Dear Lutz,

Thanks once again for your patience. It now seems to me that we are on the same level of thinking as far as the problem is concerned.

Quoted text (from your mail):
"Most likely the CA certificate needed (which is identical to the server certificate as it is self signed :-) is missing from your configuration."

Query:
At this point I am stuck with how/ where to set the server certificate in my configuration.

Note: I have obtained the server certificate using the command line tool (as shown below)

openssl s_client -connect remote_server.com:8444| tee logfile

Regards,
Vishal Vashishta
Tata Consultancy Services
Mailto: [EMAIL PROTECTED]
Website: http://www.tcs.com

Lutz Jaenicke <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/15/2007 05:12 PM
Please respond to openssl-users@openssl.org
To: openssl-users@openssl.org
cc:
Subject: Re: SSL: Not Able to Connect with Secure Site from C++ / Solaris

Vishal V wrote:
>
> Dear Lutz,
> Thanks for the insight. Well it took about 1 minute after which the
> connection got closed. So that means the connection got timed out
>
> And Please see below the output for the command below.
>
> COMMAND: [EMAIL PROTECTED]:/home/Me/test>openssl s_client -connect remote_server.com:8444
>
> CONNECTED(00000004)
> depth=0 /C=US/ST=London/L=Palace House/O=ABCbank/OU=ZIT-A CMA BOS (2.3.5.1)/CN=shsvd3a.gde
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 /C=UK/ST=London/L=Palace House/O=ABCbank/OU=ZIT-A CMA BOS (2.3.5.1)/CN=shsvd3a.gde
> verify return:1
> ---
> Certificate chain
>  0 s:/C=UK/ST=London/L=Sherborne House/O=ABCbank/OU=ZIT-A CMA BOS (2.3.5.1)/CN=shsvd3a.gde
>    i:/C=UK/ST=London/L=Palace House/O=ABCbank/OU=ZIT-A CMA BOS (2.3.5.1)/CN=shsvd3a.gde
> ---
> Server certificate
> subject=/C=UK/ST=London/L=Palace House/O=ABCbank/OU=ZIT-A CMA BOS (2.3.5.1)/CN=shsvd3a.gde
> issuer=/C=UK/ST=London/L=Palace House/O=ABCbank/OU=ZIT-A CMA BOS (2.3.5.1)/CN=shsvd3a.gde
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1185 bytes and written 338 bytes
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> Server public key is 1024 bit
> SSL-Session:
>     Protocol : TLSv1
>     Cipher : EDH-RSA-DES-CBC3-SHA
>     Session-ID: 46726624C4EB38AE5973400F43D1FFEBD885BD16DD48F5DBAE4139F20421FAA0
>     Session-ID-ctx:
>     Master-Key: E94EEF3AF384401AE38F2777EF80C490D83F9846F9949E226C6386273E552ED74B3E5CB55D92AF751A423F3341E9970A
>     Key-Arg : None
>     Start Time: 1181902372
>     Timeout : 300 (sec)
>     Verify return code: 18 (self signed certificate)
> ---
> QUIT
> DONE
>

Judging from this output your network connection to the remote site is ok. The remote site is able to speak SSL as well, as it seems. It does not seem to request a client certificate (you have been allowed to connect). However: s_client has not been able to verify the server's certificate but no strict policy to enforce checking of the certificate is set in s_client.

In another mail the error message was:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

indicating that your client enforces verification of the server certificate. Most likely the CA certificate needed (which is identical to the server certificate as it is self signed :-) is missing from your configuration.

Best regards,
Lutz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
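
The trust step discussed in this thread, shown offline as an added example that is not part of the original mails: a self-signed certificate fails with error 18 until that same certificate is supplied as the CA file. The throwaway certificate, the CN `server.example` and all file names are constructed stand-ins; a library client would load the extracted file with `SSL_CTX_load_verify_locations()`.

```shell
#!/bin/sh
# Added example (constructed, offline). File names and the CN are placeholders.
# In the thread the log came from:
#   openssl s_client -connect remote_server.com:8444 | tee logfile

# Throwaway self-signed certificate standing in for the server's certificate.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=server.example" \
        -keyout "$1/server.key" -out "$1/server.pem" >/dev/null 2>&1
}

# Constructed stand-in for the saved s_client log: status text around the PEM block.
make_logfile() {
    {
        echo "CONNECTED(00000004)"
        echo "verify error:num=18:self signed certificate"
        echo "Server certificate"
        cat "$1/server.pem"
        echo "Verify return code: 18 (self signed certificate)"
    } > "$1/logfile"
}

# Copy only the PEM block out of the log into a file usable as a CA file.
extract_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2"
}

# Print 0 if verification succeeds, otherwise the X509 error number reported.
# Arguments are passed to "openssl verify" unchanged.
verify_code() {
    if out=$(openssl verify "$@" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

# SHA-256 fingerprint, for comparison with a value obtained out of band.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "$d" && make_logfile "$d" && extract_cert "$d/logfile" "$d/trusted.pem"
    echo "no CA file:   $(verify_code "$d/server.pem")"
    echo "with CA file: $(verify_code -CAfile "$d/trusted.pem" "$d/server.pem")"
    fingerprint "$d/trusted.pem"
    rm -rf "$d"
}
demo
```

Because the certificate in the log was fetched over the very connection that could not be verified, compare its fingerprint with one obtained from the server's operator before placing it in the client's CA file.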