Verify code 0 OK but hand shake fail.
Please anyone help. I created a .CSR file and gave it to the client, and the client returned a certificate.crt which I uploaded into F5 to take file which already has private key. I created a client-side SSL profile and put that certificate in it, and also made a bundle out of the whole chain and put it in Trusted Certificate Authorities. I also put all the certificates in the client browser. The only thing missing in the client browser is the private key of the certificate.
Now everything works when I set client authentication to request or ignore. But when I set it to require, the handshake fails. Here is the output of OpenSSL. Please tell me what is going on. Output is in comment.
3 Replies
- OpenSSL> s_client -connect 10.50.171.5:7777 -CAfile "F:\irfan-cert\CARoot.cer"
  Loading 'screen' into random state - done
  CONNECTED(000000B4)
  depth=3 CN = Mobilink-PKI-Root
  verify return:1
  depth=2 CN = Mobilink-PKI-SubCA
  verify return:1
  depth=1 DC = pk, DC = net, DC = mobilink, CN = Mobilink-PKI-ISS1
  verify return:1
  depth=0 C = PK, ST = punjab, L = lahore, O = mobilink, OU = FRF, CN = 10.50.171.5, emailAddress = abbas.malik@mobilink.net
  verify return:1
  7084:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
  7084:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
  ---
  Certificate chain
   0 s:/C=PK/ST=punjab/L=lahore/O=mobilink/OU=FRF/CN=10.50.171.5/emailAddress=abbas.malik@mobilink.net
     i:/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
   1 s:/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
     i:/CN=Mobilink-PKI-SubCA
   2 s:/CN=Mobilink-PKI-SubCA
     i:/CN=Mobilink-PKI-Root
   3 s:/CN=Mobilink-PKI-Root
     i:/CN=Mobilink-PKI-Root
  ---
  Server certificate
  subject=/C=PK/ST=punjab/L=lahore/O=mobilink/OU=FRF/CN=10.50.171.5/emailAddress=abbas.malik@mobilink.net
  issuer=/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
  ---
  Acceptable client certificate CA names
  /DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
  /CN=Mobilink-PKI-SubCA
  /CN=Mobilink-PKI-Root
  ---
  SSL handshake has read 6337 bytes and written 198 bytes
  ---
  New, TLSv1/SSLv3, Cipher is RC4-SHA
  Server public key is 1024 bit
  Secure Renegotiation IS supported
  Compression: NONE
  Expansion: NONE
  SSL-Session:
      Protocol  : TLSv1.2
      Cipher    : RC4-SHA
      Session-ID: 16FA60494CC614EA972C45C5784E64ECAB0E0296F931240BC0F30F65B34E2918
      Session-ID-ctx:
      Master-Key: 519B4A6034B66FDC409514D6659ACFEECEC60E8B295D7E0FF7D96B3C74889071594D5530DF2C9E6823BD0838687761EE
      Key-Arg   : None
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      Start Time: 1415789671
      Timeout   : 300 (sec)
      Verify return code: 0 (ok)
  ---
  error in s_client
  OpenSSL>
- What_Lies_Bene1
Cirrostratus
If your client is not sending a certificate and you have Client Authentication set with Require, of course it will fail; you are requiring that the client authenticates itself with a certificate but not sending one.
What do you actually want?
- What_Lies_Bene1
Cirrostratus
Your s_client command does not include parameters for the client certificate that should be sent. You need to use the -cert certname parameter and specify the client certificate. You don't need to specify the CA file as it's the server verifying the certificate.
Where IE is concerned you DO NOT need to install the private key. Also, again, you do not need to install any CA or CA bundle files unless these are required to verify the SERVER certificate.
Which version of IE please? Where are you installing the certificate, are you using the Personal tab?
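An added example, not part of the thread and not F5 or OpenSSL code: a small Python parser that reads an s_client transcript like the one posted above and reports whether the server requested a client certificate, which CA names it advertised, and whether the command offered one. The function names and the trimmed sample transcript are assumptions made for illustration.

```python
import re

# Trimmed from the s_client output posted in this thread (certificate body omitted).
SAMPLE = """\
OpenSSL> s_client -connect 10.50.171.5:7777 -CAfile "F:\\irfan-cert\\CARoot.cer"
CONNECTED(000000B4)
7084:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
---
Acceptable client certificate CA names
/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
/CN=Mobilink-PKI-SubCA
/CN=Mobilink-PKI-Root
---
    Verify return code: 0 (ok)
"""

def acceptable_cas(transcript):
    """DNs the server listed in its CertificateRequest (empty if none was sent)."""
    m = re.search(r"^Acceptable client certificate CA names\n(.*?)^---", transcript, re.M | re.S)
    return [l.strip() for l in m.group(1).splitlines() if l.strip()] if m else []

def diagnose(transcript):
    """Summarise a transcript: what the client verified vs. what it offered."""
    cas = acceptable_cas(transcript)
    alert = re.search(r"SSL alert number (\d+)", transcript)
    verify = re.search(r"Verify return code: (\d+)", transcript)
    cmd = re.search(r"s_client\b.*", transcript)  # the command line, if captured
    sent_cert = bool(cmd and re.search(r"\s-cert\s", cmd.group(0) + " "))
    result = {
        "server_chain_ok": bool(verify and verify.group(1) == "0"),  # server cert only
        "client_cert_requested": bool(cas),
        "acceptable_cas": cas,
        "client_cert_offered": sent_cert,
        "alert": int(alert.group(1)) if alert else None,
    }
    # Alert 40 is handshake_failure; here the client answered the request with no certificate.
    result["likely_cause"] = (
        "server requires a client certificate and none was offered"
        if result["alert"] == 40 and cas and not sent_cert else "undetermined")
    return result

def issuer_acceptable(issuer_dn, transcript):
    """True if a client certificate's issuer DN is one the server advertised."""
    return issuer_dn in acceptable_cas(transcript)

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

"Verify return code: 0 (ok)" only covers the server's chain as checked by the client, which is why it can appear alongside alert 40.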