Hi there,
I'm facing an 'Unknown CA' error during SSL handshake messages between
client (a network device) and server (pound).
Sorry, I am not very familiar with OpenSSL library usage, but I am setting up
the pound reverse proxy, which uses OpenSSL 0.9.8 on Red Hat Linux.

I have done a lot of googling but no clear pointers were available yet.
Can anybody please list all possible causes behind this
error?
This error (thrown by the server to the client) is observed in Wireshark. This
happens immediately after the client sends 'Finished'.

Observation:
A Wireshark debug log (using the RSA private key) shows me that client and
server agreed on a cipher from the client's cipher list (1).
However, the openssl cipher command doesn't show this cipher (one of
the 'AES' ones, I think TLS_DH_RSA_WITH_AES_128_CBC_SHA, agreed by
client/server). I am not suspecting (so eagerly) that the unknown CA error
is just because of this, as I may have also made some other mistake.

Hence I am mentioning all the steps followed here. Please correct me if needed.
1. Generated a private key (not passphrase protected) and CSR using openssl
with a copy of openssl.cnf in a custom directory. This cnf file is barely
filled with the required fields (like OU, CN etc.) in the 2 mandatory sections
as mentioned in the man page.
2. Received a tgz which contains CA, intermediate and server certificates
(for test purposes, which have a month's expiry) from our own organization's CA.
3. As part of setting up these certificates on the server, I am struggling while
following the not-so-clear man pages of pound and openssl.
4. Appended the private key to the server certificate.
5. Appended the intermediate cert to the CA cert to make a chain cert.
6. Verified all certificates using the openssl verify command, which says
OK after copying the CA and OEM certs (and the hash'd .0) to the openssl certs
directory. Here I tried various things, hashing the individual CA and OEM certs
within the certs directory so the root or CA certificate can be located and
trusted! There was no clear documentation on this crucial step. Not
sure if this hash has to happen on the chained cert only or on the individual
CA and intermediate (OEM) certificates only, as mentioned in other sources.
7. Then applied the openssl -addtrust command on the CA certificate.
8. Now tested using the pound https listener with all certs and trust
available / a network device which makes an https request to the pound https
listener, which uses the server and CA (or chain!) certificate in the ssl
certs directory!!
All these tests resulted in an unknown CA error whenever client certificate
verification is enabled.
9. Also tested various other methods unsuccessfully, like
openssl s_server/s_client and
s_server/browser. Though these are not going to be effective, as the client
certificate will not be sent by them as the pound ssl listener demands!!


I see Wireshark showing the client sending hello, server hello done,
the client sending its certificate for verification, cipher spec, key
exchange etc. and finally MAC done and sending 'Finished' from its
final part of the handshake. However, the server immediately sends this unknown
CA error to the client.
So I am assuming either the server is not configured with the CA or chain properly, or
it is not locatable or not available in any trust store (should I have to
use something like Java's keytool to store and point to it?). Here different sites
mentioned different things, but I am not sure about any.
Another source mentioned the client certificate which contains the public key
should be stored on the server in advance so the server can trust who is
communicating in advance (to counter a man in the middle attack).
Also another suggestion was to add a CRL to the CA certificate.
Checked other possible issues like date/time differences, permissions,
the openssl big default trust cert file being appended with our root
certificate etc.
Not sure how to verify whether the 'extended' part of the client certificate
contains the required attributes/values.

Does installation of the root or chain certificate involve just copying
files into the ssl certs directory? Should we mandatorily use openssl.cnf,
removing comments on critical sections and init!?
Any help or pointers will be greatly appreciated. Please mention any master
list of causes for this error.

I need to mention the client (device) certificate is also created by our own
organization as part of factory installation. So I am not doubting the trust
or other parts of the certificate information.

Best regards.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
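Added example, not from the original post, from pound or from OpenSSL: a self-contained Go program that reproduces the situation described above. It mints a constructed root CA, an intermediate, a server certificate and a device certificate issued by the intermediate, then runs the server-side client-certificate check the way a TLS server does, once with a trust store holding only the root and once with the root plus the intermediate, and finally runs a real mutual-TLS handshake over loopback so the same failure shows up as the server's verdict. Every name in it (issue, verifyClient, handshake, "Example Root CA", "Example Issuing CA", "device-0001", "pound.example.test") is an assumption of this example, and the device is assumed to present only its own leaf certificate, as a factory-installed certificate often does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// poolOf builds a CA store from the given certificates (the role of the server's CA/chain file).
func poolOf(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// issue mints a constructed test certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // only needs to be positive for this demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // clientAuth is the "extended" attribute a server checks on a client certificate
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	signer, issuer := any(key), tmpl
	if parent != nil {
		signer, issuer = parent.PrivateKey, parent.Leaf
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// verifyClient is the server-side check: presented[0] is the client leaf, presented[1:] any extras it sent, trusted the server's CA store.
func verifyClient(presented []*x509.Certificate, trusted ...*x509.Certificate) error {
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: poolOf(trusted...),
		Intermediates: poolOf(presented[1:]...), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// handshake runs one mutual-TLS handshake over loopback and returns the server's verdict (the reason behind the fatal alert).
func handshake(server, device tls.Certificate, trusted ...*x509.Certificate) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		result <- tls.Server(conn, &tls.Config{
			Certificates: []tls.Certificate{server},
			ClientAuth:   tls.RequireAndVerifyClientCert,
			ClientCAs:    poolOf(trusted...),
		}).Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	// Like a fixed-function device, always present the factory certificate whatever CA names the
	// server advertises; verifying the server is skipped (assumption) to isolate the client check.
	cfg := &tls.Config{InsecureSkipVerify: true, GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		return &device, nil
	}}
	_ = tls.Client(conn, cfg).Handshake()
	return <-result
}

func main() {
	root := issue("Example Root CA", true, nil)
	inter := issue("Example Issuing CA", true, &root)
	server, device := issue("pound.example.test", false, &root), issue("device-0001", false, &inter)
	leaf := []*x509.Certificate{device.Leaf}
	fmt.Println("verify, store=root      :", verifyClient(leaf, root.Leaf))             // x509: certificate signed by unknown authority
	fmt.Println("verify, store=root+inter:", verifyClient(leaf, root.Leaf, inter.Leaf)) // <nil>
	fmt.Println("handshake, store=root      :", handshake(server, device, root.Leaf))
	fmt.Println("handshake, store=root+inter:", handshake(server, device, root.Leaf, inter.Leaf))
}
```

Run it with `go run`. The first verification and the first handshake fail with "certificate signed by unknown authority", the two whose store also contains the intermediate succeed. verifyClient also accepts a chain in which the device itself sends the intermediate alongside its leaf, which is the practical answer to the "chain or individual certificates" doubt: the server has to be able to walk from the presented leaf to something it trusts, and the intermediate may come either from the server's own store or from the client. Wrong root, missing intermediate and an unrelated CA all surface as the same unknown-CA verdict, so the store the listener is actually reading is the first thing to confirm.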