
Forum Discussion

Muhammad_Irfan1, Nov 10, 2014

Hi, here is the output of openssl. Can't establish an SSL handshake, please help.

The output is in the comment, as the formatting here is strange.


9 Replies

  • OpenSSL> s_client -connect 10.50.171.5:7777 -CAfile "F:\irfan-cert\CARoot.cer"
    Loading 'screen' into random state - done
    CONNECTED(000000F8)
    depth=3 CN = Mobilink-PKI-Root
    verify return:1
    depth=2 CN = Mobilink-PKI-SubCA
    verify return:1
    depth=1 DC = pk, DC = net, DC = mobilink, CN = Mobilink-PKI-ISS1
    verify return:1
    depth=0 C = PK, ST = punjab, L = lahore, O = mobilink, OU = FRF, CN = 10.50.171.5, emailAddress = abbas.malik@mobilink.net
    verify return:1
    6228:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
    6228:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    Certificate chain
     0 s:/C=PK/ST=punjab/L=lahore/O=mobilink/OU=FRF/CN=10.50.171.5/emailAddress=abbas.malik@mobilink.net
       i:/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
     1 s:/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
       i:/CN=Mobilink-PKI-SubCA
     2 s:/CN=Mobilink-PKI-SubCA
       i:/CN=Mobilink-PKI-Root
     3 s:/CN=Mobilink-PKI-Root
       i:/CN=Mobilink-PKI-Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [base64 certificate body omitted]
    -----END CERTIFICATE-----
    subject=/C=PK/ST=punjab/L=lahore/O=mobilink/OU=FRF/CN=10.50.171.5/emailAddress=abbas.malik@mobilink.net
    issuer=/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
    ---
    Acceptable client certificate CA names
    /DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
    /CN=Mobilink-PKI-SubCA
    /CN=Mobilink-PKI-Root
    ---
    SSL handshake has read 6337 bytes and written 198 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : RC4-SHA
        Session-ID: 7FBA71D93410222F09FCE95D43119ED1936C37F47847EDAF6E4512C30D227ABD
        Session-ID-ctx:
        Master-Key: ACC9062AB465DD716BAE6033B700F35B6ED79FB3989865ACBCAF37B10BEBD418C074F8385328680A63C65CF1AE514974
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1415606201
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    error in s_client
    • Muhammad_Irfan1
      Actually the story starts when the client asked for a .CSR file. I created a .CSR file and provided it to the client. They gave us a certificate in .crt format, which I uploaded into the file on the F5 that already had the private key and no certificate. Then I uploaded the whole chain in Trusted Certificate Authorities and also in the browser, and this was the error which I posted in the question.
    • Muhammad_Irfan1
      Yes, the client-side SSL profile is set to Require, and the CA bundle is uploaded in Trusted Certificate Authorities.
    • Muhammad_Irfan1
      curl output.

      [root@www:Active:Changes Pending] config curl -iv https://10.50.171.5:7777/
      * About to connect() to 10.50.171.5 port 7777 (0)
      *   Trying 10.50.171.5... connected
      * Connected to 10.50.171.5 (10.50.171.5) port 7777 (0)
      * successfully set certificate verify locations:
      *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
          CApath: none
      * SSLv3, TLS handshake, Client hello (1):
      * SSLv3, TLS handshake, Server hello (2):
      * SSLv3, TLS handshake, CERT (11):
      * SSLv3, TLS alert, Server hello (2):
      * SSL certificate problem, verify that the CA cert is OK. Details:
      error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      * Closing connection 0
      curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
      error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      More details here: http://curl.haxx.se/docs/sslcerts.html

      curl performs SSL certificate verification by default, using a "bundle"
      of Certificate Authority (CA) public keys (CA certs). If the default
      bundle file isn't adequate, you can specify an alternate file
      using the --cacert option.
      If this HTTPS server uses a certificate signed by a CA represented in
      the bundle, the certificate verification probably failed due to a
      problem with the certificate (it might be expired, or the name might
      not match the domain name in the URL).
      If you'd like to turn off curl's verification of the certificate, use
      the -k (or --insecure) option.
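A small triage helper for the two transcripts in this thread (the s_client output in the first comment and the curl output in this reply). This is an added example, not code from the thread or from F5; it keys on the markers visible in the quoted output (the chain verify result, the "Acceptable client certificate CA names" section that means the server sent a CertificateRequest, the alert number, and curl's CAfile line), and the sample excerpts are constructed from that output.

```python
# Added triage example (not code from the thread); sample excerpts are constructed.
import re

def triage_s_client(output: str) -> dict:
    """Classify an openssl s_client transcript by the markers visible in
    the thread: chain verify result, the CertificateRequest section
    ('Acceptable client certificate CA names') and the fatal alert."""
    alert = re.search(r"SSL alert number (\d+)", output)
    verify = re.search(r"Verify return code: (\d+)", output)
    cert_req = "Acceptable client certificate CA names" in output
    findings = {
        "chain_verified": verify is not None and verify.group(1) == "0",
        "server_requested_client_cert": cert_req,
        "alert": int(alert.group(1)) if alert else None,
    }
    # Alert 40 (handshake_failure) after the server asked for a client
    # certificate, with the server's own chain verifying OK, is the signature
    # of a server that requires client auth (profile 'require') and got none.
    if findings["chain_verified"] and cert_req and findings["alert"] == 40:
        findings["diagnosis"] = "client certificate required but not presented"
    elif not findings["chain_verified"]:
        findings["diagnosis"] = "server chain not trusted by -CAfile"
    else:
        findings["diagnosis"] = "unclassified"
    return findings

def triage_curl(output: str) -> str:
    """curl exit 60 / 'certificate verify failed' means the bundle curl used
    lacks the issuing CA; it is unrelated to client certificates."""
    if "curl: (60)" in output and "certificate verify failed" in output:
        m = re.search(r"CAfile: (\S+)", output)
        return "server CA missing from " + (m.group(1) if m else "bundle")
    return "unclassified"

# Constructed excerpts of the two transcripts quoted in the thread.
S_CLIENT_SAMPLE = """verify return:1
6228:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
Acceptable client certificate CA names
/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
    Verify return code: 0 (ok)
"""
CURL_SAMPLE = """*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

if __name__ == "__main__":
    print(triage_s_client(S_CLIENT_SAMPLE))
    print(triage_curl(CURL_SAMPLE))
```

The two outputs point at two different problems: s_client trusted the server chain via -CAfile and was then refused for lack of a client certificate, while curl never got that far because the BIG-IP's default bundle does not contain the private Mobilink CA.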