The switch and load balancer do not have their own SSL server certificate. In the browser, when I view the certificate, I can see that I am getting the SSL certificate from the back-end server "myserver".
The switch and load balancer SHOULD be configured such that the SSL session terminates at the backend server, rather than at the switch or LB. However, I am definitely suspicious of the switch/LB configuration. I am hoping that finding out the difference between the 00000003 and 00000004 codes will give me a clue as to what is wrong with the configuration.

On 10/3/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> Amy,
>
> Does your switch / load balancer have its own SSL certificate? Otherwise,
> the load balancer would be presenting the myserver.com certificate, which
> would not match myswitch.com. Also, if the switch / load balancer is
> protocol based, you might be doing something like: client connects via
> SSL to switch/balancer which decrypts the packets to examine them,
> re-encrypts the packets and connects via SSL to myserver.com, so the
> client SSL connection is really to the switch/balancer, not your true back
> end.
>
> Dan
>
>
> Please respond to openssl-users@openssl.org
> Sent by: [EMAIL PROTECTED]
> To: openssl-users@openssl.org
> cc: (bcc: Dan Mitton/YD/RWDOE)
> Subject: CONNECTED(00000003) vs CONNECTED(00000004)
> LSN: Not Relevant
> User Filed as: Not a Record
>
> I am trying to debug a problem with the browser prompting for a client
> certificate, and I used the following to see the details of the SSL
> negotiation:
>
> # openssl s_client -connect hostname:port -msg
>
> I am testing 2 different scenarios and get basically the same output for
> both except that the first line of the output is "CONNECTED(00000003)" for
> one scenario and "CONNECTED(00000004)" for the other scenario. What do the
> codes 00000003 and 00000004 mean? This is basically the only difference I
> can see in the output, so I believe this is the key to my problem.
>
> To give more background, I have a server where I have configured SSL
> client certs to be "optional". The behavior I want is that when a user
> makes an SSL connection via their browser, the browser should NOT prompt
> for a certificate unless the browser has a certificate that is in the list
> of "Acceptable client certificate CA names" that is sent by the server.
>
> This is working as expected when I go to my server's hostname directly in
> the browser e.g. https://myserver.com.
>
> However, there is also a switch and a load balancer in front of the
> server, and when I go through those components to get to the server, e.g.
> https://myswitch.com, then the browser prompts for a certificate, which I
> do not want it to do.
>
> When I do:
> # openssl s_client -connect myserver.com:443 -msg
> the output shows "CONNECTED(00000004)"
>
> When I do
> # openssl s_client -connect myswitch.com:443 -msg
> the output shows "CONNECTED(00000003)"
>
> Other than that, the output seems to be the same.
>
> Any help would be greatly appreciated. Thanks.
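Added here as a diagnostic example, not code from anyone in the thread: the number inside CONNECTED(...) is only the socket descriptor s_client printed, so the fields worth comparing between the two captures are the server certificate subject, whether a CertificateRequest was sent, and the CA names that came with it. The two captures below are constructed and abbreviated; the host names follow the thread, the CA names and the difference between them are assumed.

```python
import re

# Constructed, abbreviated s_client -msg captures (not real output from the
# thread's hosts): one direct to the backend, one through the switch/LB.
DIRECT = """CONNECTED(00000004)
<<< TLS 1.0 Handshake [length 0028], CertificateRequest
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
---
Server certificate
subject=/C=US/O=Example/CN=myserver.com
---
Acceptable client certificate CA names
/C=US/O=Example/CN=Example Client CA
---
"""
VIA_LB = """CONNECTED(00000003)
<<< TLS 1.0 Handshake [length 0006], CertificateRequest
<<< TLS 1.0 Handshake [length 0004], ServerHelloDone
---
Server certificate
subject=/C=US/O=Example/CN=myserver.com
---
No client certificate CA names sent
---
"""

def parse_s_client(output):
    """Pull the handshake facts that matter out of one s_client capture."""
    # CONNECTED(%08X) is the socket descriptor s_client opened, not a TLS code.
    fd = re.search(r"^CONNECTED\(([0-9A-Fa-f]+)\)", output, re.M)
    msgs = re.findall(r"^<<< .*Handshake \[length [0-9a-f]+\], (\w+)$", output, re.M)
    subj = re.search(r"^subject=(.*)$", output, re.M)
    cas = re.search(r"^Acceptable client certificate CA names\n(.*?)^---$",
                    output, re.M | re.S)
    names = [l for l in cas.group(1).splitlines() if l.strip()] if cas else []
    return {
        "fd": int(fd.group(1), 16) if fd else None,
        "server_subject": subj.group(1).strip() if subj else None,
        "cert_request": "CertificateRequest" in msgs,
        "client_ca_names": names,
    }

def diff_captures(a, b):
    """Fields that differ between two captures, ignoring the descriptor."""
    return {k: (a[k], b[k]) for k in a if k != "fd" and a[k] != b[k]}

if __name__ == "__main__":
    for k, (x, y) in diff_captures(parse_s_client(DIRECT), parse_s_client(VIA_LB)).items():
        print(f"{k}: direct={x!r} via_lb={y!r}")
```

Run it against real captures by reading each `openssl s_client -connect host:443 -msg </dev/null` output from a file in place of the constructed strings.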