Thank you Marek, I tried with the -verify option:

openssl s_client -connect localhost:8890 -CAfile trustees.pem -showcerts -state -ssl3 -msg -verify 10

But still no SSL alert is sent even if it detects an error ... can you give me the reason? See the traces below:

verify depth is 10
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> SSL 3.0 Handshake [length 0053], ClientHello
    01 00 00 4f 03 00 47 45 57 64 f2 82 ad 09 08 64 63 e7 96 53 c1 7c ce 32 6a 00 7f 9d bd ba bf 94 7d d7 4b 7c 16 2a 00 00 28 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 07 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 01 00
SSL_connect:SSLv3 write client hello A
<<< SSL 3.0 Handshake [length 004a], ServerHello
    02 00 00 46 03 00 47 45 57 64 7a 70 90 09 b7 62 a1 1c 53 35 d3 50 bc 8a dc 20 a5 1d ad d4 26 49 6a 10 27 e7 fa 14 20 eb 12 a5 83 1f d2 59 ac dd 69 d2 79 e1 58 80 68 ee 4b be ae a5 6b ee d2 15 80 1b ab 43 7a df 03 00 35 00
SSL_connect:SSLv3 read server hello A
<<< SSL 3.0 Handshake [length 056c], Certificate
    0b 00 05 68 00 05 65 00 05 62 30 82 05 5e 30 82 ... a7 f9 fd 8a 89 20 c3 2a 82 4b 6a db 02 9d d6 7a 1f 48 d5 d8 3f f9 2b ba 3d 5b 1a 78
depth=0 /C=FR/ST=IDF/L=Paris/O=AWL/OU=PSI/CN=DEN/[EMAIL PROTECTED]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=IDF/L=Paris/O=AWL/OU=PSI/CN=DEN/[EMAIL PROTECTED]
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=IDF/L=Paris/O=AWL/OU=PSI/CN=DEN/[EMAIL PROTECTED]
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< SSL 3.0 Handshake [length 0004], ServerHelloDone
    0e 00 00 00
SSL_connect:SSLv3 read server done A
>>> SSL 3.0 Handshake [length 0204], ClientKeyExchange
    10 00 02 00 c6 4a f3 64 e2 cd b5 30 86 4d 77 01 1b 06 03 8e 0f 53 fe 37 49 db f4 be 53 5d e5 4f ...
    27 f3 99 ee ab 31 cf 4f 3c c2 23 53 46 ad 26 17 9b 02 2f 73 0f bf 17 06 9c 68 aa f1 1d 48 71 78 2c d1 7d ac
SSL_connect:SSLv3 write client key exchange A
>>> SSL 3.0 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> SSL 3.0 Handshake [length 0028], Finished
    14 00 00 24 e1 ca 6b 19 76 15 a5 59 b2 2a cc 62 26 70 8a 6d cf 27 aa 25 7f ca 84 28 f7 98 a9 ca 34 32 30 74 a5 e7 a7 e0
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< SSL 3.0 ChangeCipherSpec [length 0001]
    01
<<< SSL 3.0 Handshake [length 0028], Finished
    14 00 00 24 7e 88 17 5a 04 23 79 54 e4 65 d4 f3 41 82 49 d0 10 f7 6e 6e 86 f4 87 fd fd 9b c3 22 f7 48 c6 67 6b 34 56 02
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=FR/ST=IDF/L=Paris/O=AWL/OU=PSI/CN=DEN/[EMAIL PROTECTED]
   i:/C=FR/ST=IdF/L=Paris/O=AWL/OU=PSI/CN=DEN/[EMAIL PROTECTED]
-----BEGIN CERTIFICATE-----
MIIFXjCCA0YCATIwDQYJKoZIhvcNAQEFBQAwgYAxCzAJBgNVBAYTAkZSMQwwCgYD
.....
JurT5eyguwsbwmAqk4NEHrZHNm8Dlt5Mafc3vs4gsYGcSH8xGvyh4yNmTqoQMcKx
ZXC+zACsIq1PcoTpXcDsDBWrKHA9E53S8bLH329NXHJJfQsClrDp5wU58Ljk5yVJ
DG838aQvvKPyDQXaKuspK0E6mIx7mnB9/UBic8aLMgiPX1/yEHq1up0GJAHQQTsF
BZA70SbEp/n9iokgwyqCS2rbAp3Weh9I1dg/+Su6PVsaeA==
-----END CERTIFICATE-----
---
Server certificate
subject=/C=FR/ST=IDF/L=Paris/O=AWL/OU=PSI/CN=DEN/[EMAIL PROTECTED]
issuer=/C=FR/ST=IdF/L=Paris/O=AWL/OU=PSI/CN=DEN/[EMAIL PROTECTED]
---
No client certificate CA names sent
---
SSL handshake has read 1556 bytes and written 684 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA
    Session-ID: EB12A5831FD259ACDD69D279E1588068EE4BBEAEA56BEED215801BAB437ADF03
    Session-ID-ctx:
    Master-Key: 69D8AA3A0C5B37119421ACF868B226CA1B47C50BEB1C58A14BD1F3BDBCC164986ABE24CF05466E83D3ADFAEE2CE98100
    Key-Arg   : None
    Start Time: 1195726692
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)

Regards,

According to Marek Marcola <[EMAIL PROTECTED]>:

> > Hello,
> >
> > I am trying to connect an openssl client to an SSL server.
> > I use the tool openssl s_client.
> >
> > I use the -msg option in order to see the different messages exchanged during
> > the SSL connection.
> >
> > My purpose is to generate an SSL alert message by the client.
> > Hence I use a trustees file on the client side so that the signature verification is
> > performed with a wrong result, which is the case (see the stream below):
> > SSL-Session:
> >     Protocol  : SSLv3
> >     Cipher    : AES256-SHA
> >     Session-ID: 2DC601DF4A25DA207C2193AF896846BD1B0FD16B63255BD724E0E07759E66DD6
> >     Session-ID-ctx:
> >     Master-Key: AD37549969C6E77AD69954D614F452DFC2EE5670610190AAA8C2E2F08FDCEB84DCC12AF6ADF83C9040C165CBC6121E57
> >     Key-Arg   : None
> >     Start Time: 1195662480
> >     Timeout   : 7200 (sec)
> >     Verify return code: 7 (certificate signature failure)
> >
> > Nevertheless, I do not see any SSL alert sent by the client to the server in the
> > traces ...
> >
> > My question is: why don't we have an SSL alert message sent by the client to
> > the server? Is there an option in openssl s_client I should use?
> >
> > Here is the command line I have used for my test:
> > openssl s_client -connect localhost:8890 -CAfile trustees.pem -showcerts -state
> > -ssl3 -bugs -msg
> You should add -verify flag.
>
> Best regards,
> --
> Marek Marcola <[EMAIL PROTECTED]>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
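As an added example (not from this thread and not OpenSSL's own code): the "verify return:1" lines in the trace above show s_client's verify callback telling the library to continue after each error, which is why the handshake reaches Finished and no Alert record ever appears, so a script wrapping s_client must read the verify lines instead of treating a completed handshake as proof of trust. The parser below does that over a constructed sample built from the trace; the regex for an Alert record is an assumption about the shape of -msg output, since the page shows no such line.

```python
import re

# Constructed sample modelled on the verify lines of the s_client trace above
# (handshake hex dumps omitted); it is not a real capture.
SAMPLE_OUTPUT = """\
verify depth is 10
depth=0 /C=FR/ST=IDF/L=Paris/O=AWL/OU=PSI/CN=DEN
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=FR/ST=IDF/L=Paris/O=AWL/OU=PSI/CN=DEN
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=FR/ST=IDF/L=Paris/O=AWL/OU=PSI/CN=DEN
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read finished A
    Verify return code: 21 (unable to verify the first certificate)
"""

DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
RETURN_RE = re.compile(r"^verify return:(\d+)$")
FINAL_RE = re.compile(r"^\s*Verify return code: (\d+) \((.+)\)$")
# Assumed shape of an alert record in -msg output, e.g. ">>> SSL 3.0 Alert [length 0002], ...".
ALERT_RE = re.compile(r"^(?:>>>|<<<) (?:SSL|TLS) [\d.]+ Alert\b")

def parse_verify(output):
    """Collect each verify error with its depth and subject, whether the callback
    ever returned 0 (what makes the client abort and send an alert), whether an
    alert record was logged, and the final 'Verify return code'."""
    r = {"errors": [], "callback_aborted": False, "alert_seen": False,
         "final_code": None, "final_reason": None}
    depth = subject = None
    for line in output.splitlines():
        if m := DEPTH_RE.match(line):
            depth, subject = int(m.group(1)), m.group(2)
        elif m := ERROR_RE.match(line):
            r["errors"].append((depth, subject, int(m.group(1)), m.group(2)))
        elif (m := RETURN_RE.match(line)) and m.group(1) == "0":
            r["callback_aborted"] = True  # 'verify return:1' means "continue anyway"
        elif m := FINAL_RE.match(line):
            r["final_code"], r["final_reason"] = int(m.group(1)), m.group(2)
        elif ALERT_RE.match(line):
            r["alert_seen"] = True
    return r

def server_trusted(output):
    """A completed handshake is not proof of trust: accept only a clean chain."""
    r = parse_verify(output)
    return r["final_code"] == 0 and not r["errors"] and not r["callback_aborted"]
```

On the sample this reports three errors at depth 0 (20, 27, 21), no abort, no alert and final code 21, so server_trusted returns False. OpenSSL 1.0.0 and later, which postdate this thread, also give s_client a -verify_return_error option that makes the callback return 0 on a verification error so the handshake aborts.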