Test SSL connection

Test SSL connection

OpenSSL - User mailing list

Hello,

I use OpenSSL version openssl-1.1.0h (Windows), and

I run the following command from the apps directory:

openssl s_server -accept 443 -www

The server in this case uses the certificate "server.pem".

On the client computer I run the command:

openssl s_client -connect 10.65.48.108:443

On the client computer I get the error:

Verify return code: 21 (unable to verify the first certificate)

What is wrong?

Thanks for any help

Mark

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Test SSL connection

Walter H.
On 30.05.2018 08:45, Mark Shnaider via openssl-users wrote:

> Hello,
>
> I use OpenSSL version openssl-1.1.0h (Windows), and
>
> I run the following command from the apps directory:
>
> openssl s_server -accept 443 -www
>
> The server in this case uses the certificate "server.pem".
>
> On the client computer I run the command:
>
> openssl s_client -connect 10.65.48.108:443
>
> On the client computer I get the error:
>
> Verify return code: 21 (unable to verify the first certificate)
>
> What is wrong?
>
> Thanks for any help
>
> Mark

Very probably the client doesn't have the root CA certificate of the CA certificate that signed server.pem.

You should have at least the following:

ca.pem - the root CA
server.pem - the server SSL/TLS certificate

Walter


Re: Test SSL connection

JordanBrown
On 5/30/2018 1:16 AM, Walter H. wrote:
> On 30.05.2018 08:45, Mark Shnaider via openssl-users wrote:
>> [...]
>>
>> openssl s_client -connect 10.65.48.108:443
>>
>> [...]
> Very probably the client doesn't have the root CA certificate of the CA certificate that signed server.pem.
>
> You should have at least the following:
>
> ca.pem - the root CA
> server.pem - the server SSL/TLS certificate

And also:  the certificate is unlikely to list an IP address, so it should fail hostname verification.  You need to use a host name in your client connection request, not an IP address.

(Pretty much, you don't ever want to use IP addresses in specifying TLS connections.)
-- 
Jordan Brown, Oracle Solaris


Re: Test SSL connection

Viktor Dukhovni


> On May 30, 2018, at 4:06 PM, Jordan Brown <[hidden email]> wrote:
>
> And also:  the certificate is unlikely to list an IP address, so it should fail hostname verification.  You need to use a host name in your client connection request, not an IP address.
>
> (Pretty much, you don't ever want to use IP addresses in specifying TLS connections.)

True, but s_client does not do namechecks by default.  You'd have
to request that behaviour with the "-verify_hostname" option.  The
OP does not report doing that, so verification was likely limited
to just checking the trust chain.

A more complete invocation (with 1.1.0 or later) would be:

  openssl s_client \
        -connect $host:$port \
        -CApath $capath \
        -CAfile $cafile \
        -verify $depth \
        -servername $host \
        -verify_hostname $host \
        -verify_return_error

for suitable choices of $capath, $cafile, $depth, $host and $port
and in some cases additional desired options.

--
        Viktor.
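
Added example, not part of the original thread or of OpenSSL: a small shell sketch that builds an s_client invocation with both chain and name checks (using `-verify_ip` instead of `-verify_hostname` when the target is an IPv4 address, as in the original post) and reads the "Verify return code" line back out of the output. The function names and the sample output line are constructed for illustration; `ca.pem` stands for whatever CA file the client actually has.

```shell
#!/bin/sh
# Added example: hypothetical helper functions, not part of OpenSSL.

# is_ipv4 TARGET: succeed if TARGET looks like a dotted-quad IPv4 literal.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# sclient_cmd HOST PORT CAFILE: print an s_client command line that checks
# the trust chain and the peer name, and aborts on any verification error.
sclient_cmd() {
    host=$1; port=$2; cafile=$3
    if is_ipv4 "$host"; then
        # An address is matched against the certificate's IP entries; SNI
        # carries DNS names only, so -servername is left out.
        name_opts="-verify_ip $host"
    else
        name_opts="-servername $host -verify_hostname $host"
    fi
    echo "openssl s_client -connect $host:$port -CAfile $cafile" \
         "$name_opts -verify_return_error"
}

# verify_code: read s_client output on stdin, print the last numeric result.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (.*/\1/p' | tail -n 1
}

# explain CODE: what the codes relevant to this thread usually point to.
explain() {
    case $1 in
        0)     echo "ok: chain (and any requested name check) verified" ;;
        18|19) echo "self-signed: trust that certificate or root via -CAfile" ;;
        20|21) echo "issuer unknown: give the client the CA via -CAfile/-CApath" ;;
        62)    echo "hostname mismatch: connect with a name the certificate lists" ;;
        64)    echo "IP mismatch: the certificate does not list this address" ;;
        *)     echo "other failure: look up code $1 in the verify documentation" ;;
    esac
}

# Constructed sample: the line from the original post, as s_client prints it.
SAMPLE='    Verify return code: 21 (unable to verify the first certificate)'
sclient_cmd 10.65.48.108 443 ca.pem
explain "$(printf '%s\n' "$SAMPLE" | verify_code)"
```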


Re: Test SSL connection

OpenSSL - User mailing list
In reply to this post by Walter H.

Hello Walter,

I did not find the file ca.pem (root certificate) for testing.

Thanks

Mark