Hello,
> In the application I'm currently working on which uses OpenSSL via
> Ruby, I seem to be having a problem with the handshake when a client
> connects to my server, though my client to their server works fine.
> From an ssldump, it appears that my server's certificate request does
> not include any certificate_authority entries. Because of this, the
> client does not send its certificate and the handshake fails.
> 
> ssldump examples:
> 
> Their server sends a certificate request like this:
> 
> 1 4  0.2734 (0.0064)  S>C  Handshake
>       CertificateRequest
>         certificate_types                   rsa_sign
>         certificate_types                   dss_sign
>         certificate_authority
>           C=US
>           O=Equifax
>           OU=Equifax Secure Certificate Authority
>         certificate_authority
>           C=US
>           O=Equifax Secure Inc.
>           CN=Equifax Secure eBusiness CA-1
>         certificate_authority
>           C=US
>           O=RSA Data Security, Inc.
>           OU=Secure Server Certification Authority
> 
> 
> My server only sends this:
> 
> 2 4  0.1097 (0.0000)  S>C  Handshake
>       CertificateRequest
>         certificate_types                   rsa_sign
>         certificate_types                   dss_sign
>       ServerHelloDone
> 
> The client requires the certificate_authority information as seen in
> the first example, but I'm not sure what needs to be set to make that
> happen and a list archive search hasn't helped. In the SSL context for
> the connection I set the certificate, key, verify_mode, and ca_path.
> Am I missing something? Where does this certificate_authority
> information come from?
This is optional info and if it is not provided then the client may send
any certificate of the specified type (here: RSA or DSS).
Maybe your client does not have a key/cert loaded?
Have you any errors on the client or server?
Try:
 $ openssl s_client -connect ip:port -state -msg -debug
 $ openssl s_client -connect ip:port -state -msg -debug -cert \
         client_crt.pem -key client_key.pem
Full SSL session ssldump will be helpful too.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
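
Added example, not part of the original thread or of the OpenSSL project's code: in Ruby the certificate_authority names in CertificateRequest come from SSLContext#client_ca=, while ca_path only configures which CAs the server trusts. The throwaway certificates, their names and the make_cert and advertised_cas helpers are constructed for this demonstration.

```ruby
require "openssl"
require "socket"

# Constructed throwaway certificates; every name here is an assumption.
def make_cert(cn, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/C=US/O=Example/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", issuer ? "CA:FALSE" : "CA:TRUE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256")) # returns the cert
end

CA_KEY, SRV_KEY, CLI_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
CA_CERT  = make_cert("Test CA", CA_KEY)
SRV_CERT = make_cert("localhost", SRV_KEY, CA_CERT, CA_KEY)
CLI_CERT = make_cert("client", CLI_KEY, CA_CERT, CA_KEY)
TRUST = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }

# One loopback handshake; returns the CA names the client saw in CertificateRequest.
def advertised_cas(client_ca)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key, sctx.cert_store = SRV_CERT, SRV_KEY, TRUST
  sctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # makes the server send CertificateRequest
  sctx.client_ca = client_ca if client_ca      # fills its certificate_authority list
  tcp = TCPServer.new("127.0.0.1", 0)
  acceptor = Thread.new { OpenSSL::SSL::SSLServer.new(tcp, sctx).accept.close rescue nil }

  seen = nil
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.cert_store, cctx.verify_mode = TRUST, OpenSSL::SSL::VERIFY_PEER
  # Invoked when the server requests a certificate and none is preset.
  cctx.client_cert_cb = lambda do |ssl|
    seen = Array(ssl.client_ca).map(&:to_s)
    [CLI_CERT, CLI_KEY]
  end
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), cctx)
  sock.sync_close = true
  sock.connect
  sock.close
  acceptor.join
  tcp.close
  seen
end
```

advertised_cas(CA_CERT) returns the CA subject as the client received it; advertised_cas(nil) returns an empty list, which matches the second ssldump in the question.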
