> Hello, > > In the application I'm currently working on which uses OpenSSL via > > Ruby, I seem to be having a problem with the handshake when a client > > connects to my server, though my client to their server works fine. > > From an ssldump, it appears that my server's certificate request does > > not include any certificate_authority entries. Because of this, the > > client does not send its certificate and the handshake fails. > > > > ssldump examples: > > > > Their server sends a certificate request like this: > > > > 1 4 0.2734 (0.0064) S>C Handshake > > CertificateRequest > > certificate_types rsa_sign > > certificate_types dss_sign > > certificate_authority > > C=US > > O=Equifax > > OU=Equifax Secure Certificate Authority > > certificate_authority > > C=US > > O=Equifax Secure Inc. > > CN=Equifax Secure eBusiness CA-1 > > certificate_authority > > C=US > > O=RSA Data Security, Inc. > > OU=Secure Server Certification Authority > > > > > > My server only sends this: > > > > 2 4 0.1097 (0.0000) S>C Handshake > > CertificateRequest > > certificate_types rsa_sign > > certificate_types dss_sign > > ServerHelloDone > > > > The client requires the certificate_authority information as seen in > > the first example, but I'm not sure what needs to be set to make that > > happen and a list archive search hasn't helped. In the SSL context for > > the connection I set the certificate, key, verify_mode, and ca_path. > > Am I missing something? Where does this certificate_authority > > information come from? > This is optional info and if it is not provided then client may sent > any certificate of specified type (here: RSA or DSS). > Maybe your client does not have key/cert loaded ? > Have you any errors on client or server ? > Try: > $ openssl s_client -connect ip:port -state -msg -debug > $ openssl s_client -connect ip:port -state -msg -debug -cert \ > client_crt.pem -key client_key.pem > Full SSL session ssldump will be helpful too. > > Best regards, > -- > Marek Marcola <[EMAIL PROTECTED]> > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED]
Marek, Regarding the CA information being optional in a certificate request message, RFC 2246 seems to be vague in this regard. I've been diagnosing a similar issue with a client running on IBM z/OS, and the IBM engineers are telling this client that RFC 2246 _requires_ the CA information to be present. Apparently IBM's client code considers the lack of CA information to be a fatal error. Is it the position of the OpenSSL project that the CA information is indeed "optional", and if so is it taking the "optional" stance just from the vagueness of the RFC, or am I missing something that clearly states the optionality? Is there a general consensus that this is optional, or is there disagreement on this point? Cheers, Doug ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
