If you have the server's key and certificate, the command will be something like

openssl s_server -key key -cert cert -CAfile file_with_ca -verify_return_error

file_with_ca should contain a concatenation of the certs of the CAs that should issue the client's certificate.

If you don't have the server keypair, try to understand something from the command

openssl s_client -connect host:port -cert clicert -key clikey

At least you'll hopefully see the list of allowed client certificate issuers.

Please read the manuals of the s_client/s_server apps for more details.

On Fri, Feb 7, 2020 at 11:18 PM Bashin, Vladimir <vbas...@empirix.com> wrote:

> Thanks Dmitry!
>
> Do I need the server certificate in order to run those commands?
>
> Also, could you please point me to the exact commands that I'd need to
> execute in order to reproduce the TLS handshake?
>
> Regards,
> VB
>
> *From:* Dmitry Belyavsky <beld...@gmail.com>
> *Sent:* Friday, February 7, 2020 3:07 PM
> *To:* Bashin, Vladimir <vbas...@empirix.com>
> *Cc:* openssl-users@openssl.org
> *Subject:* Re: TLS 1.2 handshake issue (Server Certificate request)
>
> Hello Vladimir,
>
> It's worth trying to reproduce the situation using the openssl
> s_client/s_server command-line apps.
>
> On Fri, Feb 7, 2020 at 9:25 PM Bashin, Vladimir <vbas...@empirix.com>
> wrote:
>
> > Hello, OpenSSL experts!
> >
> > We need your help in better understanding the behavior below.
> >
> > We are experiencing an issue during the initial TLS handshake:
> >
> > We have a customer-issued TLS certificate that we deploy on our TLS
> > client system. The certs have been generated with a CSR that was
> > generated on the customer's FIPS-compliant server. The CSR was then
> > signed by a CA hosted on SMGR.
> >
> > During the endpoint registration with the server we have an
> > endpoint-initiated TLS handshake. During that handshake the TLS server
> > requests the client certificate, but our TLS client responds with
> > Certificates Length 0, which causes the TLS server to respond with a
> > Handshake Failure.
> >
> > The Google search gives some generic ideas on why that might be
> > happening, something along the following lines: it could be happening in
> > case the client's certificate does not match the server certificate, for
> > example due to a signing authority mismatch, or due to an encryption
> > cipher type mismatch, or maybe due to some other factors.
> >
> > Could you please help us in better understanding this issue? What else
> > could be wrong or missing in the Server and Client certificates?
> >
> > Thanks,
> > Vladimir Bashin
>
> --
> SY, Dmitry Belyavsky

--
SY, Dmitry Belyavsky