Hello,
> both with openssl, I am trying to have a server and client that perform
> client certificate authentication.
> 
> So, I start the server as follows:
>    openssl s_server -www -key /dir/server-key.pem -cert /dir/server-cert.pem
> -CAfile /dir/cacert.pem -state
> 
> and as per the previous posts on the list, the CAfile is not empty since
>   openssl x509 -in /dir/cacert.pem -noout -text
> gives nice output.
> 
> Then, I connect from a different shell window on the same server with 
> 
>    openssl s_client -connect localhost:4433 -cert /dir/clientCert.pem -key
> /dir/ClientCertKey.pem -CAfile /dir/server-cert.pem
> 
> and I get asked for my key's password.
> 
> /dir/cacert.pem and /dir/clientCert.pem are identical since it is a
> self-signed client certificate.
> 
> Then a connection is established successfully, but I see the
> 
>    "No client certificate CA names sent"
> 
> Then I do a 
>    R
> on the client side since that ought to request the client certificate as per
> http://openssl.org/docs/apps/s_server.html#CONNECTED_COMMANDS, but no
> change.
> 
> Also, when doing "GET /" there is no hint that client certificate
> authentication has happened.
> 
> Is there any other option I have overlooked to tell s_server it really
> should ask for a client certificate?
> 
> Many thanks for any hints in advance!
You should add the -verify/-Verify option.
If you use the -state option then you may observe the packet exchange.
The server requests a certificate from the client by sending a "certificate
request" packet. This packet is sent only when verify is on.
When the server does not need to authenticate the client, this packet is not
sent.

Option -verify requires a certificate from the client, but the SSL connection
is established even if the client does not return a certificate.
Option -Verify requires a certificate from the client, but the SSL connection
is NOT established if the client does not return a certificate.

For example:

$ openssl s_server -key key.pem -cert crt.pem -CAfile cacert.pem \
        -state -verify 10
verify depth is 10
....
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write certificate request A  <-- request for certificate
SSL_accept:SSLv3 flush data
SSL_accept:SSLv3 read client certificate A <-- client certificate expected, but not returned
SSL_accept:SSLv3 read client key exchange A     but this is accepted in this case
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
....
CIPHER is DHE-RSA-AES256-SHA <-- connection successful

$ openssl s_server -key key.pem -cert crt.pem -CAfile cacert.pem \
        -state -Verify 10
verify depth is 10, must return a certificate
....
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write certificate request A  <-- request for certificate
SSL_accept:SSLv3 flush data
SSL3 alert write:fatal:handshake failure
SSL_accept:error in SSLv3 read client certificate B <-- client certificate expected, but not returned
SSL_accept:error in SSLv3 read client certificate B     not accepted in this case
....
ERROR <-- connection failed.

$ openssl s_server -key key.pem -cert crt.pem -CAfile cacert.pem \
        -state -Verify 10
verify depth is 10, must return a certificate
....
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write key exchange A
SSL_accept:SSLv3 write certificate request A <- request for certificate
SSL_accept:SSLv3 flush data
depth=1 /C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom CA/CN=Malkom Certificate Authority/[EMAIL PROTECTED]
verify return:1
depth=0 /C=PL/ST=Warsaw/L=Warsaw/O=Malkom/OU=Malkom Admin/CN=VPN Server
verify return:1
SSL_accept:SSLv3 read client certificate A  <- client certificate returned
SSL_accept:SSLv3 read client key exchange A
SSL_accept:SSLv3 read certificate verify A <-- some data signed with client private key
SSL_accept:SSLv3 read finished A
SSL_accept:SSLv3 write change cipher spec A
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
....
CIPHER is DHE-RSA-AES256-SHA  <- connection successful

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
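The following script is an added, runnable reproduction of the three server runs above (it is not code from the thread or from the OpenSSL project). It builds a throwaway CA, server certificate and client certificate, then drives `openssl s_server` in the `-www` mode the original poster was using and reads the result off the page the server returns: "no client certificate available" versus "Client certificate", or no page at all when the handshake is refused. A fourth run with no verify flag at all shows that without -verify/-Verify the server never sends the "certificate request" message, even though the client has a certificate ready. Assumptions: an `openssl` binary on PATH, a free local TCP port (PORT, default 14433), and a scratch directory (WORK, default from `mktemp -d`); every certificate is constructed on the spot and the server's `-state` trace for each run is left in WORK for inspection.

```shell
#!/bin/sh
# Added example (not from the thread): -verify vs -Verify vs no flag, end to end.
# Assumes: openssl on PATH, free port $PORT, scratch dir $WORK. All certs are throwaway.
set -e
WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-14433}"

# Constructed PKI: one CA, a server cert and a client cert, both issued by the CA.
gen_pki() {
  [ -f "$WORK/client-cert.pem" ] && return 0          # idempotent: reuse if present
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
      -keyout "$WORK/ca-key.pem" -out "$WORK/cacert.pem" 2>/dev/null
  for name in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
        -keyout "$WORK/$name-key.pem" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$name.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/$name-cert.pem" 2>/dev/null
  done
}

# One handshake. $1 = none | verify | Verify ; $2 = yes | no (offer a client cert).
# Echoes page-nocert, page+cert or failed; the server's -state trace goes to $WORK.
try_handshake() {
  mode=$1; with_cert=$2
  log="$WORK/server-$mode-$with_cert.log"
  vopt=""; [ "$mode" != none ] && vopt="-$mode 10"
  # -naccept 1: serve exactly one connection, then exit. -www: no stdin handling.
  # shellcheck disable=SC2086
  openssl s_server -www -accept "$PORT" -naccept 1 -state $vopt \
      -key "$WORK/server-key.pem" -cert "$WORK/server-cert.pem" \
      -CAfile "$WORK/cacert.pem" >"$log" 2>&1 </dev/null &
  srv=$!
  copt=""; [ "$with_cert" = yes ] && copt="-cert $WORK/client-cert.pem -key $WORK/client-key.pem"
  out=""
  for i in 1 2 3 4 5 6 7 8 9 10; do                     # retry until the listener is up
    # -ign_eof keeps s_client alive after stdin closes, so the response is read.
    # shellcheck disable=SC2086
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "localhost:$PORT" \
        -CAfile "$WORK/cacert.pem" -ign_eof $copt 2>&1) || true
    case $out in *CONNECTED*) break ;; esac           # TCP connect succeeded
    sleep 1
  done
  kill "$srv" 2>/dev/null || true; wait "$srv" 2>/dev/null || true
  # The two markers below come from the -www page s_server sends after a
  # successful handshake (s_client's own "Client Certificate Types" line differs in case).
  case $out in
    *"no client certificate available"*) echo page-nocert ;;
    *"Client certificate"*)              echo page+cert ;;
    *)                                   echo failed ;;   # server refused the handshake
  esac
}

# Did the server's -state trace contain the "certificate request" message?
server_sent_cert_request() { grep -q "certificate request" "$WORK/server-$1-$2.log"; }

run_all() {
  gen_pki
  R_NONE_CERT=$(try_handshake none yes)              # no flag: cert never requested
  R_VERIFY_NOCERT=$(try_handshake verify no)         # -verify: requested, optional
  R_VERIFY_CERT=$(try_handshake verify yes)
  R_STRICT_NOCERT=$(try_handshake Verify no)         # -Verify: requested, mandatory
  R_STRICT_CERT=$(try_handshake Verify yes)
  printf '%-8s %-5s %-12s %s\n' flag cert result cert-request-sent
  for c in "none yes $R_NONE_CERT" "verify no $R_VERIFY_NOCERT" "verify yes $R_VERIFY_CERT" \
           "Verify no $R_STRICT_NOCERT" "Verify yes $R_STRICT_CERT"; do
    set -- $c
    if server_sent_cert_request "$1" "$2"; then sent=yes; else sent=no; fi
    printf '%-8s %-5s %-12s %s\n' "$1" "$2" "$3" "$sent"
  done
}

run_all
```

With the default `-www` page this is also the answer to the "GET /" question in the original post: after a successful client-authenticated handshake the page carries a "Client certificate" section with the peer's certificate, and otherwise says "no client certificate available". The script takes several seconds because it generates three RSA keys and waits for each listener to come up.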

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
