> From: owner-openssl-us...@openssl.org On Behalf Of Kyle Hamilton > Sent: Thursday, August 07, 2014 16:48
> Your client is saying that it's failing the certificate verification of > the server certificate. It's probably not using the CAfile that you > passed to openssl s_client. > > -Kyle H > > On 8/5/2014 12:19 PM, Ted Byers wrote: > > I have Perl code, which uses a library that in turn uses openssl for > > HTTPS connections. I have been trying to use Wireshark to diagnose > > this, but I have yet to find a way to have it tell me what steps in > > the SSL handshaking are happening at a given time (client hello, > > server hello, &c.). Thus, I am having trouble seeing whether the > > problem is in my client not doing something right or the server not > > doing something right. I have not yet figured out how to have it > > export everything in a capture file in plain text so that I could > > copy/paste it in a note like this so you could see for yourself what > > is happening. > > About Wireshark: first make sure you have only the desired packets displayed: filter the display unless you previously filtered the capture or you were (very) lucky and nothing else happened during the capture. For everything, which is a lot (usually too much), File / Print plainText toFile (and specify filename), range: Allpackets Displayed, format: summary on, details on all expanded, bytes off. For just which handshake steps have occurred, same except details off. > > I did get openssl s_client to connect properly, and here is the output > > from that (sanitized of the server operator's ID): > > > > ted@linux-jp04:~/Work/Projects/FirstData> openssl s_client -CAfile > > server-test.pem -cert client_test.pem -key client_test.key -connect > > n.n.n.n:8443 <snip except> > > Server certificate > > -----BEGIN CERTIFICATE----- > > DELETED > > -----END CERTIFICATE----- > > subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com > > Now, here is the output I get from my Perl client (also sanitized): > > > > $url = https://n.n.n.n:8443/ > > $scheme = https > > $self->{ssl_set} = 0 > > $self->{ca_cert_dir} = . > > $self->{ca_cert_file} = server-test.pem > > $LWP::VERSION = 6.05 > > Setting cert dir and file if available > > $self->{ssl_set} = 1 Are you setting the client key&cert/chain? This doesn't indicate it. The s_client command did provide them, and the server did request a client cert; if the server *requires* client cert and client doesn't provide one, the server will normally reject the connection. > > DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 26349088 > > DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected > > DEBUG: .../IO/Socket/SSL.pm:528: socket connected > > DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started > > DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is > unknown > > DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce > > timeout=180 > > DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1 > > DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress > > DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL > > wants a read first This appears to be sent CHello, nonblocking expect SHello,Cert...SDone > > DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect > > DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1 > > DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress > > DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL > > wants a read first > > DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect > > DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1 > > DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress > > DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL > > wants a read first These two look like partial reads therefore expecting more > > DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect > > DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26317968 > > DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=26323136 Those look like verify-callback; verify of the cert looks okay. > > DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=26323136 > > DEBUG: .../IO/Socket/SSL.pm:1549: identity=n.n.n.n > > cn=lv-rtps-proxy-test.ne.1dc.com alt= Those look like "hostname" check, which openssl doesn't do yet (1.0.2 will) but your perl library probably adds. If you used an IP form URL as indicated above https://a.b.c.d:8443/ and the cert has only domainname as is common and indicated here, then this should fail. It is requirement of HTTPS (and some other *S protocols but not SSL/TLS by itself) that the "authority" field in the URL matches *a* name in the cert. That doesn't necessarliy mean only one name; the/a cert name can be a wildcard that matches multiple hostnames but yours isn't; there can be multiple names in the cert using Subject Alternative Names, but I take "alt=" here to mean yours doesn't. > > DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1 > > DEBUG: .../IO/Socket/SSL.pm:1757: SSL connect attempt failed > > > > DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt > > failed error:14090086:SSL > > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed And it looks like it did fail at SCert stage.. > > DEBUG: .../IO/Socket/SSL.pm:2537: free ctx 26349088 open=26349088 > > DEBUG: .../IO/Socket/SSL.pm:2542: free ctx 26349088 callback > > DEBUG: .../IO/Socket/SSL.pm:2549: OK free ctx 26349088 > > 2014/08/05 10:03:05> [http client] communication error: 500 Can't > > connect to n.n.n.n:8443 (certificate verify failed) > > 500 Can't connect to n.n.n.n:8443 (certificate verify failed) > > ted@linux-jp04:~/Work/Projects/FirstData> > > > > > > The error "SSL routines:SSL3_GET_SERVER_CERTIFICATE" seems self > > explanatory, but what I can't figure out is why communication happens > > properly when I use openssl s_client, with the CA authority cert and > > the client side cert and key, but I can't successfully get the server > > cert, even though my perl code provides the same information, > > ultimately to openssl library code. > > commandline s_client does not check hostname at all; it can be used for protocols which don't even use hostnames, unlike HTTPS. > > I can post my Perl code, if there is someone in this forum who knows > > Perl, and especially the libraries used to handle HTTPS communications > > (and how to get better debugging information from them - I have > > IO::SOCKET::SSL DEBUG variable set to 3, which is the highest debug > > level available, providing the most information, available, according > > to the docs). > > > > I would appreciate advice on the best way of using Wireshark to > > provide useful, actionable information; or advice on how to provide > > the Wireshark logs to you in a way that is useful to you in helping me > > debug this. I have the CA root cert, used to sign both the server's > > cert and the client cert, and obviously, I have both the client's key > > and cert, if any of these files can be used to help Wireshark provide > > more useful information; but I have no idea how to tell Wireshark to > > use them, if in fact using them would be useful (I started working > > with Wireshark this past Friday). > > > > Thanks > > > > Ted > > > > > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
