MTLS verification fails


MTLS verification fails

salil GK
Hi

   I am new to the certificate management domain. We have an MTLS server, and I am trying to debug certificate validation issues between the client and server.

   I used the openssl s_client and s_server commands to verify that the certificates are in good shape, but while doing so I get the following error.

    #$ openssl s_client -cert tomcat.pem  -key tomcat_priv.pem  -CAfile ca.pem -connect lrc1.cisco.com:8446

    -----

    #$ openssl s_server -key privkey.pem -cert server.pem  -accept 8446 -verify ca.pem
    verify depth is 0
    Using default temp DH parameters
    ACCEPT
    depth=2 O = Cisco Systems, CN = trca-4096-sha2
    verify error:num=19:self signed certificate in certificate chain
    ERROR
    verify error:self signed certificate in certificate chain
    140011871301248:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3427:
    shutting down SSL
    CONNECTION CLOSED

What is the meaning of this error and how do I correct this?

Thanks
~S

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: MTLS verification fails

Viktor Dukhovni


> On Mar 5, 2018, at 12:58 AM, salil GK <[hidden email]> wrote:
>
> openssl s_client -cert tomcat.pem  -key tomcat_priv.pem  -CAfile ca.pem -connect lrc1.cisco.com:8446
>
>     -----
>
>     #$ openssl s_server -key privkey.pem -cert server.pem  -accept 8446 -verify ca.pem                  
>     verify depth is 0
>     Using default temp DH parameters
>     ACCEPT
>     depth=2 O = Cisco Systems, CN = trca-4096-sha2
>     verify error:num=19:self signed certificate in certificate chain
>     ERROR
>     verify error:self signed certificate in certificate chain
>     140011871301248:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3427:
>     shutting down SSL
>     CONNECTION CLOSED
>
> What is the meaning of this error and how do I correct this - ?

You have not specified a "-CAfile" or "-CApath" option telling "s_server" where to
look for the "O = Cisco Systems, CN = trca-4096-sha2" trusted issuer CA certificate.

You've also incorrectly specified the "-verify" option, which certainly
does not help.

  https://www.openssl.org/docs/man1.0.2/apps/openssl-s_server.html

   -verify depth, -Verify depth

    The verify depth to use. This specifies the maximum length of the
    client certificate chain and makes the server request a certificate
    from the client. With the -verify option a certificate is requested
    but the client does not have to send one, with the -Verify option
    the client must supply a certificate or an error occurs.

    If the ciphersuite cannot request a client certificate (for example
    an anonymous ciphersuite or PSK) this option has no effect.

--
        Viktor.


Re: MTLS verification fails

Kyle Hamilton
> #$ openssl s_server -key privkey.pem -cert server.pem  -accept 8446 -verify ca.pem

Change the '-verify' to '-CAfile' and it might work.

-Kyle H

On Sun, Mar 4, 2018 at 9:58 PM, salil GK <[hidden email]> wrote:
>
>     #$ openssl s_client -cert tomcat.pem  -key tomcat_priv.pem  -CAfile
> ca.pem -connect lrc1.cisco.com:8446
>