Did you successfully load the root cert into the SERVER truststore?

The requirements are not quite symmetric. Almost always (except for anon and non-PK):

- server MUST set privatekey and matching cert, and preferably any chain cert(s) (you have none)
- client MUST set truststore containing root FOR SERVER, and any chain cert(s) server does NOT send

For client auth:

- client MUST set privatekey and matching cert, and preferably any chain cert(s) (you have none)
- server MUST set truststore containing root FOR CLIENT, and any chain cert(s) client does NOT send
- server MAY set client-ca-list

Note that setting client-ca-list does not set truststore, and setting truststore does not set client-ca-list. Although they usually should be the same (you should request the certs you will trust) they are separate. s_server partially conceals this because it uses -CAfile both to load truststore and to set client-ca-list.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Marco Bambini
Sent: Sunday, July 27, 2014 13:33
To: openssl-users@openssl.org
Subject: Re: Adding client peer verification to my server

Hello, thanks to your help I made some progress (I also removed the intermediate CA file).

Using the command line:

openssl s_client -connect localhost:4430 -cert /Users/test/client.pem -state
<snip>
4722:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s3_pkt.c:1106:SSL alert number 48
4722:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_lib.c:182:

so it seems that the real error is "unknown CA".

Please note that on server side I successfully call:

list = SSL_load_client_CA_file(root_certificate);
if (list != NULL) SSL_CTX_set_client_CA_list(CTX, list);

In my opinion the real issue is the way certificate files are generated starting from root CA certificates. Here is the up-to-date command line I use to generate root.pem, server.pem, client.pem:
<snip>