Blackberry 7520 and failed in SSLv3 read client certificate A


Blackberry 7520 and failed in SSLv3 read client certificate A

David Gianndrea
I'm trying to figure out why I'm unable to make an ssl connection
to one of my servers with a Blackberry 7520. If I use Firefox
or IE I can make the connection without a problem, but with
the Blackberry it fails with "failed in SSLv3 read client certificate".

At first I thought it was the apache server, so I tried s_server. Got
the same response. If I go to another site that uses ssl like
https://www.hushmail.com it works. So there must be something about
my self-signed certs, or a bug??? I have installed the rootca cert
on the Blackberry.

Could anybody give me some pointers on how to troubleshoot this?


OpenSSL 0.9.7f 22 Mar 2005

[root@firewall conf]# openssl s_server -accept 443 -cert www.gianndrea.com.crt -key www.gianndrea.com.key -CAfile rootca.crt -www -state

Using default temp DH parameters
ACCEPT
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL3 alert read:fatal:close notify
SSL_accept:failed in SSLv3 read client certificate A
21640:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1052:SSL alert number 0
21640:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:180:



--
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
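
A way to read the `-state` trace in the message above, as an added example that is not part of the original thread. The state named in the "failed in" line is only the state s_server was waiting in; the parser below also checks whether a "write certificate request" state ever appeared (it did not, so no client certificate was asked for) and which side sent the alert. The sample input is the trace from the post with the mail-wrapped error line joined; the function and field names are this example's own.

```python
import re

# Constructed sample: the -state lines from the post, with the wrapped error line joined.
TRACE = """\
SSL_accept:before/accept initialization
SSL_accept:SSLv3 read client hello A
SSL_accept:SSLv3 write server hello A
SSL_accept:SSLv3 write certificate A
SSL_accept:SSLv3 write server done A
SSL_accept:SSLv3 flush data
SSL3 alert read:fatal:close notify
SSL_accept:failed in SSLv3 read client certificate A
21640:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1052:SSL alert number 0
"""

FAIL = re.compile(r"^SSL_(?:accept|connect):(?:failed|error) in (.+)$")
STATE = re.compile(r"^SSL_(?:accept|connect):(.+)$")
ALERT = re.compile(r"^SSL3 alert (read|write):(\w+):(.+)$")
ALERT_NO = re.compile(r"SSL alert number (\d+)")

def analyze(trace):
    """Summarize an s_server/s_client -state trace: where it stopped and who stopped it."""
    r = {"states": [], "alert": None, "failed_in": None, "alert_number": None}
    for line in trace.splitlines():
        line = line.strip()
        if m := FAIL.match(line):          # must be tested before the generic state pattern
            r["failed_in"] = m.group(1)
        elif m := STATE.match(line):
            r["states"].append(m.group(1))
        elif m := ALERT.match(line):
            # "read" = alert received from the peer, "write" = alert sent by this side
            r["alert"] = {"from": "peer" if m.group(1) == "read" else "local",
                          "level": m.group(2), "description": m.group(3)}
        elif m := ALERT_NO.search(line):
            r["alert_number"] = int(m.group(1))
    # A client certificate is only expected if the server sent a CertificateRequest.
    r["client_cert_requested"] = any("write certificate request" in s for s in r["states"])
    r["server_cert_sent"] = any("write certificate A" in s for s in r["states"])
    r["peer_aborted"] = bool(r["failed_in"] and r["alert"] and r["alert"]["from"] == "peer")
    return r

if __name__ == "__main__":
    for key, value in analyze(TRACE).items():
        print(f"{key}: {value}")
```

For this trace the result shows the server's certificate flight was sent in full, no client certificate was requested, and the handset ended the handshake with a fatal alert (number 0, close notify) before sending anything further.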

2nd Request for help Blackberry 7520 and failed in SSLv3 read client certificate A

David Gianndrea
I'm sure everyone is real busy like me, but if someone could explain
this error I'm getting, and suggest how I could troubleshoot it more
I would be grateful!

Dr. Henson, have you a few minutes to spare a lost admin?


David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.

Email:   [hidden email]
Web:     www.comsquared.com


David Gianndrea wrote:

> I'm trying to figure out why I'm unable to make an ssl connection
> to one of my servers with a Blackberry 7520. If I use Firefox
> or IE I can make the connection without a problem, but with
> the Blackberry it fails with "failed in SSLv3 read client certificate".
>
> At first I thought it was the apache server, so I tried s_server. Got
> the same response. If I go to another site that uses ssl like
> https://www.hushmail.com it works. So there must be something about
> my self-signed certs, or a bug??? I have installed the rootca cert
> on the Blackberry.
>
> Could anybody give me some pointers on how to troubleshoot this?
>
>
> OpenSSL 0.9.7f 22 Mar 2005
>
> [root@firewall conf]# openssl s_server -accept 443 -cert www.gianndrea.com.crt -key www.gianndrea.com.key -CAfile rootca.crt -www -state
>
> Using default temp DH parameters
> ACCEPT
> SSL_accept:before/accept initialization
> SSL_accept:SSLv3 read client hello A
> SSL_accept:SSLv3 write server hello A
> SSL_accept:SSLv3 write certificate A
> SSL_accept:SSLv3 write server done A
> SSL_accept:SSLv3 flush data
> SSL3 alert read:fatal:close notify
> SSL_accept:failed in SSLv3 read client certificate A
> 21640:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1052:SSL alert number 0
> 21640:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:180:
>

Re: 2nd Request for help Blackberry 7520 and failed in SSLv3 read client certificate A

Chris Fowler-2
On Wed, 2006-03-29 at 11:19 -0500, David Gianndrea wrote:
> Dr. Henson, have you a few minutes to spare a lost admin?

There is one way to get the attention of those who know to stop what
they are doing and spend cycles on your issue.  That way is PayPal....

Many of us on this list are very busy and don't mind helping when we
have free cycles.  It is part of being in a community but if your
project is urgent there are many consultants on this list that can help
you.  





Re: 2nd Request for help Blackberry 7520 and failed in SSLv3 read client certificate A

Dr. Stephen Henson
On Wed, Mar 29, 2006, David Gianndrea wrote:

> I'm sure everyone is real busy like me, but if someone could explain
> this error I'm getting, and suggest how I could troubleshoot it more
> I would be grateful!
>
> Dr. Henson, have you a few minutes to spare a lost admin?
>
>

Not really, I'm seriously busy at the moment. I don't have a blackberry but
all donations would be gratefully received :-)

All I can suggest at present is messing round with a few options to s_server,
in particular set the -bugs option and restrict ciphersuites to just RC4 using
the -cipher option.

Also some implementations don't like self-signed server certificates. Try
making a real CA and using a certificate signed by it as the server
certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk