To find problems in the trusted certificate chain, use 'openssl
s_client -connect host:port -showcerts' and then verify each
certificate. (Note: if your server certificate was issued from a
sub-CA rather than directly from a root, you must also ensure that you
call SSL_CTX_add_extra_chain_cert(3ss
We diagnosed the problem. Our keystore is missing the private key.
Java code to export the private key fails. Even IBM keyman shows only
certificates. It is not as if somebody can delete the private key from
the keystore?
Mohan
On Sat, Dec 5, 2009 at 6:28 AM, Dave Thompson
wrote:
>> From: owne
> From: owner-openssl-us...@openssl.org On Behalf Of Mohan Radhakrishnan
> Sent: Friday, 04 December, 2009 05:54
>
> We see this message "no available certificates or key
> corresponding to the cipher suites" even before establishing a
> handshake. It is a mutual handshake. So keystores and
"No available certificates or key corresponding to the cipher suites"
may also be associated with not calling
SSL_CTX_use_RSAPrivatekey[_*](3ssl), or the private key not matching
the public key in the certificate. use_certificate first, then
use_RSA_Privatekey.
And don't forget to call SSL_CTX_ch
Possibly not. I meant that there could be 3 problems
1. Algorithm mismatch
2. Certificate imported in an incorrect keystore.
3. No trusted certificate chain.
Trying to home in on one of the problems.
Thanks,
Mohan
On Fri, Dec 4, 2009 at 4:24 PM, Mohan Radhakrishnan
wrote:
> Hi,
>
> We see
Hi Rajat:
On Tuesday 29 January 2008 01:46:39 [EMAIL PROTECTED] wrote:
> Hi All,
>
> ./openssl s_client -connect 192.168.32.164:32001 -no_ssl2 -cipher
> DHE-DSS-AES256-SHA -state
>
> CONNECTED(0004)
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL
Frédéric Donnat wrote:
> be careful with some typo error.
>
> My openssl 0.9.7e does not accept this "RSA-AES256",
It does NOT? Strange.
> but accept "RSA:AES256".
Sure, as this specifies two cipher preferences, "RSA" or "AES256"...
> Things are the same with last openssl 0.9.7i.
I'll take i
pher: AES256-SHA
...
Things are the same with last openssl 0.9.7i.
Fred
-Original Message-
From: Daniel Tiefnig [mailto:[EMAIL PROTECTED]
Sent: Wed 11/30/2005 6:24 PM
To: openssl-users@openssl.org
Cc:
Subject:Re: cipher suite names in 0.9.8
Frédéric Donnat wrote:
> I
Frédéric Donnat wrote:
> I think you made an error:
> - RSA with AES and SHA is: AES256-SHA
Hmm, I already thought that "RSA-AES256" may not be valid. So this is a
bug in openssl 0.9.7e, as it does accept "RSA-AES256" as a cipher selection?
> Hope it could help,
Thanks for your response.
lg,
Hi,
I think you made an error:
- RSA with AES and SHA is: AES256-SHA
Just have a look at openssl ciphers -v output.
[EMAIL PROTECTED] gcb]$ LD_LIBRARY_PATH=/usr/local/ossl-0.9.8/lib
/usr/local/ossl-0.9.8/bin/openssl ciphers -v | grep AES
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=
On Thu, Feb 08, 2001 at 02:16:53PM -0800, Patrick Li wrote:
> I am implementing a SSL client. Is SSL_set_cipher_list() the only function
> call that I can use to specify the cipher suites supported by the SSL
> client? Let say I want to disable all the non-exportable cipher suites at
> my clien
Patrick Li wrote:
>
> Hi,
>
> I am trying to match the cipher suite supported by OpenSSL (listed out by
> the command openssl ciphers -tlsv1) to the cipher suite specified in the TLS
> Protocol version 1 IETF RFC 2246. But they seemed to be using different
> naming conventions. The cipher sui
Jeffrey Ricks <[EMAIL PROTECTED]> writes:
> If I run (note that I'm using the same certs/keys as above):
>
> openssl s_client -connect voodoo:443 -cert /tmp/s_client2.crt -key
> /tmp/s_client2.key -CAfile /tmp/s_clientCA.crt -tls1 -cipher
> DES-CBC3-SHA -state
>
> with client authentication off
On Wed, Dec 06, 2000 at 01:13:32PM -0800, Jeffrey Ricks wrote:
> openssl s_client -connect voodoo:443 -cert /tmp/s_client2.crt -key
> /tmp/s_client2.key -CAfile /tmp/s_clientCA.crt -tls1 -cipher
> DES-CBC3-SHA -state
> with client authentication off at the server, it works fine. If I turn
> cli
Lutz,
I grabbed ssldump and captured some output. Unfortunately, it doesn't
look like it has uncovered any secrets.
This is where I am now:
If I run:
openssl s_client -connect voodoo:443 -cert /tmp/s_client2.crt -key
/tmp/s_client2.key -CAfile /tmp/s_clientCA.crt -tls1 -cipher
EDH-RSA-DES-CBC
Lutz,
Thanks for the quick response... I tried the same test you ran and it
worked. However, I'm inclined to think that it might be something in
OpenSSL on the client side. In its current configuration, the server
handles DES-CBC3-SHA requests from my java client perfectly, so I don't
think it
On Mon, Dec 04, 2000 at 04:34:52PM -0800, Jeffrey Ricks wrote:
> GET /servlets/TestServlet HTTP/1.0 (I type this)
>
> SSL_connect:SSL renegotiate ciphers
> SSL_connect:SSLv3 write client hello A
> SSL_connect:SSLv3 read server hello A
> SSL_connect:SSLv3 read server certificate A
> SSL3 alert wri
On Mon, Dec 04, 2000 at 04:34:52PM -0800, Jeffrey Ricks wrote:
[...]
> If I use my java client with the DES-CBC3-SHA cipher, everything works
> fine. It's when I use that cipher with any openssl-based apps
> (including s_client) that things don't work. If I run this:
>
> openssl s_client -conn