Hi, expert, we have a server which has a self-signed certificate; however, when we try to use openssl to connect to the server, the server certificate verification always fails. So I used the s_client command to try to find out why it is failing. Here is what I got at the command line:
C:\OpenSSL-Win32\bin>openssl s_client -connect ip-0a503ddf:443 -CAfile "<path to ca file>\serverCert.pem" -showcerts
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
Loading 'screen' into random state - done
CONNECTED(00000140)
depth=0 CN = ip-0A503DDF
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = ip-0A503DDF
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=ip-0A503DDF
   i:/CN=ip-0A503DDF
-----BEGIN CERTIFICATE-----
MIIDIjCCAgqgAwIBAgIQJQc9680btI5IWfCzPBmCCjANBgkqhkiG9w0BAQUFADAW
MRQwEgYDVQQDEwtpcC0wQTUwM0RERjAeFw0xMTA4MTQwMTA3MzRaFw0xNjA4MTQw
MTA3MzRaMBYxFDASBgNVBAMTC2lwLTBBNTAzRERGMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAqBW+gBetxfVIgA8RwY+4Wt8n4uJ5YNjVXu2q2ruZ3eDK
ZfWt/Gp9XJcb86D4+oMrIPpsD2oPqxP5hCs9WjmKoyXfehgzzBE7ye5NON5CyQNZ
7RNMEF9y3hwVo7EgJAWqOdlwNXay6Hy2HXiMDk0FA0qgU5KBEgYoz4NBVNnD5Faa
yy9pPuZTOnFsaI2C6w52cXRwdYbPpHFALwOa8/jGe9OAfSPuJQ18i9kDXTa3zbM0
/ILSsFE+U2Doz12ETkb+Qv+7Qo57HwYF0NQXF5rdzf4jwtBkvxoE9rqpO9ImOcJ2
9/zQ4nsowMDJEXwqk0AGV048s8wf8+4dLZY1sBzzfwIDAQABo2wwajAOBgNVHQ8B
Af8EBAMCBaAwNQYDVR0RBC4wLIILaXAtMEE1MDNEREaCHWlwLTBBNTAzRERGLm1h
YXMzNjBkejAxLmxvY2FsMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC
MAAwDQYJKoZIhvcNAQEFBQADggEBAD1XVc5F2/Ki3mk+pBJLSwaDZRj2E9o9bS6X
F0rGF6agPPCDCGZyQTuMJEgx5w/0EGDamSBoZ6Ikg14E7OP5HJoPuxEYI6AU39/F
j6wBSPSFFGr38xhWsoYfk19Og+GrhdWTeExboMuTtzfFwRG81yhmx3Wsxe3S56Y4
qdpkUuGnc8A1oUgBUbRymD9SDjCc4Wh3jel8M+w9lF7kKF8jYvfcUpxsqw74TwnP
NGHeAy6Rg7iVtmQTRTJC+OM/WAKm71kwnd0MKf+4SLFp7eFB2TZmZQyRDggUSx6U
tkGjjmxoGzfh26No7qchS6rr4SvjbVDjy267AnJFicpLc199tpc=
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ip-0A503DDF
issuer=/CN=ip-0A503DDF
---
No client certificate CA names sent
---
SSL handshake has read 965 bytes and written 536 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 423E0000C3A794FD33F0A37B4887D4719C8755391C89FEFD59292EEC25FF905E
    Session-ID-ctx:
    Master-Key: 21CB9140CDDD29799B2F18D8B28B480FCEC2AFC239088DCCB41D93111365EEFE8D19873F2EF9E7093B5C3D2B0198D78C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1329767371
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Attached is the CA file which has the self-signed cert: http://old.nabble.com/file/p33359051/serverCert.pem (serverCert.pem). We used a self-signed cert before and we didn't see any verification issues then. I am thinking that it might be that openssl doesn't like this self-signed cert for some reason; however, after inspecting the cert, I could not find anything wrong with it. Could someone shed some light on this?

--
View this message in context: http://old.nabble.com/self-signed-cert-verification-is-failed-tp33359051p33359051.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
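An added example, not from the original post or from OpenSSL's own tooling, that reproduces how the -CAfile check behaves with a self-signed certificate: `openssl verify` succeeds only when the trust anchor is the exact certificate the server presents, and a SHA-256 fingerprint comparison is the quick way to confirm that against a real deployment. The CN ip-0A503DDF is taken from the post; the certificates are generated locally and are constructed sample data, so nothing here contacts a server.

```shell
#!/bin/sh
# Added example (not from the original post). Needs the openssl CLI.
# Mints two self-signed certs with the same CN but different keys and
# shows that verification only passes when the -CAfile anchor is the
# very certificate being verified.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Mint a self-signed certificate (constructed sample data) for a CN.
make_selfsigned() {   # $1 = CN, $2 = output PEM path
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# SHA-256 fingerprint: the fastest way to tell whether the cert in
# -CAfile is byte-for-byte the one the server actually presents.
fingerprint() {       # $1 = PEM path
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Wrapper around `openssl verify`: exit 0 when $2 chains to an anchor in
# $1, non-zero otherwise (the same check s_client -CAfile performs).
verify_against() {    # $1 = CAfile PEM, $2 = certificate to verify
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_selfsigned ip-0A503DDF "$WORK/served.pem"
make_selfsigned ip-0A503DDF "$WORK/stale.pem"   # same CN, different key

demo() {
    echo "served cert : $(fingerprint "$WORK/served.pem")"
    echo "stale anchor: $(fingerprint "$WORK/stale.pem")"
    if verify_against "$WORK/served.pem" "$WORK/served.pem"; then
        echo "anchor is the served cert itself      -> verify OK"
    fi
    if ! verify_against "$WORK/stale.pem" "$WORK/served.pem"; then
        echo "anchor is a different cert, same CN   -> verify FAILS"
    fi
}
demo
```

On a live host the same comparison is `openssl s_client -connect host:443 -showcerts` piped into `openssl x509 -noout -fingerprint -sha256`, checked against the fingerprint of the file passed to -CAfile.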