Hi everybody!
I am using OpenSER 1.1 with TLS. I have generated the client and server certificates with the scripts gen_rootCA.sh and gen_usercert.sh. Everything works fine, but I have generated a certificate for my UA with another CA and I have added this CA to the file user-cacert.pem. When I try to connect with my UA, OpenSER logs an error like:
"tls_error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca"
My file user-cacert.pem looks like:
-------BEGIN CERTIFICATE------
MAOIposio.....
--------END CERTIFICATE--------
-------BEGIN CERTIFICATE------
MJ809il......
--------END CERTIFICATE--------
I think that OpenSER takes only the first CA certificate and not the following ones.
Does anyone have experience with this case?
Regards
Greg
Hi Greg!
I have not tested this, but from reading the openssl docs I had the feeling that all the CAs in the ca-file will be used.
Is the CA the only one in the ca-file, or are there multiple CAs in the ca-file? Can you try whether it works when using only a single CA in the ca-file?
regards klaus
On Sun, November 5, 2006 20:39, Gregoire said:
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hi! When a single CA is in the file, there is no problem. But when I put multiple CAs, only the first one is taken. OpenSER doesn't care about the others.
Greg
Hi Gregoire!
Sorry for the late response - I was at the Openser Summit.
Regarding your problem: openser uses SSL_CTX_load_verify_locations(..) to load the CA. As the docs say (http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html), all the CAs in this file will be used:
... If CAfile is not NULL, it points to a file of CA certificates in PEM format. The file can contain several CA certificates identified by
-----BEGIN CERTIFICATE----- ... (CA certificate in base64 encoding) ... -----END CERTIFICATE-----
sequences. Before, between, and after the certificates text is allowed which can be used e.g. for descriptions of the certificates. ...
Thus, it should work out of the box. I will try it myself.
regards klaus
Hi Gregoire!
I've tested it and it works for me without problems. Maybe there is a typo in your CA file? I have 2 CAs in my CA file - see below.
regards klaus
root@pb94:/home/cert# cat CA.crt
adrians ag-project CA cert
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
"/etc/certs/fedA/demoCA/cacert.pem" von server1
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
root@pb94:/home/cert#
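To see what SSL_CTX_load_verify_locations() will actually get out of a bundle such as user-cacert.pem, here is an added example (not OpenSER or OpenSSL code) that counts the well-formed certificates in a PEM bundle and flags BEGIN/END markers with the wrong number of dashes, which OpenSSL does not recognise. The certificate bodies and bundles in it are constructed stand-ins, not real CA certificates.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# A line that resembles a PEM marker but is not exactly the canonical one
# (e.g. the wrong number of dashes); OpenSSL will not treat it as a marker.
MARKER_LIKE = re.compile(r"^-+\s*(BEGIN|END) CERTIFICATE\s*-+$")


def inspect_bundle(text):
    """Return (n_ok, problems): decodable certificates found, and issues seen."""
    n_ok, problems, body, inside = 0, [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if inside:
                problems.append(f"line {lineno}: BEGIN without a preceding END")
            inside, body = True, []
        elif line == END:
            if not inside:
                problems.append(f"line {lineno}: END without a BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
                if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
                    raise binascii.Error("body is not a DER SEQUENCE")
                n_ok += 1
            except binascii.Error as exc:
                problems.append(f"line {lineno}: undecodable certificate body ({exc})")
            inside = False
        elif MARKER_LIKE.match(line):
            problems.append(f"line {lineno}: malformed PEM marker {line!r}")
        elif inside:
            body.append(line)  # base64 payload; text outside blocks is ignored
    if inside:
        problems.append("file ends inside a certificate block")
    return n_ok, problems


# Constructed stand-in for a certificate body: a minimal DER SEQUENCE, not a real cert.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
# Two CAs with descriptive text between them, as the OpenSSL docs allow.
BUNDLE_OK = f"first CA\n{BEGIN}\n{FAKE_CERT_B64}\n{END}\nsecond CA\n{BEGIN}\n{FAKE_CERT_B64}\n{END}\n"
# Second CA wrapped in markers with too many dashes: only the first one loads.
BUNDLE_TYPO = f"{BEGIN}\n{FAKE_CERT_B64}\n{END}\n-------BEGIN CERTIFICATE------\nMAOIposio.....\n--------END CERTIFICATE--------\n"

if __name__ == "__main__":
    for name, bundle in (("well-formed", BUNDLE_OK), ("typo", BUNDLE_TYPO)):
        n, probs = inspect_bundle(bundle)
        print(f"{name}: {n} loadable CA(s), {len(probs)} problem(s)", *probs, sep="\n  ")
```

Run it against the real bundle with `inspect_bundle(open("user-cacert.pem").read())`; a count lower than the number of CAs you put in the file points at exactly the kind of marker typo suspected above.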