I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.
Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs, with INCOMPLETE everywhere. (See this link for one of the 900k+ hits on a Google search of "openssl+docs+suck" for how much hell you guys are putting people through trying to figure out this tool.) openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone), but it is just unbelievable to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.

So let me get specific here – one simple specific question (of many that I have) that has me clueless. The command:

openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass file:ssl\keys\Client_1_pwd.txt

results in output containing:

No client certificate CA names sent

From the docs for the s_client command, the -cert option says:

-cert certname  The certificate to use, if one is requested by the server. The default is not to use a certificate.

My guess from this is that this command is referring to the CLIENT SSL certificate, no? If my assumption is correct, then why am I getting this error? Or is this a notification of something normal and I should be looking elsewhere? I have checked the Apache httpd-ssl.cnf file I am using and verified that all the certificate related parts are filled in, and I have verified the integrity of all the certificates referenced by it. I have been able to do straight one-way SSL with the server as well with both IE and Chrome browsers.

Two-way SSL fails with the server logs indicating that the client "refused" the connection. I am using a self-signed CA which was used to sign the server certificate. The client certificate is also signed by the same CA self-signed certificate. Apache error logs give me this:

[Tue Nov 13 12:38:56 2012] [error] [client 127.0.0.1] Invalid method in request

Which is about as useful as the openssl docs are. I am also seeing this in openssl's s_client output:

verify error:num=19:self signed certificate in certificate chain

From what I think I understand, this should not be a showstopper problem as all root CA certs would naturally be self-signed, no? Full output of this operation with the -showcerts command is attached for reference. I have read through many forum examples of how to do this and it seems simple enough, but then when it doesn't work, figuring out what things MEAN and how to address what is wrong proves to be very difficult indeed.
[Attachment: httpd-ssl.conf]
CONNECTED(00000190)
---
Certificate chain
0 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
  i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
1 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
  i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
2 s:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
  i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
---
Server certificate
subject=/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
issuer=/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
---
No client certificate CA names sent
---
SSL handshake has read 4031 bytes and written 408 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: C5FADB72C74AA2D8B2E20951D6417DF6DF13CEC026A4B070D985C9DCB27EA9BD
Session-ID-ctx:
Master-Key:
639DBACD753E80836F612AB2F8DD8C234C5A2F9507D63941F113D2D22AFE174E5690C4820AA9A940D9B492E72BFA75A7
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
Start Time: 1352831126
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:[email protected]" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>
<body>
<h1>Object not found!</h1>
<p>
The requested URL was not found on this server.
If you entered the URL manually please check your
spelling and try again.
</p>
<p>
If you think this is a server error, please contact
the <a href="mailto:[email protected]">webmaster</a>.
</p>
<h2>Error 404</h2>
<address>
<a href="/">www.pawnmasterpro.com</a><br />
<span>11/13/12 13:26:18<br />
Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4
Perl/v5.10.1</span>
</address>
</body>
</html>
closed
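As an added example (not from the original post and not OpenSSL project code): a small Python parser that pulls the handshake facts out of s_client output like the attachment above and turns the two lines the post asks about (the verify return code and the client CA names line) into the next checks to make. The sample input is a constructed excerpt modelled on the attachment; the parser works on any s_client output captured to a string.

```python
import re
# Constructed excerpt modelled on the s_client output attached to the post.
SAMPLE = """\
CONNECTED(00000190)
verify error:num=19:self signed certificate in certificate chain
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Verify return code: 19 (self signed certificate in certificate chain)
"""

def parse_s_client(text):
    """Extract the verify result, the negotiated cipher and the CA names the
    server listed in its CertificateRequest (empty list if it sent none)."""
    info = {"verify_code": None, "verify_msg": "", "cipher": None, "client_ca_names": []}
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        m = re.match(r"Verify return code: (\d+) \((.*)\)", line)
        if m:
            info["verify_code"], info["verify_msg"] = int(m.group(1)), m.group(2)
        m = re.match(r"New, .*Cipher is (\S+)", line)
        if m:
            info["cipher"] = m.group(1)
        if line == "Acceptable client certificate CA names":
            j = i + 1  # s_client prints one DN per line up to the next '---'
            while j < len(lines) and lines[j] != "---":
                info["client_ca_names"].append(lines[j])
                j += 1
    return info

def diagnose(info):
    """Turn the parsed facts into the checks a reviewer would make next."""
    notes = []
    if info["cipher"] and info["cipher"] != "(NONE)":
        notes.append("handshake completed with cipher " + info["cipher"])
    if info["verify_code"] == 19:
        # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: the self-signed root in the chain
        # is not in the trust store given to s_client. -CApath needs hash-named
        # files (c_rehash); -CAfile <root.pem> avoids that dependency.
        notes.append("root CA not trusted: pass it with -CAfile or c_rehash the -CApath dir")
    elif info["verify_code"] not in (None, 0):
        notes.append("chain failed verification: " + info["verify_msg"])
    if not info["client_ca_names"]:
        # Printed when no acceptable-CA list arrived: the server did not ask for
        # a client certificate in this handshake, so -cert/-key were never used.
        notes.append("no client certificate requested: check SSLVerifyClient and "
                     "SSLCACertificateFile in the server's SSL vhost")
    return notes
```

The line "No client certificate CA names sent" is therefore a statement about what the server did, not about the -cert file; a server that asks for a client certificate prints "Acceptable client certificate CA names" followed by one DN per line.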
