I am trying to debug a problem with the browser prompting for a client certificate, and I used the following to see the details of the SSL negotiation:
# openssl s_client -connect *hostname:port* -msg

I am testing 2 different scenarios and get basically the same output for both, except that the first line of the output is "CONNECTED(00000003)" for one scenario and "CONNECTED(00000004)" for the other scenario. What do the codes 00000003 and 00000004 mean? This is basically the only difference I can see in the output, so I believe this is the key to my problem.

To give more background, I have a server where I have configured SSL client certs to be "optional". The behavior I want is that when a user makes an SSL connection via their browser, the browser should NOT prompt for a certificate unless the browser has a certificate that is in the list of "Acceptable client certificate CA names" that is sent by the server. This is working as expected when I go to my server's hostname directly in the browser, e.g. https://myserver.com. However, there is also a switch and a load balancer in front of the server, and when I go through those components to get to the server, e.g. https://myswitch.com, then the browser prompts for a certificate, which I do not want it to do.

When I do:

# openssl s_client -connect myserver.com:443 -msg

the output shows "CONNECTED(00000004)".

When I do:

# openssl s_client -connect myswitch.com:443 -msg

the output shows "CONNECTED(00000003)".

Other than that, the output seems to be the same. Any help would be greatly appreciated. Thanks.
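One check that fits the setup described in the post, as an added example that is not part of the original post: extract the "Acceptable client certificate CA names" list from the saved `s_client` output of each path and compare the two. The function names and the sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example. Capture each path first (hostnames are the ones in the post):
#   openssl s_client -connect myserver.com:443 </dev/null >direct.txt 2>&1
#   openssl s_client -connect myswitch.com:443 </dev/null >switch.txt 2>&1

# Print, sorted, the names under "Acceptable client certificate CA names" in
# s_client output on stdin. Prints nothing if the endpoint sent no CA names.
ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^---/ || /^[A-Za-z ]+:/)      { in_list = 0 }
        in_list && NF                              { print }
    ' | LC_ALL=C sort
}

# Compare two saved outputs. Returns 0 if both endpoints request the same CA
# names, 1 if they differ (and prints the names unique to each side).
compare_ca_lists() {
    tmp=$(mktemp -d) || return 2
    ca_names <"$1" >"$tmp/a"
    ca_names <"$2" >"$tmp/b"
    only_a=$(LC_ALL=C comm -23 "$tmp/a" "$tmp/b")
    only_b=$(LC_ALL=C comm -13 "$tmp/a" "$tmp/b")
    rm -rf "$tmp"
    [ -z "$only_a$only_b" ] && { echo "CA name lists match"; return 0; }
    [ -n "$only_a" ] && printf 'only requested by %s:\n%s\n' "$1" "$only_a"
    [ -n "$only_b" ] && printf 'only requested by %s:\n%s\n' "$2" "$only_b"
    return 1
}

# Constructed sample excerpts (not captured from the poster's systems).
sample_direct() {
    printf '%s\n' 'CONNECTED(00000004)' '---' \
        'Acceptable client certificate CA names' \
        '/C=US/O=Example Corp/CN=Example Client CA' \
        'Client Certificate Types: RSA sign, DSA sign' '---'
}
sample_via_switch() {
    printf '%s\n' 'CONNECTED(00000003)' '---' \
        'No client certificate CA names sent' '---'
}

# Demo on the constructed samples.
d=$(mktemp -d); sample_direct >"$d/direct.txt"; sample_via_switch >"$d/switch.txt"
compare_ca_lists "$d/direct.txt" "$d/switch.txt" || echo "=> the two paths differ"
rm -rf "$d"
```

The number in `CONNECTED(...)` is the socket file descriptor `s_client` opened, printed in hex, so it is not part of the handshake and is ignored here.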