To find problems in the trusted certificate chain, use 'openssl s_client -connect host:port -showcerts' and then verify each certificate. (Note: if your server certificate was issued from a sub-CA rather than directly from a root, you must also ensure that you call SSL_CTX_add_extra_chain_cert(3ssl), SSL_CTX_use_certificate(3ssl), or SSL_CTX_use_certificate_chain_file(3ssl).)
For algorithm mismatch, use s_client -connect host:port -debug (and I hope you're up to date on your algorithm identifier numbers).

For certificate imported in incorrect keystore... that's part of the 'trusted certificate chain' problem. OpenSSL doesn't really have a keystore unless you specify one -- its X509_STORE structure is populated primarily with SSL_CTX_load_verify_locations(3ssl). If you want to manipulate it beyond that, you're pretty much on your own -- no documentation for the X509_STORE structure exists afaik, though you can look at the manpage for SSL_CTX_get_cert_store(3ssl).

I hope this helps!

-Kyle H

On Fri, Dec 4, 2009 at 3:04 AM, Mohan Radhakrishnan <radhakrishnan.mo...@gmail.com> wrote:
> Possibly not. I meant that there could be 3 problems
> 1. Algorithm mismatch
> 2. Certificate imported in an incorrect keystore.
> 3. No trusted certificate chain.
>
> Trying to home in on one of the problems.
>
>
> Thanks,
> Mohan
>
> On Fri, Dec 4, 2009 at 4:24 PM, Mohan Radhakrishnan
> <radhakrishnan.mo...@gmail.com> wrote:
>> Hi,
>>
>> We see this message "no available certificates or key
>> corresponding to the cipher suites" even before establishing a
>> handshake. It is a mutual handshake. So keystores and truststores are
>> there on both sides. Algorithms are RSA.
>>
>> Could this be caused due to a RSA bit size mismatch ? Would this error
>> message be caused if one pair of keystore and truststore use 2048 and
>> the other pair of keystore and truststore use 1024 ? Please share your
>> experience.
>>
>>
>> Thanks,
>> Mohan
>>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
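
Added example, not part of the original thread: the "save the -showcerts output, then verify each certificate" check from the reply above, run offline against a constructed root -> sub-CA -> leaf test PKI so the missing-intermediate case is visible. Function names, file names and the demo CA names are assumptions made for illustration.

```shell
#!/bin/sh
# Split a saved `openssl s_client -showcerts` capture: the first certificate
# (the server's own) -> leaf.pem, any others it sent -> extra.pem. Prints the count.
split_showcerts() {  # usage: split_showcerts CAPTURE OUTDIR
    rm -f "$2/leaf.pem" "$2/extra.pem"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir (n == 1 ? "/leaf.pem" : "/extra.pem") }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { out = "" }
        END                           { print n + 0 }' "$1"
}

# Verify leaf.pem against the trust anchors in CAFILE, offering whatever else
# the server sent as untrusted intermediates (none if it sent only the leaf).
verify_sent_chain() {  # usage: verify_sent_chain CAFILE OUTDIR
    if [ -s "$2/extra.pem" ]; then
        openssl verify -CAfile "$1" -untrusted "$2/extra.pem" "$2/leaf.pem"
    else
        openssl verify -CAfile "$1" "$2/leaf.pem"
    fi
}

# Constructed sample data: throwaway PKI plus two fake captures in DIR.
make_demo_pki() {  # usage: make_demo_pki DIR
    ( cd "$1" &&
      printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > cfg &&
      openssl req -x509 -config cfg -extensions v3_ca -newkey rsa:2048 -nodes \
          -keyout root.key -out root.pem -subj "/CN=Demo Root" -days 2 &&
      openssl req -new -config cfg -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr -subj "/CN=Demo Sub-CA" &&
      openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -extfile cfg -extensions v3_ca -days 2 -out sub.pem &&
      openssl req -new -config cfg -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=demo.example" &&
      openssl x509 -req -in leaf.csr -CA sub.pem -CAkey sub.key -CAcreateserial -days 2 -out leaf.pem &&
      { echo "Certificate chain"; cat leaf.pem sub.pem; } > with-chain.txt &&
      { echo "Certificate chain"; cat leaf.pem; } > leaf-only.txt
    ) >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && make_demo_pki "$d" || return 1
    for capture in with-chain leaf-only; do
        mkdir "$d/$capture" && split_showcerts "$d/$capture.txt" "$d/$capture" >/dev/null
        if verify_sent_chain "$d/root.pem" "$d/$capture" >/dev/null 2>&1
        then echo "$capture: chain verifies against the root"
        else echo "$capture: verification fails (sub-CA certificate was not sent)"; fi
    done
    rm -rf "$d"
}
demo
```

Against a real server, save the output of the `s_client -connect host:port -showcerts` command from the reply to a file and pass it to `split_showcerts`, with the peer's trusted CA bundle as CAFILE.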