Figured out the problem: Internet Explorer. I should have guessed.

In IE's security settings, the default for the Internet zone has the setting
"Don't prompt for client certificate when no certificates or only one
certificate exists" set to "Disabled". However, the default for the Local
intranet zone has that set to "Enabled".

From the browser I was testing with, https://myserver.com was part of the
Local intranet zone, so IE didn't prompt for a client certificate.
https://myswitch.com was part of the Internet zone, so IE did prompt for a
client certificate.

So it looks like the CONNECTED(...) had nothing to do with it. Thanks all
for your help!


On 10/3/07, Amy McIntyre <[EMAIL PROTECTED]> wrote:
>
> Thanks for your comments.
>
> I do not think it has anything to do with a DN hostname mismatch. It is
> true that your browser will give you a warning if the CN in the SSL server
> certificate does not match the hostname you are requesting, but this doesn't
> affect whether you are prompted for a client certificate.
>
> To be sure, I can go to https://<ip_address_of_myserver.com> and it
> behaves the same as if I go to https://myserver.com (that is, the browser
> does not prompt for a client cert). It is only when I go through the switch
> and load balancer, that it prompts for the client cert.
>
> Thanks for the info on the file descriptor. I'll have to look more into
> this.
>
>
>  On 10/3/07, Marek Marcola <[EMAIL PROTECTED]> wrote:
> >
> > Hello,
> > > I am trying to debug a problem with the browser prompting for a client
> > > certificate, and I used the following to see the details of the SSL
> > > negotiation:
> > >
> > > # openssl s_client -connect hostname:port -msg
> > >
> > > I am testing 2 different scenarios and get basically the same output
> > > for both except that the first line of the output is
> > > "CONNECTED(00000003)" for one scenario and "CONNECTED(00000004)" for
> > > the other scenario. What do the codes 00000003 and 00000004 mean? This
> > > is basically the only difference I can see in the output, so I believe
> > > this is the key to my problem.
> > >
> > > To give more background, I have a server where I have configured SSL
> > > client certs to be "optional". The behavior I want is that when a user
> > > makes an SSL connection via their browser, the browser should
> > > NOT prompt for a certificate unless the browser has a certificate that
> > > is in the list of "Acceptable client certificate CA names" that is
> > > sent by the server.
> > >
> > > This is working as expected when I go to my server's hostname directly
> > > in the browser e.g. https://myserver.com.
> > >
> > > However, there is also a switch and a load balancer in front of the
> > > server, and when I go through those components to get to the server,
> > > e.g. https://myswitch.com, then the browser prompts for a certificate,
> > > which I do not want it to do.
> > Probably this is not a request for a certificate but a DN host name conflict.
> > If your server has CN=myserver.com and your load balancer switches TCP
> > connections, then the browser connects to myswitch.com but in the certificate
> > you have myserver.com, and the browser is asking you whether it is
> > acceptable. My guess.
> >
> > > When I do:
> > > # openssl s_client -connect myserver.com:443 -msg
> > > the output shows "CONNECTED(00000004)"
> > >
> > > When I do
> > > # openssl s_client -connect myswitch.com:443 -msg
> > > the output shows "CONNECTED(00000003)"
> > This is the TCP socket number/file descriptor.
> > In the first case, fd 3 is used for some reason and the next fd, 4, is allocated.
> > You may look at lsof output for fd 3 usage.
> >
> > Best regards,
> > --
> > Marek Marcola < [EMAIL PROTECTED]>
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]
> >
>
>

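As an added example (not from the thread, and not OpenSSL code), the Python below decodes a TLS 1.0/1.1 CertificateRequest handshake message (type 13) and lists the "Acceptable client certificate CA names" it carries, so the message captured with `openssl s_client -msg` directly against the server can be diffed against the one seen through the switch and load balancer. The `Example Corp` DNs and both sample messages are constructed here, not captured from any real server, and the `-msg` hex dump is assumed to be pasted as space-separated hex pairs with the header line removed; `tls12=True` is an assumed option for the TLS 1.2 layout, which inserts a signature_algorithms list the example skips over.

```python
"""Decode a TLS CertificateRequest and list its acceptable CA names, so the
message seen on the direct path can be diffed against the load-balancer path.
Added example; all sample data below is constructed."""

# --- minimal DER helpers ----------------------------------------------------

def der_encode(tag, content):
    """DER TLV with short- or long-form length (used only to build sample data)."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def der_read(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + ln > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + ln], pos + ln

def der_iter(content):
    """Yield (tag, content) for each TLV packed back-to-back in content."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        yield tag, inner

def decode_oid(raw):
    """OID content bytes -> dotted string (first byte packs the first two arcs)."""
    arcs, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU"}

def parse_name(der_name):
    """X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) -> 'C=US, O=..., CN=...'."""
    tag, seq, _ = der_read(der_name, 0)
    if tag != 0x30:
        raise ValueError("Name is not a SEQUENCE")
    parts = []
    for set_tag, rdn in der_iter(seq):
        if set_tag != 0x31:
            raise ValueError("RDN is not a SET")
        for _, atv in der_iter(rdn):
            (_, oid), (_, value) = list(der_iter(atv))[:2]
            oid = decode_oid(oid)
            parts.append(f"{ATTR_NAMES.get(oid, oid)}={value.decode('utf-8', 'replace')}")
    return ", ".join(parts)

# --- CertificateRequest (RFC 2246 7.4.4) -----------------------------------

CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}

def parse_certificate_request(msg, tls12=False):
    """msg = handshake message incl. 4-byte header (type 13 + 24-bit length).
    TLS 1.0/1.1 layout; tls12=True additionally skips signature_algorithms."""
    if msg[0] != 13:
        raise ValueError(f"not a CertificateRequest (handshake type {msg[0]})")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake message")
    n, pos = body[0], 1
    types = [CERT_TYPES.get(t, str(t)) for t in body[pos:pos + n]]
    pos += n
    if tls12:
        n, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
        pos += n                        # skip SignatureAndHashAlgorithm list
    n, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
    end, names = pos + n, []
    if end != len(body):                # certificate_authorities is the last field
        raise ValueError("certificate_authorities length mismatch")
    while pos < end:
        ln, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 2
        names.append(parse_name(body[pos:pos + ln]))
        pos += ln
    return {"certificate_types": types, "ca_names": names}

def hexdump_to_bytes(text):
    """Join space-separated hex pairs pasted from an `s_client -msg` dump (assumed layout)."""
    return bytes.fromhex("".join(text.split()))

def ca_name_diff(direct, via_lb):
    """(names only the direct path advertises, names only the LB path advertises)."""
    a, b = set(direct["ca_names"]), set(via_lb["ca_names"])
    return sorted(a - b), sorted(b - a)

# --- constructed sample data --------------------------------------------------

OID_CN, OID_O, OID_C = b"\x55\x04\x03", b"\x55\x04\x0a", b"\x55\x04\x06"

def build_name(*rdns):
    """Encode ((oid_bytes, value), ...) as a DER Name with PrintableString values."""
    atvs = [der_encode(0x30, der_encode(0x06, o) + der_encode(0x13, v.encode())) for o, v in rdns]
    return der_encode(0x30, b"".join(der_encode(0x31, a) for a in atvs))

def build_certificate_request(cert_types, names):
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in names)
    body = bytes([len(cert_types)]) + bytes(cert_types) + len(cas).to_bytes(2, "big") + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body

SAMPLE_DIRECT = build_certificate_request(
    [1], [build_name((OID_C, "US"), (OID_O, "Example Corp"), (OID_CN, "Example Client CA"))])
SAMPLE_VIA_LB = build_certificate_request(
    [1, 2], [build_name((OID_C, "US"), (OID_O, "Example Corp"), (OID_CN, "Example Client CA")),
             build_name((OID_C, "US"), (OID_O, "Example Corp"), (OID_CN, "Load Balancer Test CA"))])

if __name__ == "__main__":
    direct = parse_certificate_request(SAMPLE_DIRECT)
    via_lb = parse_certificate_request(hexdump_to_bytes(" ".join(f"{b:02x}" for b in SAMPLE_VIA_LB)))
    print("direct :", direct)
    print("via LB :", via_lb)
    print("only direct / only via LB:", ca_name_diff(direct, via_lb))
```

If the two decoded messages carry the same certificate types and CA names, the server side is not what differs between the paths and the cause is on the client, as the IE zone setting turned out to be here; if the list differs or is empty on one path, the device in front is terminating TLS with its own configuration. The CONNECTED(n) value never enters into this comparison, since it is only the descriptor number s_client got from the OS.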