> From: owner-openssl-us...@openssl.org On Behalf Of Alexandra Druecke > Sent: Tuesday, 07 August, 2012 08:02
> I'm using the attached code to connect to a server. This > works perfectly until > I had to excange the certificate which now needs two > additional intermediate > certs. All certs are merged within one file. The code can > handle certificate > chains as it is able to connect to another server with the > same certificate. > The EE cert and intermediate certs *and* privatekey, since otherwise you would have gotten errors you don't report. > I tried to connect the server with my new certificate using > openssl and it > works fine: > > openssl s_client -connect the.server.net:700 -cert myCert.pem > -CApath mycapath > s_client calls use_certificate, not use_certificate_chain, and thus uses only the EE cert from myCert.pem, ignoring others. Do you have the intermediates in mycapath (with hashlinks/names)? OpenSSL (and s_client) will use certs from CApath and/or CAfile to fill out the (client) chain. If not, apparently your servers don't need you to send the full chain; it's entirely possible a server has intermediate certs in its truststore and uses them. And these might differ because quite a few CAs, especially newer or less established one, have "cross" and/or "upgrade" certificates for/above their intermediates, giving multiple different chains, which different reliers may or may not trust. > > Summary: > > a.) myCode + myCert -- can connect to ----> server A > b.) myCode + myCert -- can't connect to --> server B > c.) openssl s_client + myCert -- can connect to ----> server A > d.) openssl s_client + myCert -- can connect to ----> server B > > For b.) I found the following error: > 3071740832:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 > alert bad > certificate:s3_pkt.c:1053:SSL alert number 42 > Use -debug to see exactly what certs s_client is sending in b, or if you are on Windows or Mac use www.wireshark.org to monitor and display b (more work to set up but easier to read), and compare it to the certs in your myCert.pem . I also notice that line number appears to be for fips-1.2.3. Is your app using a FIPS build of OpenSSL *in FIPS mode*? If so, that might affect the suites used, although your cert is apparently RSA, which is permitted in FIPS -- unless it is too few bits and something is (already?) enforcing that. I believe commandline doesn't default to FIPS mode even in a FIPS build, but I don't use it myself and am not familiar. <snip> ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
