Using the -cert or -key options returns the same
error, this error arises only when I use
the TLSClientVerify demand option as I explained before.
Thanks for your time.
2006/11/6, Howard Chu <hyc(a)symas.com>:
Net Warrior wrote:
> With this configuration everything seems to work fine, but now, what I
> want to do is to force my clients to use a certificate to connect,
> so, if I did not misundestrand it wrong, the demand options is a must.
> So, when I change TLSVerifyClient never to demand. I've get the
> following ( alway on my server )
> linux:/etc/ssl # openssl s_client -connect localhost:636 -state
> -showcerts -CAfile cacert.pem
This invocation of s_client didn't provide the -cert or -key options, so
no client certificate was used. Naturally the handshake fails.
Learn to use the OpenSSL tools.
> SSL_connect:before/connect initialization
> SSL_connect:SSLv2/v3 write client hello A
> SSL_connect:SSLv3 read server hello A
> depth=1 /C=AU/ST=Some State/L=City/O=Internet Widgits Pty
> Ltd/OU=Section/CN=localhost/emailAddress= test(a)company.com
> verify return:1
> depth=0 /C=AU/ST=Some Even State/L=City/O=Internet Widgits Pty
> verify return:1
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server certificate request A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client certificate A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL3 alert read:fatal:handshake failure
> SSL_connect:failed in SSLv3 read finished A
> 6274:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1052:SSL alert number 40
> 6274:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> Making some searches in the mailing list I found a guy who had the same
> problem, and he was told that with the
> demand option we force slapd to ask for a client certificate, and that
> the client certificate is a must.
> Well, now, I do not get it, cuz I'm authenticating against myself, with
> teh certificates I generated before,
> maybe ai have to generate a separate pair of certificates, do not know.
> With never, and always it works as suggested by someone in the list, who
> said that first we need try a lower option (never, allow )
> to test if the server works ) my problem is with the demand option.
> What am I mising here?
> Sorry for my stupidity, I do not get it yet.
> Thanks in advance and or your valuable time.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/