Kyle,

How to check "CA:true" attribute?

The server cert was signed by using the openssl utility sign-server-cert. It
is provided in the openssl link. Same for client cert. The server cert and
the CA cert were loaded into the keystore and, using the keytool utility, we
checked that it is okay.

On the client side, there is no keytool, but since it is in C, it is loaded
into the context programmatically.

The cert serial numbers and the dates are verified to be okay. version = 3.

Ambarish.
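An added example, not code from this thread and not an OpenSSL or Java API: the "CA:true" attribute Kyle asks about is the cA flag of the basicConstraints extension (OID 2.5.29.19), which keytool and openssl x509 -text both render as "CA:TRUE". This pure-Python DER walk locates that extension in any DER-encoded certificate and decodes the flag; the sample inputs are constructed, and the seq/fake_cert helpers exist only to build them.

```python
"""Locate the X.509 basicConstraints extension (OID 2.5.29.19) in DER and report
whether it asserts CA:TRUE.  Pure DER walk; no OpenSSL binding is needed."""
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER body of OID 2.5.29.19

def der_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):  # yield (tag, body_start, body_end) per TLV
    while start < end:
        tag, body, start = der_tlv(buf, start)
        yield tag, body, start

def decode_basic_constraints(value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL }  ->  (is_ca, path_len)"""
    _, body, end = der_tlv(value, 0)
    is_ca, path_len = False, None
    for tag, s, e in children(value, body, end):
        if tag == 0x01:  # BOOLEAN; DER encodes TRUE as 0xFF
            is_ca = value[s:e] != b"\x00"
        elif tag == 0x02:  # INTEGER pathLenConstraint
            path_len = int.from_bytes(value[s:e], "big")
    return is_ca, path_len

def find_basic_constraints(der):
    """Walk every constructed node; return (is_ca, path_len, critical), or
    None when the certificate carries no basicConstraints (e.g. a v1 cert)."""
    for tag, s, e in children(der, 0, len(der)):
        kids = list(children(der, s, e)) if tag == 0x30 else []
        if kids and kids[0][0] == 0x06 and der[kids[0][1]:kids[0][2]] == BASIC_CONSTRAINTS_OID:
            critical = any(t == 0x01 and der[a:b] != b"\x00" for t, a, b in kids)
            octets = next(der[a:b] for t, a, b in kids if t == 0x04)  # extnValue
            return decode_basic_constraints(octets) + (critical,)
        if tag & 0x20:  # constructed type: descend into its body
            found = find_basic_constraints(der[s:e])
            if found is not None:
                return found
    return None

def seq(body, tag=0x30):  # short-form TLV wrapper for the samples (len < 128)
    return bytes([tag, len(body)]) + body
# Constructed samples (not the thread's certs), nested like a real certificate:
# Certificate > TBSCertificate > [3] EXPLICIT > Extensions > Extension.
CA_EXT = bytes.fromhex("0603551d13 0101ff 0405 3003 0101ff")  # CA:TRUE, critical
EE_EXT = bytes.fromhex("0603551d13 0101ff 0402 3000")         # cA absent -> FALSE
def fake_cert(ext): return seq(seq(b"\x02\x01\x01" + seq(seq(seq(ext)), 0xA3)))
```

For a real certificate pass its DER bytes (for PEM, base64-decode the text between the BEGIN/END lines first); a v3 CA certificate should come back as (True, ...), and anything else explains why a verifier refuses to treat it as an issuer.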

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Kyle Hamilton
Sent: Tuesday, January 31, 2006 4:32 PM
To: openssl-users@openssl.org
Subject: Re: SSL_connect fails with SSL_ERROR_SSL


Okay.  The question is:

You have a CA.  Did you encode the "CA:true" attribute in it?
You created a server certificate signed by that CA.  How?
You created a client certificate signed by that CA.  How?
You have loaded the CA certificate into the server's keystore, and
marked it 'trusted'.  Have you verified that it exists correctly in
the server's keystore?
You have loaded the CA certificate into the client's keystore, and
marked it 'trusted'.  Have you verified that it exists correctly in
the client's keystore?
Have you verified that the serial numbers on the certificates are not the
same?

How did you verify that the certificates were okay?

Are there any requirements in Java's SSL implementation for specific
OIDs/extensions to be in the client certificate for it to be
recognized as such?

Do your certificates have 'version=3' properly encoded?

-Kyle H

On 1/31/06, Ambarish Mitra <[EMAIL PROTECTED]> wrote:
>
>
> Samy,
>
> Thanks for your reply. On the server side (Java), I have explicitly set
> client authentication to true.
>
> ks.load(new FileInputStream(KEYSTORE_FILE), passphrase);
>
> kmf.init(ks, passphrase);
> ctx.init(kmf.getKeyManagers(), null, null);    // null TrustManagers: the JVM's default trust store is used, not ks
> ssf = ctx.getServerSocketFactory();
>
> sSocket = (SSLServerSocket) ssf.createServerSocket(tcpPort, 10);    // Creation of Server Socket
>
> sSocket.setNeedClientAuth(true);    // Needs successful client authentication
>
>
> <snip>
> So to verify the authenticity of the certificate you should have the CA (who
> signed the cert) in your list of "trusted CAs".
>
> </snip>
> That CA cert is in the keystore file already of the server side.
>
>
> Also, I am not using .PEM certificates, I am using what the keytool created,
> got the CSR signed.
>
>  -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Samy Thiyagarajan
> Sent: Tuesday, January 31, 2006 4:03 PM
> To: openssl-users@openssl.org
> Subject: Re: SSL_connect fails with SSL_ERROR_SSL
>
> Dear all,
>
> Using openssl (openssl 0.9.7), I have set up a CA and this CA has issued 2
> certs - one for client and the other for the server. I have checked that
> these certificates are ok.
>
> I am attempting to write a SSL client-server program.
>
> SSL Server:- Java. It has a keystore, which contains the server cert and the
> CA cert.
>
> SSL Client: C. In the program, using appropriate openssl calls, I have added
> the client certificate, the private key and the CA cert to the context.
> Please see the code snippet.
>
> ...
> Initialization is successful, but the handshake fails. We first create a TCP
> socket and then "connect" as shown below. Then, we call SSL_connect, which
> fails with SSL_ERROR_SSL. At this point, the Java server outputs
> SSLException "No Trusted certificate".
>
> >> If you want client authentication, you need to explicitly state this at
> the server side (i.e., you should ask the client to send the certificate.)
> So to verify the authenticity of the certificate you should have the CA (who
> signed the cert) in your list of "trusted CAs".
>
> I believe you need the following function..
> SSL_CTX_set_verify()
>
> I somewhere found that java does not support .pem format keystore (but I'm
> not sure). If I am right and if you are using .pem that might also be a
> reason.
>
> Hope this helps,
> Samy
>
>
>     sd = socket(AF_INET, SOCK_STREAM, 0);
>     int c = connect(sd, (struct sockaddr *) &host_id, sizeof(host_id));
>
>     // By now, the SSL context is initialized and the TCP socket is connected.
>     // Now, SSLize the TCP socket.
>     ssl = SSL_new(ctx);           // create an SSL object from the SSL context
>     r = SSL_set_fd(ssl, sd);      // associate the network connection with the SSL object
>
>     int err = SSL_connect(ssl);   // initiate the SSL handshake ********* FAILS HERE *********
>     if (err <= 0)
>     {
>         int errcode = SSL_get_error(ssl, err);
>         switch (errcode)
>         {
>             /* other cases */
>             case SSL_ERROR_SSL:
>                 // ERR_print_errors_fp(stderr) at this point would print the
>                 // underlying error queue (e.g. the alert received from the peer)
>                 LogMesg(logger, LOGFATAL, "SSL connect: Protocol Error.");
>                 break;
>         }
>     }
>
>
> Can anyone please tell me what is happening?
>
>
> Best regards,
> Ambarish.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]