Hi all, I am still getting the same error: 7 (Certificate Signature Failure)

@Sandeep: I am using the following commands for server and client respectively:

openssl s_server -accept 9000 -cert ~/certs/server.pem
openssl s_client -connect localhost:9000

@Goetz: Well, I hope I am doing it. But maybe I don't get your point quite clearly. This is what I do (names changed):

$> openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

I hope this is enough. But I don't provide any such argument of certificates at the client end. Do I need to? However, initially when I encountered this error I created several certificates for the client, using the same procedure I used to create the server certificate.

@Dave: I think you have the same point as Goetz. I think we all are on the same pitch, but something somewhere is definitely wrong.

I am sorry that I took so much time to reply. I was writing a small piece of code to test the same client/server communication. But no good.

Thank you everyone,
-Vishal

On Thu, Aug 20, 2009 at 7:56 PM, Dave Thompson <dave.thomp...@princetonpayments.com> wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of vishal saraswat
> > Sent: Tuesday, 18 August, 2009 07:44
>
> > I am sorry, I forgot to tell you that the final PEM I create
> > is composed of key and certificate both.
> > cat server_key.pem server server_cert.pem > server.pem
> > I read on some blogs that some servers require both to be in one file;
> > that's why, to be on the safer side, I started following this practice. I hope it's fine.
>
> It's OK. OpenSSL commandline does not require this, but does allow it.
>
> > Now I suppose that once a client is successfully connected
> > it should return me code as 0 and an OK message. Right?
> > But I get return value as 7 (Certificate Signature Failure),
> > 21 (Unable to verify the first certificate.)
>
> Signature failure? Not just "unable to get issuer"?
>
> To verify, any client does need to have available the CA cert
> that signed the cert the server uses. In the general case with
> the client on a different machine than the server this must be
> a copy, and thus you need to make sure the right file (version)
> gets copied, but for loopback testing you can use the same file(s).
>
> s_client supports two ways: a single file containing either one CA cert
> or several concatenated, specified with -CAfile; or a directory specified
> by -CApath that contains a file for each CA cert with its filename or
> a symlink to it using the hash of the cert's name, allowing lookup.
>
> In your earlier email s_client specified neither of these and should
> have gotten 20 unable to get local issuer cert (and 21 unable to verify).
> I think the only way you should get signature failure is if
> you give s_client a CA cert which is for the correct CA name
> but has a different public key. Perhaps, if you've tried this
> (sort of) test several times, the file from an earlier iteration.
>
> > p.s. - Can I connect multiple s_client to a single s_server?
>
> In sequence, but not concurrently. For that you need a real server. <G>
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
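The verify-error mechanics Dave describes above (the client must be given the CA that signed the server cert, via -CAfile or a hashed -CApath directory; error 20 when no issuer is available versus error 7 when the issuer is found but the signature does not check out) as an added shell example that is not part of this thread and not OpenSSL's own code. It builds a throw-away CA with the openssl CLI and assumes openssl 1.1.1 or 3.x on PATH; it uses `openssl x509 -req` instead of the thread's `openssl ca` for brevity, and every file name, subject name and the `verify_code` / `make_test_pki` helpers are constructed for the example. It exercises `openssl verify` rather than an s_client/s_server pair so it runs offline, but the error numbers are the same ones s_client prints as "Verify return code".

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the X.509 verify error numbers
# discussed above with a throw-away CA. Assumes openssl 1.1.1 or 3.x on PATH.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH" >&2; exit 1; }

PKI=$(mktemp -d)   # scratch directory holding the constructed PKI

# verify_code ARGS...: run "openssl verify ARGS" and print the X.509 error
# number (0 when the chain verifies), parsed from "error N at D depth lookup: ..."
verify_code() {
    out=$(openssl verify "$@" 2>&1) && { echo 0; return 0; }
    printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' | head -n 1
}

# make_test_pki DIR: real CA, a server cert it signed, a tampered copy of that
# cert, an impostor CA with the same name but another key, and a -CApath dir.
make_test_pki() {
    dir=$1
    # Minimal req config so the script does not depend on the system openssl.cnf
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Real CA (self-signed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -config "$dir/req.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key + CSR, then sign the CSR with the real CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -config "$dir/req.cnf" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    # Impostor CA: identical subject name, freshly generated (different) key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -config "$dir/req.cnf" -keyout "$dir/wrong.key" -out "$dir/wrong_ca.crt" 2>/dev/null
    # Tampered server cert: flip one bit of the last byte of the DER encoding,
    # which belongs to the signature BIT STRING (the final element of the SEQUENCE)
    openssl x509 -in "$dir/server.crt" -outform DER -out "$dir/tampered.der"
    size=$(wc -c < "$dir/tampered.der")
    last=$(tail -c 1 "$dir/tampered.der" | od -An -tu1 | tr -d ' \n')
    printf "$(printf '\\%03o' $((last ^ 1)))" |
        dd of="$dir/tampered.der" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
    openssl x509 -inform DER -in "$dir/tampered.der" -out "$dir/tampered.crt"
    # -CApath layout: one file per CA cert, named <hash of subject name>.0
    mkdir "$dir/capath"
    cp "$dir/ca.crt" "$dir/capath/$(openssl x509 -noout -hash -in "$dir/ca.crt").0"
}

make_test_pki "$PKI"

echo "no CA given    -> $(verify_code "$PKI/server.crt")"                              # 20
echo "-CAfile ca.crt -> $(verify_code -CAfile "$PKI/ca.crt" "$PKI/server.crt")"        # 0
echo "-CApath capath -> $(verify_code -CApath "$PKI/capath" "$PKI/server.crt")"        # 0
echo "tampered cert  -> $(verify_code -CAfile "$PKI/ca.crt" "$PKI/tampered.crt")"      # 7
echo "same-name CA   -> $(verify_code -CAfile "$PKI/wrong_ca.crt" "$PKI/server.crt")"
```

The last line is Dave's scenario, and its number depends on the certificate's extensions: when the server cert carries no Authority Key Identifier, the impostor CA is accepted as issuer on its name alone and the signature check then fails with 7; when the cert does carry one (OpenSSL 3.x adds it by default when signing), the key-identifier mismatch rejects the impostor during issuer lookup and you get 20 instead, before any signature is checked. Either way a signature failure (7) means a candidate issuer was found and the cert's signature did not verify under its key, so a stale or mismatched CA file in -CAfile/-CApath is the first thing to check.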