Hello,

> I am trying to debug a problem with the browser prompting for a client
> certificate, and I used the following to see the details of the SSL
> negotiation:
>
> # openssl s_client -connect hostname:port -msg
>
> I am testing 2 different scenarios and get basically the same output
> for both except that the first line of the output is
> "CONNECTED(00000003)" for one scenario and "CONNECTED(00000004)" for
> the other scenario. What do the codes 00000003 and 00000004 mean? This
> is basically the only difference I can see in the output, so I believe
> this is the key to my problem.
>
> To give more background, I have a server where I have configured SSL
> client certs to be "optional". The behavior I want is that when a user
> makes an SSL connection via their browser, the browser should
> NOT prompt for a certificate unless the browser has a certificate that
> is in the list of "Acceptable client certificate CA names" that is
> sent by the server.
>
> This is working as expected when I go to my server's hostname directly
> in the browser, e.g. https://myserver.com.
>
> However, there is also a switch and a load balancer in front of the
> server, and when I go through those components to get to the server,
> e.g. https://myswitch.com, then the browser prompts for a certificate,
> which I do not want it to do.

Probably this is not a request for a certificate but a DN host name conflict.
If your server has CN=myserver.com and your load balancer switches TCP
connections, then the browser connects to myswitch.com, but in the certificate
you have myserver.com, and the browser is asking you whether it is acceptable.
My guess.

> When I do:
> # openssl s_client -connect myserver.com:443 -msg
> the output shows "CONNECTED(00000004)"
>
> When I do
> # openssl s_client -connect myswitch.com:443 -msg
> the output shows "CONNECTED(00000003)"

This is the TCP socket number/file descriptor. In the first case, fd 3 is used
for some reason and the next fd, 4, is allocated. You may look at lsof output
for fd 3 usage.
Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
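The reply's explanation can be reproduced without openssl at all. The following is an added example, not code from this thread or from the OpenSSL project: it connects a plain TCP socket to a throw-away listener on 127.0.0.1 and reports the descriptor number the kernel assigned, once with nothing else open and once with one or two extra descriptors deliberately held open first. It assumes a POSIX system (lowest free descriptor is always handed out next) and, for the `describe_fd` helper, a Linux `/proc` filesystem; the `CONNECTED(...)` formatting only mimics how the banner looks for single-digit descriptors.

```python
import os
import socket

# Added example (not from the mailing-list thread): show that the number in
# s_client's "CONNECTED(0000000N)" banner is simply the file descriptor of the
# TCP socket, and that it goes up when some other descriptor is open first.
# Everything runs locally and offline against a throw-away listener.


def connect_fd(extra_open: int = 0) -> int:
    """Connect a TCP socket to a local listener and return the descriptor
    number the kernel assigned to the client socket.

    Before the client socket is created, `extra_open` throw-away descriptors
    (opened on os.devnull) are held open.  Because POSIX always hands out the
    lowest free descriptor, each extra one pushes the socket to a higher
    number, exactly like an fd 3 held by something else pushes s_client's
    socket to fd 4.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    extras = []
    client = None
    try:
        listener.bind(("127.0.0.1", 0))      # port 0: kernel picks a free port
        listener.listen(1)
        # Occupy the lowest free descriptors before the client socket exists.
        extras = [open(os.devnull, "rb") for _ in range(extra_open)]
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        fd = client.fileno()                 # assigned by socket(), not connect()
        # The handshake completes against the listen backlog; no accept() needed.
        client.connect(listener.getsockname())
        return fd
    finally:
        if client is not None:
            client.close()
        for f in extras:
            f.close()
        listener.close()


def connected_banner(fd: int) -> str:
    """Format fd to look like the banner in the thread, e.g. CONNECTED(00000003).
    Assumption: zero-padded to eight characters; for single-digit descriptors
    decimal and hex rendering coincide, so no claim is made about s_client's
    exact format specifier."""
    return f"CONNECTED({fd:08d})"


def describe_fd(fd: int):
    """Linux-only stand-in for `lsof` on one descriptor of this process:
    returns what /proc/self/fd/<fd> points at, or None if it is not open."""
    try:
        return os.readlink(f"/proc/self/fd/{fd}")
    except OSError:
        return None


if __name__ == "__main__":
    for n in range(3):
        fd = connect_fd(extra_open=n)
        print(f"{n} extra descriptor(s) held open -> {connected_banner(fd)}")
    # Hold one descriptor open and show what occupies it, lsof-style.
    keep = open(os.devnull, "rb")
    print(f"fd {keep.fileno()} is: {describe_fd(keep.fileno())}")
    keep.close()
```

With only stdin, stdout and stderr open (descriptors 0 to 2), the first socket a process creates lands on 3; a banner showing 4 therefore means something else already held 3 at the moment s_client created its socket, which is exactly what the suggested lsof check would reveal. The number says nothing about the TLS handshake itself, so the client-certificate prompt has to be explained by what the server sends (its certificate name and CA list), not by this banner.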