sslv3 alert certificate unknown means that the server needs to trust
the CA for issuing client certificates.  (The server is authenticating
fine, but it's likely that the server isn't sending information on
what CA it will accept a client certificate from, so the other side
sends an alert.  Either that, or the other side tries to send the
certificate anyway, and the local side can't verify it, so it
generates the alert.)  I'm not sure how you would go about doing so in
your particular program; you may wish to ask on the appropriate list.

For reference, as far as I can tell, the proper function that needs to
be called is SSL_CTX_set_client_CA_list(3), or
SSL_set_client_CA_list(3) if you want to do it on a
connection-by-connection basis.

-Kyle H
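Added example, not code from the thread: a small Python decoder for the packed OpenSSL error code in the quoted output (0x14094416). It splits the code into library, function and reason fields using the pre-3.0 layout, and flags SSL reasons at or above SSL_AD_REASON_OFFSET (1000) as alerts received from the peer, which is how you tell that the rejecting side was the remote server rather than the local client. The alert-name table is a constructed subset of the RFC 5246 values.

```python
from dataclasses import dataclass
from typing import Optional

ERR_LIB_SSL = 20             # ERR_LIB_SSL in <openssl/err.h>
SSL_AD_REASON_OFFSET = 1000  # SSL reason codes >= 1000 mean "alert received from peer"

# Constructed subset of TLS alert descriptions (RFC 5246 s7.2; 116 is from TLS 1.3).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 116: "certificate_required",
}

@dataclass
class OpenSSLError:
    lib: int
    func: int
    reason: int

    @property
    def peer_alert(self) -> Optional[str]:
        """Name of the TLS alert the *peer* sent, or None if the error is local."""
        if self.lib == ERR_LIB_SSL and self.reason >= SSL_AD_REASON_OFFSET:
            desc = self.reason - SSL_AD_REASON_OFFSET
            return ALERT_DESCRIPTIONS.get(desc, f"alert({desc})")
        return None

def decode_error(code: int) -> OpenSSLError:
    """Split a packed code (pre-3.0 layout): lib = bits 24-31, func = 12-23, reason = 0-11."""
    return OpenSSLError(lib=(code >> 24) & 0xFF, func=(code >> 12) & 0xFFF, reason=code & 0xFFF)

def parse_err_string(text: str) -> OpenSSLError:
    """Parse the 'error:XXXXXXXX:lib:func:reason' form that ERR_error_string produces."""
    fields = text.strip().strip("[]").split(":")
    if len(fields) < 5 or fields[0] != "error":
        raise ValueError(f"not an OpenSSL error string: {text!r}")
    return decode_error(int(fields[1], 16))

def diagnose(text: str) -> str:
    """One-line reading of the error: did the peer reject us, or did we fail locally?"""
    err = parse_err_string(text)
    alert = err.peer_alert
    if alert is not None:
        return (f"peer sent TLS alert {alert}; the remote side rejected the handshake, "
                f"so fix its configuration (here: trust the CA that issued the client cert)")
    return f"local error: lib={err.lib} func={err.func} reason={err.reason}"

if __name__ == "__main__":
    print(diagnose("error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown"))
```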

On 2/8/06, Ambarish Mitra <[EMAIL PROTECTED]> wrote:
> Chong,
>
> With response to your e-mail, I used ERR_error_string and this is the
> output:
>
> Error: [error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
> unknown]
>
>
> This is how I used it -- the error was in SSL_connect.
>
>   err = SSL_connect(ssl);
>   if (err <= 0)
>   {
>         /* Take the earliest error off OpenSSL's error queue and render it. */
>         unsigned long ErrCode = ERR_get_error();
>         char ErrBuf[120];
>         ERR_error_string(ErrCode, ErrBuf);
>         fprintf(stderr, "Error: [%s]\n", ErrBuf);  /* This prints the above output. */
>   }
>
> Can anybody help me out please?
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Chong Peng
> Sent: Friday, February 03, 2006 10:31 PM
> To: openssl-users@openssl.org
> Subject: RE: Question on SSL_connect
>
>
>
> have you tried to call "ERR_error_string" to find out what exactly is going
> on? Could be that the server and client are using different versions of SSL.
>
> -----Original Message-----
> From: Ambarish Mitra [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 03, 2006 1:27 AM
> To: openssl-users@openssl.org
> Subject: Question on SSL_connect
>
>
> On SSL_connect, the openssl documentation mentions that: "initiate the
> TLS/SSL handshake with an TLS/SSL server"
>
> I have created the client cert and loaded into the context with
> "SSL_CTX_use_certificate_file" and the corresponding private key with
> "SSL_CTX_use_PrivateKey_file". This association works since the call
> "SSL_CTX_check_private_key" succeeded.
>
> In SSL_connect, does the client program send out the client certificate to
> the server as a part of handshake?
>
>
> Now, my server is Java based, and I do not have much idea on JVM keystores.
> It looks like the keystore holds the CA cert and also the server cert. This
> CA is also the one who issued the client cert.
>
> I am getting an error "SSL_ERROR_SSL" with SSL_connect() returning <=0.
>
> Under what circumstances does SSL_connect return this error?
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]