Thanks for all your help Kyle, I've run your tests and I'm now fairly sure it's not the certificates, it's something weird to do with gSOAP. I'm off to their user group to whine instead!

Again, thanks for providing so much assistance, I'm guessing you've saved me days of trawling through websites and the book.

Lee.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton
Sent: 08 February 2006 17:39
To: openssl-users@openssl.org
Subject: Re: Decryption question

If you're on Win32, just type up the query, copy it, then in the console window's system menu (alt+spacebar), select 'Edit', and then 'Paste'.

The two programs run in different processes, and don't particularly care about sessions. (They're not bound to Windows conventions like Windows-specific software usually is.) Just two separate cmd.exe prompts would be enough.

(The reason I say 'write up a valid answer to the query' is so that you can paste it into an s_server that you connect your application to, to ensure that it isn't going to get garbage back.)

-Kyle H

On 2/8/06, Lee Colclough <[EMAIL PROTECTED]> wrote:
> Fantastic response, just what I needed, thanks Kyle.
>
> Now, I have done as you suggested:
>
> The s_server tests showed a perfect XML message in the s_server window,
> so that seems fine.
>
> The s_client test I assumed I had to run in a separate session while
> the s_server command was still running - output looked like this:
[snipped for brevity]
> Which seems fine - from then on, whatever I typed in the client window
> appeared in the server window, so this is ok too by the sound of it.
>
> One thing you did mention - 'manually generate some valid queries and
> valid answers to those queries' - did you mean manually code some soap
> messages and pass them to s_client, to see what the server returns? No
> problem doing this, but how do I get them into s_client?
>
> Thanks again, you've been a lifesaver.
>
> Lee.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kyle Hamilton
> Sent: 08 February 2006 14:28
> To: openssl-users@openssl.org
> Subject: Re: Decryption question
>
> In order for a certificate to have any meaning, it must include a
> public key (of whatever type), and the private key should be kept
> private for that side.
>
> Thus, you've created three keypairs: one for the CA, one for the
> server, one for the client.
>
> The CA's certificate is self-signed, and you've given that certificate
> to both the server and the client.
>
> The server's certificate is signed by the CA, and you've given it to the
> server.
>
> The client's certificate is signed by the CA, and you've given it to the
> client.
>
> Okay. Now, I understand what you're trying to do -- you're trying to
> use SOAP in place of DCOM [which, btw, I applaud :)]. There's a whole
> bunch of things that can go wrong on either side -- this is where the
> openssl command-line program comes in handy.
>
> What you want to do is manually generate some valid queries and valid
> answers to those queries, because what you're going to do is fake the
> server, and then fake the client. To fake the server, get the server
> cert and key out and put it into a new directory, name it server.pem,
> copy the CA cert to the new directory, name it CA.pem, and then type
> the following: 'openssl s_server -accept (portnum) -crlf -cert
> server.pem -CAfile CA.pem' (obviously, you want to replace portnum
> with the actual port you're trying to use -- MAKE SURE THAT NOTHING
> ELSE IS LISTENING ON IT, OR YOU WILL GET AN ERROR).
>
> Then, use the client to connect to it, and send a request. If it
> comes through properly (i.e., you can read it), the client is
> respecting the certificate that the server is sending. Hit ctrl-c to
> stop the server, and then do the same line, except append '-Verify
> CA.pem' to the end of it, and then perform the test again. If it
> comes through, then it's not an SSL problem on the client or server
> end, and you will have to look at gSOAP for the answer.
>
> To test what the server is sending back to the client, you use almost
> the same command, except it's: 'openssl s_client -connect
> hostname:port -verify CA.pem -cert client.pem -crlf -CAfile CA.pem'
>
> If you send a valid request via that mechanism, and it's logged as a
> valid request on the server side, then your problem is in your
> application (or, more specifically, its SOAP client library).
>
> I hope this helps you troubleshoot it. :)
>
> <snip>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________
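As an added example, not part of the thread and not Kyle's or Lee's own commands: a POSIX shell script that builds a throwaway CA plus CA-signed server and client certificates, then runs the two s_server checks Kyle describes (server certificate only, then client certificate demanded as well) against s_client without any typing, and finally confirms that a client with no certificate is refused by the second configuration. It assumes the openssl command-line tool is on PATH and that the ports it picks on 127.0.0.1 are free; all file names and subject names are constructed for the example. It uses `-www` so s_server answers a GET with its status page instead of waiting for keyboard input, `-ign_eof` so s_client keeps reading until the server closes, and `-Verify 1`, since the argument to `-Verify` is a verification depth.

```shell
#!/bin/sh
# Added example (not from the thread): script the s_server / s_client checks.
# Assumes: openssl CLI on PATH; the constructed ports below are free on 127.0.0.1.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
BASE_PORT=$((10000 + $$ % 20000))   # constructed port range; adjust if in use

# Build a throwaway PKI: a self-signed CA, plus a server and a client cert it signs.
# s_server and s_client read one PEM file holding both the certificate and its key.
make_pki() {
    cd "$WORKDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout CA.key -out CA.pem 2>/dev/null
    for name in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$name.csr" -CA CA.pem -CAkey CA.key \
            -CAcreateserial -out "$name.crt" 2>/dev/null
        cat "$name.crt" "$name.key" > "$name.pem"
    done
}

# Offline check that both leaf certificates chain to CA.pem, which is exactly
# what each side will verify during the handshake.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/CA.pem" "$WORKDIR/server.crt" "$WORKDIR/client.crt"
}

# Start s_server on port $1 with extra options $2, connect with s_client using
# extra options $3, and succeed only if the client received the server's reply.
# -www makes s_server answer a GET with a status page instead of waiting for
# typed input; -ign_eof keeps s_client reading until the server closes.
tls_exchange() {
    port="$1"; server_opts="$2"; client_opts="$3"
    cd "$WORKDIR"
    # shellcheck disable=SC2086  # word-splitting of the option strings is intended
    openssl s_server -accept "$port" -cert server.pem -CAfile CA.pem -www \
        $server_opts > "server_$port.log" 2>&1 < /dev/null &
    srv=$!
    sleep 1
    out="$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$port" \
        -CAfile CA.pem -ign_eof $client_opts 2>&1 || true)"
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    printf '%s\n' "$out" | grep -q 'HTTP/1.0 200'
}

make_pki
verify_chain
# 1. server presents its certificate; the client checks it against CA.pem
tls_exchange "$BASE_PORT" "" ""
echo "server certificate accepted by client"
# 2. server additionally demands a client certificate signed by CA.pem
tls_exchange "$((BASE_PORT + 1))" "-Verify 1" "-cert client.pem"
echo "mutual TLS handshake ok"
# 3. same server, client without a certificate: must be refused
if tls_exchange "$((BASE_PORT + 2))" "-Verify 1" ""; then
    echo "unexpected: server accepted a client without a certificate"; exit 1
fi
echo "client without certificate correctly refused"
```

If step 1 passes but the real application still fails against the same server, the certificates are doing their job and the problem sits above TLS, which is the conclusion Kyle's procedure is designed to reach; the server log written per port keeps the handshake errors for the refused case.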