am not saying that you should use OpenSSL for everyday testing; on the contrary, you should find an automated tool that you trust. But, when you really need to be certain of something, the only way is to get your hands dirty with OpenSSL.

Connecting to SSL Services

OpenSSL comes with a client tool that you can use to connect to a secure server. The tool is similar to telnet or nc, in the sense that it handles the SSL/TLS layer but allows you to fully control the layer that comes next.

To connect to a server, you need to supply a hostname and a port. For example:

    $ openssl s_client -connect www.feistyduck.com:443

Once you type the command, you’re going to see a lot of diagnostic output (more about that in a moment) followed by an opportunity to type whatever you want. Because we’re talking to an HTTP server, the most sensible thing to do is to submit an HTTP request. In the following example, I use a HEAD request because it instructs the server not to send the response body:

    HEAD / HTTP/1.0
    Host: www.feistyduck.com

    HTTP/1.1 200 OK
    Date: Tue, 10 Mar 2015 17:13:23 GMT
    Server: Apache
    Strict-Transport-Security: max-age=31536000
    Cache-control: no-cache, must-revalidate
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Set-Cookie: JSESSIONID=7F3D840B9C2FDB1FF7E5731590BD9C99; Path=/; Secure; HttpOnly
    Connection: close
    read:errno=0

Now we know that the TLS communication layer is working: we got through to the HTTP server, submitted a request, and received a response back.

Let’s go back to the diagnostic output. The first couple of lines will show the information about the server certificate:

    CONNECTED(00000003)
    depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = info@valicert.com
    verify error:num=19:self signed certificate in certificate chain
    verify return:0

On my system (and possibly on yours), s_client doesn’t pick up the default trusted certificates; it complains that there is a self-signed certificate in the certificate chain. In most cases, you won’t care about certificate validation; but if you do, yo