SSL verification failure for Trusted Certificates

Rajesh M

Nov 16, 2016, 7:44:39 AM
to Repo and Gerrit Discussion
Hi,

We have a Gerrit node with Trusted SSL certificates. Certificates are showing as "Secure and Trusted" in all browsers.
Also, we are able to verify the certificates on all RHEL 7.x platforms, but the verification is failing on RHEL 5.x and RHEL 6.x platforms.

We have followed the procedures from https://gist.github.com/stefanozanella/4124338 to create the keystore.

We have created the certificate chain with the trusted crt and the intermediate CA bundle.

[root@myhostrh7 ~]$ openssl s_client -host gerrit.xxxx.com -port 443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2008 VeriSign, Inc. - For authorized use only", CN = VeriSign Universal Root Certification Authority
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server SHA256 SSL CA
verify return:1
depth=0 C = FI, ST = xxxxxx, L = xxxxx, O = xxxxxxx, OU = xxxxxx, OU = For Intranet Use Only, CN = xxxxxx
verify return:1
---
Certificate chain
 0 s:/C=FI/ST=xxxxxx/L=xxxxx/O=xxxxxxxxxxxxxx/OU=xxxxxxxxxx/OU=For Intranet Use Only/CN=xxxxxxxx
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server SHA256 SSL CA
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server SHA256 SSL CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign, Inc. - For authorized use only/CN=VeriSign Universal Root Certification Authority
---
.......
....
..

[root@myhostrh6 ~]# openssl s_client -host gerrit.xxxx.com -port 443 -showcerts
CONNECTED(00000003)
140067870332744:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 309 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

[root@myhostrh5 ~]$ openssl s_client -host gerrit.xxxx.com -port 443 -showcerts
CONNECTED(00000003)
7893:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

Could you help with any solutions to fix this verification problem?

Thanks and Regards,
Rajesh M
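
An added example, not part of the original post: the RHEL 6 transcript above reports `no peer certificate available` and 0 bytes read, while the RHEL 7 one reaches the `verify return` lines, so this sketch classifies an `openssl s_client` transcript by the stage it reached and extracts the failing routine from the OpenSSL error line. The function names, labels and the third sample are assumptions made for illustration; the first two samples are lines copied from the post.

```shell
#!/bin/sh
# Added example: tell "handshake aborted before any certificate was received"
# apart from "certificate received, chain verification failed".

# Print the stage an `openssl s_client` transcript (stdin) reached.
s_client_stage() {
    transcript=$(cat)
    case $transcript in
        *"verify error:"*)
            echo "verify-failed" ;;          # certificate arrived, chain rejected
        *"verify return:1"*|*"Certificate chain"*)
            echo "certificate-received" ;;   # certificate arrived, no verify error logged
        *"no peer certificate available"*|*"has read 0 bytes"*|*"handshake failure"*)
            echo "handshake-aborted" ;;      # nothing received, so nothing was verified
        *)
            echo "unknown" ;;
    esac
}

# Print "ROUTINE: reason" from the first OpenSSL error line (stdin).
# Error line layout: pid:error:code:library:routine:reason:file:line:
s_client_error() {
    awk -F: '$2 == "error" { print $5 ": " $6; exit }'
}

# Lines copied from the RHEL 6 transcript in the post.
RH6_SAMPLE='CONNECTED(00000003)
140067870332744:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 309 bytes'

# Lines copied from the RHEL 7 transcript in the post.
RH7_SAMPLE='CONNECTED(00000003)
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server SHA256 SSL CA
verify return:1
---
Certificate chain'

# Constructed sample (not from the post): a chain that fails verification.
VERIFY_FAIL_SAMPLE='CONNECTED(00000003)
depth=0 CN = gerrit.example.invalid
verify error:num=20:unable to get local issuer certificate
verify return:1'

printf 'RHEL 6: %s (%s)\n' "$(printf '%s\n' "$RH6_SAMPLE" | s_client_stage)" \
    "$(printf '%s\n' "$RH6_SAMPLE" | s_client_error)"
printf 'RHEL 7: %s\n' "$(printf '%s\n' "$RH7_SAMPLE" | s_client_stage)"
```

A `handshake-aborted` result means the client-side trust store was never consulted, so the protocol versions and cipher suites offered by each side are the first thing to compare.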
