I'm running into an issue (with both 0.9.7l and 0.9.8g) where I'm
attempting to connect to a server with a client certificate and what
appears to be a complete chain of server certificates, and yet I'm
still getting the 'unknown ca' error.
My command line is:
openssl s_client \
-connect [HOST]:443 \
-CAfile server_chain.pem \
-cert client_keypair.pem \
-key client_keypair.pem
The output I see is (from 0.9.8g on Ubuntu, and I've redacted the
company name):
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
verify return:1
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign
International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by
Ref. LIABILITY LTD.(c)97 VeriSign
verify return:1
depth=0 /C=US/ST=Indiana/L=Carmel/O=[COMPANY NAME]./OU=MMI/CN=[HOST]
verify return:1
4645:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1053:SSL alert number 48
4645:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
To my (admittedly noob-ish) eyes, it appears that everything in the
chain has been validated successfully. If I remove the -CAfile
parameter, I get the following output (again 0.9.8g on Ubuntu):
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
4661:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1053:SSL alert number 48
4661:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:
The above makes a little more sense to me, as the CA certificate isn't
(I guess) in the default set shipped with the OS. Similar errors occur
in 0.9.7l on MacOSX 10.5.6, but with different line numbers in the
source files.
Is there something I'm doing wrong here?
Many thanks,
Paul
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
> Hi,
>
> I'm running into an issue (with both 0.9.7l and 0.9.8g) where I'm
> attempting to connect to a server with a client certificate and what
> appears to be a complete chain of server certificates, and yet I'm
> still getting the 'unknown ca' error.
>
> My command line is:
>
> openssl s_client \
>   -connect [HOST]:443 \
>   -CAfile server_chain.pem \
>   -cert client_keypair.pem \
>   -key client_keypair.pem
Don't put your trust chain in the CAfile, that's for validating server certs;
rather make sure your client_keypair.pem file also contains additional
CA certs as required: first the client cert, then the intermediate CA
that signed it, ... up to the root CA cert, which is optional.
> To my (admittedly noob-ish) eyes, it appears that everything in the
> chain has been validated successfully. If I remove the -CAfile
> parameter, I get the following output (again 0.9.8g on Ubuntu):
You are happy with the server cert, but the server is not happy with your
(client) cert.
--
Viktor.
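Added example, not part of the thread: a small POSIX shell helper that checks a client bundle is ordered the way the reply describes (leaf first, each cert followed by its issuer) before it is handed to s_client, plus the corrected invocation. File names (client_chain.pem, client_key.pem, server_roots.pem) are placeholders and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added helper (not from the thread): sanity-check a client chain bundle before
# handing it to s_client. File names are placeholders; openssl must be on PATH.

# Count the certificates in a PEM bundle (no openssl needed).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth certificate (1-based) of a PEM bundle to stdout.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# Walk the bundle leaf-first and confirm issuer(k) == subject(k+1), i.e. each
# certificate is followed by the CA that signed it, which is the order the
# server needs to build a path from the client cert up to a root it trusts.
check_chain_order() {
    bundle=$1
    n=$(count_certs "$bundle")
    k=1
    while [ "$k" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$k" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$bundle" $((k + 1)) | openssl x509 -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "order break: cert $k was issued by '${issuer#issuer=}'," \
                 "but cert $((k + 1)) is '${subject#subject=}'" >&2
            return 1
        fi
        k=$((k + 1))
    done
    echo "chain order ok: $n certificate(s), leaf first"
}

# Corrected invocation from the reply: the server's trust anchors go in
# -CAfile, the client's own chain (leaf first) in -cert, the key in -key.
connect_with_client_chain() {
    openssl s_client -connect "$1:443" -CAfile server_roots.pem \
        -cert client_chain.pem -key client_key.pem
}
```

If the server still returns alert 48 (unknown_ca) with a correctly ordered bundle, the remaining question is whether the server's own trust store contains the root that issued the client's intermediate.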