SSL_ACCEPT...!!! failure - Openssl


Thread: SSL_ACCEPT...!!! failure

  1. SSL_ACCEPT...!!! failure

    hi,

    I am stuck with the error "Unable to get local issuer certificate" and then
    "SSL3_GET_CLIENT_CERTIFICATE: peer certificate not return".

    I have created my own certificates using Openssl.exe. I have created
    CACert.pem, which is a self-signed CA certificate, and then two other
    certificates, one is ClientCert.pem and the other is ServerCert.pem, which are
    signed by CACert.pem.

    I have created an OpenSSL server and, on the other side, a client using another
    library (XySSL). There is no problem at the client side.
    Certificate loading succeeds, but verification fails with the error message
    written above.

    I am using SSL_CTX and its APIs for certificate loading and a callback
    function for verification using SSL_CTX_set_verify(ctx, <MODE>, callback function)

    Am I doing something wrong...???
    Or is anything more required..???

    please help..

    Thanks and regards,




    --
    regards,
    Vineeta Kumari
    Software engg
    Mobera Systems
    Chandigarh


  2. Re: SSL_ACCEPT...!!! failure

    Hi vinni,

    As a hint, I will reformulate how I understand your problem.

    The server cannot accept the client certificate because it cannot check
    that the certificate has been issued by a trusted CA.

    This arises because the CA certificate is not available, so the questions are:
    1) Is the CA certificate available to your program?
    2) If it is available, why does the program not use it?

    I hope this helps

    Dominique



    --
    Dr Dominique LOHEZ
    ISEN
    41, Bd Vauban
    F59046 LILLE
    France

    Phone : +33 (0)3 20 30 40 71
    Email: Dominique.Lohez@isen.fr

    __________________________________________________ ____________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  3. RE: SSL_ACCEPT...!!! failure




    vinni rathore wrote:
    >
    > hi,
    >
    > i am stuck with the error "Unable to get local issuer certificate" and
    > then "SSL3_GET_CLIENT_CERTIFICATE: peer certificate not return".
    >
    > I have created my own certificates using Openssl.exe . I have created
    > CACert.pem which is self signed CA certificate and then two other
    > certificates one is ClientCert.pem and other is ServerCert.pem which
    > are signed from the CACert.pem.
    >
    > I have created OpenSSL server and other side a client supporting Other
    > type of library(XySSL). There is no problem at client side.
    > Certificate loading got success but verification fails with the above
    > written error message.
    >


    For some reason, the CA cert is not readable by the client.
    This looks like a coding error. Unless you give a minimal code snippet that
    has this problem, it would be difficult to answer. Have you used the function
    that sets the verify certificate?

    > i am using ssl_ctx and its API's for certificate loading and a
    > callback function for verification using SSL_ctx_set_verify(ctx,
    > , callback function)
    >
    > Is something i doing wrong ...???
    > or anything more required..???


    Minimal working code snippet.

    >
    > please help..
    >
    > Thanks and regards,
    >
    >



    DISCLAIMER
    ==========
    This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails.


  4. RE: SSL_ACCEPT...!!! failure


    Hello
    I am using SSL_CTX_load_verify_locations() to load the CA certs.
    I have another question:
    How does SSL_accept actually get the client certificate?? Does its internal
    function also fetch the CA certificate of the client, or does it check its own
    CA list that is set by the above function??
    Also, is it necessary for the CN and the CA certificate to have the same name?
    When I got the error, it showed the details of my client cert with issuer and
    subject. In issuer it displays all the details I filled in during creation...
    along with the CN name of the CA.

    Help me out... :-((


    Ambarish Mitra wrote:
    >
    >
    >
    >
    > vinni rathore wrote:
    >>
    >> hi,
    >>
    >> i am stuck with the error "Unable to get local issuer certificate" and
    >> then "SSL3_GET_CLIENT_CERTIFICATE: peer certificate not return".
    >>
    >> I have created my own certificates using Openssl.exe . I have created
    >> CACert.pem which is self signed CA certificate and then two other
    >> certificates one is ClientCert.pem and other is ServerCert.pem which
    >> are signed from the CACert.pem.
    >>
    >> I have created OpenSSL server and other side a client supporting Other
    >> type of library(XySSL). There is no problem at client side.
    >> Certificate loading got success but verification fails with the above
    >> written error message.
    >>

    >
    > For some reason, the CA cert is not readable by the client.
    > This looks like a coding error. Unless you give a minimal code snippet
    > that
    > has this problem, it
    > would be difficult to answer. Have you used the function that set the
    > verify
    > certificate?
    >
    >> i am using ssl_ctx and its API's for certificate loading and a
    >> callback function for verification using SSL_ctx_set_verify(ctx,
    >> , callback function)
    >>
    >> Is something i doing wrong ...???
    >> or anything more required..???

    >
    > Minimal working code snippet.
    >
    >>
    >> please help..
    >>
    >> Thanks and regards,
    >>
    >>




  5. Re: SSL_ACCEPT...!!! failure

    Vinni wrote:
    > Hello
    > i am using SSL_CTX_load_verify_locations() to load the CA certs.
    > I have another question that ..
    > How actually the SSL_accept get the client certificate ?? Is its internal
    > function also fetch the
    > CA certificate of the client or it check the CA list of its own that is set
    > by the above function??

    The program must check that the issuer of the client certificate is a
    trusted CA.
    This is achieved by verifying that the signature of the certificate
    conforms to the information of the CA certificate.

    > Also is it necessary to have same name of CN and CA certificate. As when got
    > the error it shows the details of my client cert with issuer and subject.
    > In issuer it displays all the details whatever i filled during creation....
    > along with CN name of the CA.
    >
    > Help me out... :-((

    --
    Dr Dominique LOHEZ
    ISEN
    41, Bd Vauban
    F59046 LILLE
    France

    Phone : +33 (0)3 20 30 40 71
    Email: Dominique.Lohez@isen.fr
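
An added example (not written by any poster in this thread) that reproduces the error with the openssl command-line tool: the same client certificate is verified once against a trust file that lacks its issuer and once against the issuing CA, with `-CAfile` playing the role of the file handed to SSL_CTX_load_verify_locations(). CACert.pem and ClientCert.pem follow the thread's naming; the subject names, key files and OtherCA.pem are constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway, constructed PKI. Subject names are made up.

# Build a CA, a client certificate signed by it, and an unrelated CA in dir $1.
make_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Thread Test CA" \
        -keyout "$d/ca.key" -out "$d/CACert.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Test CA" \
        -keyout "$d/other.key" -out "$d/OtherCA.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/CACert.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -out "$d/ClientCert.pem" 2>/dev/null
}

# Verify certificate $2 against trust file $1 and print openssl's verdict.
# Output is captured from both streams; the exit status is ignored on purpose,
# because older openssl releases return 0 even when verification fails.
verify_against() {
    openssl verify -CAfile "$1" "$2" 2>&1 || true
}

# Print one name ($1 = subject or issuer) of certificate $2 in normalised form.
name_of() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || return 1
    # Chain building looks for a trusted certificate whose subject equals this issuer.
    echo "client issuer : $(name_of issuer "$d/ClientCert.pem")"
    echo "CA subject    : $(name_of subject "$d/CACert.pem")"
    echo "--- trust file holds a different CA:"
    verify_against "$d/OtherCA.pem" "$d/ClientCert.pem"
    echo "--- trust file holds the issuing CA:"
    verify_against "$d/CACert.pem" "$d/ClientCert.pem"
    rm -rf "$d"
}

demo
```

The issuer name of the client certificate and the subject name of the CA certificate are the pair that must match; the client's own CN is independent of the CA's CN.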
