
Re: TLS client certificate problem



On Sat, 16 Sep 2000, Kurt D. Zeilenga wrote:
> What does "openssl s_client" say?

$ openssl s_client -host localhost -port 636 -cert ~/certs/michael.pem -key ~/private/michael.key -CAfile /opt/ssl/certs/newearthCA.pem

CONNECTED(00000003)
depth=1 /C=US/ST=Pennsylvania/L=Bryn Athyn/O=NewEarth Swedenborgian BBS/OU=Certification Authority/CN=NewEarth CA/Email=ca@newearth.org
verify return:1
depth=0 /C=US/ST=Pennsylvania/L=Bryn Athyn/O=NewEarth Swedenborgian BBS/OU=Online Services/CN=*.newearth.org/Email=www@newearth.org
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Pennsylvania/L=Bryn Athyn/O=NewEarth Swedenborgian BBS/OU=Online Services/CN=*.newearth.org/Email=www@newearth.org
   i:/C=US/ST=Pennsylvania/L=Bryn Athyn/O=NewEarth Swedenborgian BBS/OU=Certification Authority/CN=NewEarth CA/Email=ca@newearth.org
 1 s:/C=US/ST=Pennsylvania/L=Bryn Athyn/O=NewEarth Swedenborgian BBS/OU=Certification Authority/CN=NewEarth CA/Email=ca@newearth.org
-----BEGIN CERTIFICATE-----
[cert was here]
-----END CERTIFICATE-----
subject=/C=US/ST=Pennsylvania/L=Bryn Athyn/O=NewEarth Swedenborgian BBS/OU=Online Services/CN=*.newearth.org/Email=www@newearth.org
issuer=/C=US/ST=Pennsylvania/L=Bryn Athyn/O=NewEarth Swedenborgian BBS/OU=Certification Authority/CN=NewEarth CA/Email=ca@newearth.org
---
Acceptable client certificate CA names
/C=US/ST=Pennsylvania/L=Bryn Athyn/O=NewEarth Swedenborgian BBS/OU=Certification Authority/CN=NewEarth CA/Email=ca@newearth.org
---
SSL handshake has read 2442 bytes and written 2562 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 637AC486646FF9B7F599D8DEB895A70DC937256AE1268F63151541B3A42FAD5C
    Session-ID-ctx:
    Master-Key: 96AAEC6D697B7FB2F32CEB52C080CCB7FFE6DA6DDB4E499A70115CD267403F61F621F429A73FBD515C8531A280D94212
    Key-Arg   : None
    Start Time: 969238405
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

On Sat, 16 Sep 2000, Kurt D. Zeilenga wrote:
> At 02:59 PM 9/15/00 -0400, Michael David wrote:
> >I'm running openldap 2.0.3 under linux. The clients include
> >netscape messenger on the same linux box, and netscape and
> >outlook express under windows 2k.
> 
> I've been using Netscape 4.75 ldaps:// support without problems.
> 
> >All have been working and continue to work using plaintext
> >ldap on port 389. Under a previous version of openldap
> >(2.0.0), ldaps (tls) connection on port 636 also worked for
> >all these clients. Now, under 2.0.3, searching for a name
> >from the OE address book, I see these debug messages;
> >
> >TLS trace: SSL_accept:SSLv3 write certificate A
> >TLS trace: SSL_accept:SSLv3 write server done A
> >tls_write: want=9, written=9
> >        16 03 01 00 04 0e 00 00 00
> >TLS trace: SSL_accept:SSLv3 flush data
> >tls_read: want=5 error=Resource temporarily unavailable
> >TLS trace: SSL_accept:error in SSLv3 read client certificate A
> >TLS trace: SSL_accept:error in SSLv3 read client certificate A
> >daemon: select: listen=6 active_threads=0 tvp=NULL
> >daemon: select: listen=7 active_threads=0 tvp=NULL
> >
> >and OE reports that it can't connect.
> >
> >The results are the same whether or not OE has a client
> >certificate. The other clients produce the same results.
> >
> >If anyone finds this informative, I'd be interested in
> >learning what has stopped working.
> 
> What does "openssl s_client" say?
> 

-- 
Michael V. David - MVD53 - michael@newearth.org - mvd@netaxs.com
WEB: http://www.netaxs.com/~mvd/mvd - http://www.newearth.org/~michael
IRC: irc.newearth.org#newearth - AIM: newearth7 - GPS: 40 07 53 N, 75 04 04 W
Quidquid latine dicitur, altum viditur.
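The two artefacts in this thread are worth reading side by side: the nine bytes slapd logged (`16 03 01 00 04 0e 00 00 00`) are a TLS record header followed by a handshake header, and the `openssl s_client` report shows how the same server's handshake looks when it completes. The helper below is an added example, not code from the thread, from OpenLDAP or from OpenSSL. `parse_tls_record` decodes the record and handshake headers; `parse_s_client` extracts the per-depth verify results, the certificate chain, the CertificateRequest CA list and the session parameters from the classic s_client report layout; `assess` turns the parsed report into a short defender-side checklist. The sample s_client text and its DNs are constructed for the example.

```python
"""Decode slapd's TLS trace bytes and summarise `openssl s_client` output.

Added example (not from the mailing-list thread, OpenLDAP or OpenSSL). It
assumes the pre-1.1 s_client report layout quoted in the mail; the sample
report below is constructed to match that layout.
"""
import re

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
HANDSHAKE_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello",
                   11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_hello_done",
                   15: "certificate_verify", 16: "client_key_exchange",
                   20: "finished"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# The nine bytes slapd wrote just before it began waiting on the client.
TRACE_LINE = "16 03 01 00 04 0e 00 00 00"


def parse_tls_record(hexdump):
    """Decode the 5-byte TLS record header and, for handshake records, the
    4-byte handshake header (1-byte type, 24-bit length) that follows it."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if len(data) < 5:
        raise ValueError("need at least the 5-byte record header")
    ctype, ver = data[0], (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    rec = {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "version": TLS_VERSIONS.get(ver, f"{ver[0]}.{ver[1]}"),
           "length": length}
    body = data[5:5 + length]
    if ctype == 22 and len(body) >= 4:
        rec["handshake_type"] = HANDSHAKE_TYPES.get(body[0], f"unknown({body[0]})")
        rec["handshake_length"] = int.from_bytes(body[1:4], "big")
    return rec


def parse_s_client(output):
    """Extract verify results, chain, CertificateRequest CA names and
    session parameters from an s_client report."""
    rep = {"verify": [], "chain": [], "acceptable_cas": []}
    # "depth=N <dn>" is always followed by "verify return:1" or "verify error:...".
    for m in re.finditer(r"^depth=(\d+) (\S.*)\nverify (return:\d+|error:.*)$", output, re.M):
        rep["verify"].append((int(m.group(1)), m.group(2), m.group(3)))
    chain = re.search(r"Certificate chain\n(.*?)(?=\n---)", output, re.S)
    if chain:
        for m in re.finditer(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", chain.group(1), re.M):
            rep["chain"].append({"pos": int(m.group(1)), "subject": m.group(2).strip(),
                                 "issuer": m.group(3).strip()})
    cas = re.search(r"Acceptable client certificate CA names\n(.*?)\n---", output, re.S)
    if cas:  # absent when the server sent no CertificateRequest
        rep["acceptable_cas"] = [l.strip() for l in cas.group(1).splitlines() if l.strip()]
    fields = {"protocol": r"^\s*Protocol\s*:\s*(\S+)",
              "cipher": r"^\s*Cipher\s*:\s*(\S+)",
              "key_bits": r"^Server public key is (\d+) bit",
              "verify_return_code": r"^\s*Verify return code: (\d+)"}
    for key, pat in fields.items():
        m = re.search(pat, output, re.M)
        rep[key] = m.group(1) if m else None
    for key in ("key_bits", "verify_return_code"):
        if rep[key] is not None:
            rep[key] = int(rep[key])
    return rep


def assess(rep):
    """Defender-side checklist over a parsed report; returns a list of findings."""
    findings = []
    if rep["verify_return_code"] != 0:
        findings.append(f"server chain did not verify (code {rep['verify_return_code']})")
    if not rep["acceptable_cas"]:
        findings.append("no CA names sent: server is not requesting client certificates")
    if rep["cipher"] and "DES" in rep["cipher"]:
        findings.append(f"legacy cipher negotiated: {rep['cipher']}")
    if rep["key_bits"] is not None and rep["key_bits"] < 2048:
        findings.append(f"server key is only {rep['key_bits']} bits")
    leaf = next((c for c in rep["chain"] if c["pos"] == 0), None)
    if leaf and "CN=*." in leaf["subject"]:
        findings.append("leaf certificate uses a wildcard CN")
    return findings


# Constructed s_client report in the same layout as the one in the thread.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
depth=1 /C=US/O=Example BBS/OU=Certification Authority/CN=Example CA
verify return:1
depth=0 /C=US/O=Example BBS/OU=Online Services/CN=*.example.org
verify return:1
---
Certificate chain
 0 s:/C=US/O=Example BBS/OU=Online Services/CN=*.example.org
   i:/C=US/O=Example BBS/OU=Certification Authority/CN=Example CA
 1 s:/C=US/O=Example BBS/OU=Certification Authority/CN=Example CA
   i:/C=US/O=Example BBS/OU=Certification Authority/CN=Example CA
---
Acceptable client certificate CA names
/C=US/O=Example BBS/OU=Certification Authority/CN=Example CA
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Verify return code: 0 (ok)
---
"""
```

Running `parse_tls_record(TRACE_LINE)` shows the logged bytes are a TLSv1 handshake record of length 4 carrying a zero-length ServerHelloDone, which is exactly the "write server done A" step in the trace: the server's flight was complete and it was now waiting for the client's Certificate message. The "Resource temporarily unavailable" on the following `tls_read` is strerror(EAGAIN), so the non-blocking socket simply had nothing from the client yet at that moment; the trace alone does not say why the client never sent its next flight. Against the s_client report, `assess(parse_s_client(SAMPLE_S_CLIENT))` confirms the chain verified and that a CertificateRequest listing the CA was sent, and flags the 3DES cipher, the 1024-bit key and the wildcard CN as things a reviewer today would want changed.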