Decryption question

Decryption question

Lee Colclough

Hi,

I have created a CA certificate and used it to sign a server and client certificate for my client / server apps. All the certificate validation seems fine, and the data I send out (it’s a SOAP message) appears to have been encrypted properly, but it’s not being decrypted at the other end.

I’m on a WinXP system, and I have concatenated the key and cert files together in PEM format as instructed. The error message I get is invalid SOAP message, because when I look at the message received by the server, it’s still encrypted.

If anyone has any knowledge of using OpenSSL within gSoap and can help, I can provide more specific detail.

Any ideas appreciated,

Lee Colclough


Re: Decryption question

Kyle Hamilton
I'm not entirely certain what you're looking at.

The server that hosts the SOAP service must be accessed using TLS or
SSL; this means that the certificate and key need to be available to
the server hosting the service, not (necessarily) the client.  (XML
encryption isn't done yet, according to the docs I'm reading.)

The idea behind SSL and TLS is this: SSL/TLS provide you what is
essentially a socket that you can read from and write to, the same way
you normally would.  This socket passes information through in such a
way that what is sent is what is read, both ways.  The encryption is
handled almost transparently to your application.  If you're getting
garbage at the server end, then you have an issue with the code that's
generating the garbage, not necessarily TLS/SSL.

If I'm missing something, please let me know.  Your report wasn't very
helpful in figuring out what you're doing or how you're doing it.
Your server is gSOAP.  What's your client?  How are they configured
[to the extent that they use encryption]?

-Kyle H

On 2/8/06, Lee Colclough <[hidden email]> wrote:

> Hi,
>
> I have created a CA certificate and used it to sign a server and client
> certificate for my client / server apps.  All the certificate validation
> seems fine, and the data I send out (it's a SOAP message) appears to have
> been encrypted properly, but it's not being decrypted at the other end.
>
> I'm on a WinXP system, and I have concatenated the key and cert files
> together in PEM format as instructed.  The error message I get is invalid
> SOAP message, because when I look at the message received by the server,
> it's still encrypted.
>
> If anyone has any knowledge of using OpenSSL within gSoap and can help, I
> can provide more specific detail.
>
> Any ideas appreciated,
>
> Lee Colclough
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

RE: Decryption question

Lee Colclough
Hi, thanks for the response,

Sorry to post something this convoluted to the group, but I need help
and Kyle asked for more info - he may now regret that!  Here is a bit
more detail:

I currently have a GUI executable which calls functions and operations
on a DLL.  What the DLL actually does is immaterial.  My task is to make
the DLL run as a Windows service, and allow the GUI to communicate with it
using SOAP (the gSOAP toolkit is being used for this).

With this in mind, I have created an executable wrapper for the DLL, and
made it a SOAP service.  My GUI executable has been turned into a SOAP
client, so now the GUI soap client uses SOAP remote procedure calls to
get the server to do stuff.  Hope you followed that!

The new client server layout works just fine - the soap messaging works,
and the client interacts with the server with no problems via the medium
of SOAP messaging.  However, this breaks when I turn on the SSL stuff
which gSOAP supports using OpenSSL.

gSOAP apparently makes this nice and easy - you have a client and a
server method which you pass the certificate names to, along with the
certificate store, key passwords, dh file etc.

For testing purposes I run both the client and server on the same
machine, and using OpenSSL command line tools I have generated a root
CA, and used this to sign a server certificate and client certificate
(PEM format).

Now, I don't get any errors at all from the certificates - at first when
I did this I got key errors and hostname mismatch errors, but now
nothing, so I believe I generated the certs properly.

However, when the client sends the SOAP message to the server via https
and the SOAP deserialiser parses it, it is still garbage.  The gSOAP
toolkit provides sent and received log files at both ends - the client
sent file contains a valid SOAP message, the server received file
contains a load of junk (ie: the encrypted SOAP message).

What I am really asking for is this - I generate the certificates as
stated then concatenate the server key to the server cert, and likewise
for the client key and cert. These concatenated PEM files are then used
as the certificates at both ends.  When I do this, the encryption seems
to work but decryption does not.  Do you have any idea of what this
could be, as I am lost!

From what I can see, I think I'm getting confused over what the server
actually wants when it says a certificate - if I have generated a server
certificate and key, is that what it is expecting?

I know I'm presupposing a lot of knowledge of gSOAP, but I don't think
it's gSOAP specific - that's just one method call where I tell it where
to find the certificate.

Still a confusing explanation I know, but it's a confusing problem!

Hope this helps a little, many thanks in advance for anyone who trawled
through all this!

Lee Colclough

Re: Decryption question

Kyle Hamilton
In order for a certificate to have any meaning, it must include a
public key (of whatever type), and the private key should be kept
private for that side.

Thus, you've created three keypairs: one for the CA, one for the
server, one for the client.

The CA's certificate is self-signed, and you've given that certificate
to both the server and the client.

The server's certificate is signed by the CA, and you've given it to the server.

The client's certificate is signed by the CA, and you've given it to the client.

Okay.  Now, I understand what you're trying to do -- you're trying to
use SOAP in place of DCOM [which, btw, I applaud :)].  There's a whole
bunch of things that can go wrong on either side -- this is where the
openssl command-line program comes in handy.

What you want to do is manually generate some valid queries and valid
answers to those queries, because what you're going to do is fake the
server, and then fake the client.  To fake the server, get the server
cert and key out and put it into a new directory, name it server.pem,
copy the CA cert to the new directory, name it CA.pem, and then type
the following: 'openssl s_server -accept (portnum) -crlf -cert
server.pem -CAfile CA.pem'  (obviously, you want to replace portnum
with the actual port you're trying to use -- MAKE SURE THAT NOTHING
ELSE IS LISTENING ON IT, OR YOU WILL GET AN ERROR).

Then, use the client to connect to it, and send a request.  If it
comes through properly (i.e., you can read it), the client is
respecting the certificate that the server is sending.  Hit ctrl-c to
stop the server, and then do the same line, except append '-Verify
CA.pem' to the end of it, and then perform the test again.  If it
comes through, then it's not an SSL problem on the client or server
end, and you will have to look at gSOAP for the answer.

To test what the server is sending back to the client, you use almost
the same command, except it's: 'openssl s_client -connect
hostname:port -verify CA.pem -cert client.pem -crlf -CAfile CA.pem'

If you send a valid request via that mechanism, and it's logged as a
valid request on the server side, then your problem is in your
application (or, more specifically, its SOAP client library).

I hope this helps you troubleshoot it. :)

-Kyle H


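Before running the s_server / s_client tests described above, it helps to confirm that each concatenated key-plus-certificate PEM really holds a matching pair that chains to the CA. The script below is an added example, not code from the thread, OpenSSL or gSOAP; the throwaway CA, the subjects, the file names and the `make_ca`, `make_bundle` and `check_bundle` helpers are all constructed for the demo.

```shell
#!/bin/sh
# Added example. The CA, subjects, file names and helper functions are
# constructed for this demo; only the openssl subcommands are real.
set -eu
umask 077   # private keys written below should not be world-readable

# make_ca <dir>: throwaway self-signed root, written as <dir>/CA.pem.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/CA.pem" 2>/dev/null
}

# make_bundle <dir> <name> <CN>: CA-signed leaf, then key + cert concatenated
# into <dir>/<name>.pem, the layout described in the thread.
make_bundle() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/CA.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

# check_bundle <bundle.pem> <CA.pem>: prints one verdict line and returns 0
# only if the file holds a private key, a certificate carrying the matching
# public key, and that certificate verifies against the CA.
check_bundle() {
    bundle=$1 ca=$2
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$bundle" ||
        { echo "$bundle: no private key block"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle" ||
        { echo "$bundle: no certificate block"; return 1; }
    # "-passin pass:" supplies an empty passphrase, so an encrypted key
    # fails here instead of stopping at an interactive prompt.
    key_pub=$(openssl pkey -in "$bundle" -passin pass: -pubout 2>/dev/null) ||
        { echo "$bundle: private key unreadable (encrypted or damaged)"; return 1; }
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) ||
        { echo "$bundle: certificate unreadable"; return 1; }
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "$bundle: private key does not match certificate"; return 1; }
    openssl verify -CAfile "$ca" "$bundle" >/dev/null 2>&1 ||
        { echo "$bundle: certificate does not chain to $ca"; return 1; }
    echo "$bundle: ok"
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    make_bundle "$d" server "server.example.test"
    make_bundle "$d" client "demo-client"
    check_bundle "$d/server.pem" "$d/CA.pem"
    check_bundle "$d/client.pem" "$d/CA.pem"
    # Two mistakes the check is meant to catch:
    cat "$d/client.key" "$d/server.crt" > "$d/mixed.pem"   # wrong key glued on
    check_bundle "$d/mixed.pem" "$d/CA.pem" || true
    check_bundle "$d/server.crt" "$d/CA.pem" || true        # cert only, no key
    rm -rf "$d"
}
demo
```

A bundle that passes is the kind of file `-cert server.pem` or `-cert client.pem` expects when no separate `-key` option is given, since both tools then read the private key from the certificate file.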
RE: Decryption question

Lee Colclough
Fantastic response, just what I needed, thanks Kyle.

Now, I have done as you suggested:

The s_server tests showed a perfect XML message in the s_server window,
so that seems fine.

The s_client test I assumed I had to run in a separate session while
the s_server command was still running - output looked like this:

----------------------------------------------------------------
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=Lee.Datadialogs.local
   i:/CN=RootCA
 1 s:/CN=RootCA
   i:/CN=RootCA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=Lee.Datadialogs.local
issuer=/CN=RootCA
---
Acceptable client certificate CA names
/CN=RootCA
---
SSL handshake has read 1658 bytes and written 1651 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7D78ADC5D7EC3F0C2A8FE03ED5C512C7DE7A888E5B0352423990802396CCC435
    Session-ID-ctx:
    Master-Key: A52E61547ADD19440F7C8E27CCCE6AC8EFD0D5553B225E215892B599B1149C8F07B6B714F45326564A14DD8B59308E3A
    Key-Arg   : None
    Start Time: 1139411553
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
----------------------------------------------------------------

Which seems fine - from then on, whatever I typed in the client window
appeared in the server window, so this is ok too by the sound of it.

One thing you did mention - 'manually generate some valid queries and
valid answers to those queries' - did you mean manually code some soap
messages and pass them to s_client, to see what the server returns?  No
problem doing this, but how do I get them into s_client?

Thanks again, you've been a lifesaver.

Lee.



-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Kyle Hamilton
Sent: 08 February 2006 14:28
To: [hidden email]
Subject: Re: Decryption question

<snip>

Re: Decryption question

Kyle Hamilton
If you're on Win32, just type up the query, copy it, then in the
console window's system menu (alt+spacebar), select 'Edit', and then
'Paste'.

The two programs run in different processes, and don't particularly
care about sessions.  (They're not bound to Windows conventions like
Windows-specific software usually is.)  Just two separate cmd.exe
prompts would be enough.

(The reason I say 'write up a valid answer to the query' is so that
you can paste it into an s_server that you connect your application
to, to ensure that it isn't going to get garbage back.)

-Kyle H

On 2/8/06, Lee Colclough <[hidden email]> wrote:
> Fantastic response, just what I needed, thanks Kyle.
>
> Now, I have done as you suggested:
>
> The s_server tests showed a perfect XML message in the s_server window,
> so that seems fine.
>
> The s_client test I assumed I had to run in a separate session while
> the s_server command was still running - output looked like this:

[snipped for brevity]

> Which seems fine - from then on, whatever I typed in the client window
> appeared in the server window, so this is ok too by the sound of it.
>
> One thing you did mention - 'manually generate some valid queries and
> valid answers to those queries' - did you mean manually code some soap
> messages and pass them to s_client, to see what the server returns?  No
> problem doing this, but how do I get them into s_client?
>
> Thanks again, you've been a lifesaver.
>
> Lee.

RE: Decryption question

Lee Colclough
Thanks for all your help Kyle, I've run your tests and I'm now fairly
sure it's not the certificates, it's something weird to do with gSOAP.
I'm off to their user group to whine instead!

Again, thanks for providing so much assistance, I'm guessing you've
saved me days of trawling through websites and the book.

Lee.

-----Original Message-----
From: [hidden email]
[mailto:[hidden email]] On Behalf Of Kyle Hamilton
Sent: 08 February 2006 17:39
To: [hidden email]
Subject: Re: Decryption question

If you're on Win32, just type up the query, copy it, then in the
console window's system menu (alt+spacebar), select 'Edit', and then
'Paste'.

The two programs run in different processes, and don't particularly
care about sessions.  (They're not bound to Windows conventions like
Windows-specific software usually is.)  Just two separate cmd.exe
prompts would be enough.

(The reason I say 'write up a valid answer to the query' is so that
you can paste it into an s_server that you connect your application
to, to ensure that it isn't going to get garbage back.)

-Kyle H
