curl-users
Re: HTTPS - Authorization with a client's certificate!
Date: Thu, 20 Feb 2003 12:14:14 +1100
The following might help to clarify the problem:
Certificate looks like this:
Bag Attributes
friendlyName: {AE6E9112-FBBD-4A68-91FB-8D6357E2AC48}
localKeyID: 1F 14 7F 98 1F E5 14 70 8A BD FA 1B 0A AE 91 87 B1 18 06 DE
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,F1B26F2E15752895
Uhu1kOcNxHrAxrqltdk1JMYT+8nW05C4GsedIKG6tSdi9CEAaxuCQFwEvEEEB8km
........................................
DdBo96utwSCbrB6nvqV72WWRSBlTcCf6G5LwFUcPZgVD3zT16S8Y+g==
-----END RSA PRIVATE KEY-----
Bag Attributes
friendlyName: {AE6E9112-FBBD-4A68-91FB-8D6357E2AC48}
localKeyID: 1F 14 7F 98 1F E5 14 70 8A BD FA 1B 0A AE 91 87 B1 18 06 DE
subject=/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft/CN=Steven Herod/Email=sherod_at_tedis.com.au
issuer= /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
-----BEGIN CERTIFICATE-----
MIIEYjCCA8ugAwIBAgIQClEw5AWLJr9SvpNwKJ20zTANBgkqhkiG9w0BAQQFADCB
.................................
xiCRnJI8OGYO8TjXhsrVEl6/COIVaw==
-----END CERTIFICATE-----
I found one difference in the log file after trials from browser and cURL.
Here is the log:
From browser:
[20/Feb/2003 09:46:51 23415] [trace] OpenSSL: Handshake: start
[20/Feb/2003 09:46:51 23415] [trace] OpenSSL: Loop: before/accept initialization
[20/Feb/2003 09:46:51 23415] [trace] OpenSSL: Loop: SSLv3 read client hello A
[20/Feb/2003 09:46:51 23415] [trace] OpenSSL: Loop: SSLv3 write server hello A
[20/Feb/2003 09:46:51 23415] [trace] OpenSSL: Loop: SSLv3 write certificate A
[20/Feb/2003 09:46:51 23415] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[20/Feb/2003 09:46:51 23415] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Feb/2003 09:46:51 23415] [trace] Certificate Verification: depth: 2, subject: /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority, issuer: /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
[20/Feb/2003 09:46:51 23415] [trace] Certificate Verification: depth: 1, subject: /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated, issuer: /C=US/O=VeriSign, Inc./OU=Class 1 Public Primary Certification Authority
[20/Feb/2003 09:46:51 23415] [trace] Certificate Verification: depth: 0, subject: /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft/CN=Steven Herod/Email=sherod_at_tedis.com.au, issuer: /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
From cURL:
[20/Feb/2003 09:54:18 23415] [trace] OpenSSL: Handshake: start
[20/Feb/2003 09:54:18 23415] [trace] OpenSSL: Loop: before/accept initialization
[20/Feb/2003 09:54:20 23415] [trace] OpenSSL: Loop: SSLv3 read client hello A
[20/Feb/2003 09:54:20 23415] [trace] OpenSSL: Loop: SSLv3 write server hello A
[20/Feb/2003 09:54:20 23415] [trace] OpenSSL: Loop: SSLv3 write certificate A
[20/Feb/2003 09:54:20 23415] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[20/Feb/2003 09:54:20 23415] [trace] OpenSSL: Loop: SSLv3 write certificate request A
[20/Feb/2003 09:54:20 23415] [trace] OpenSSL: Loop: SSLv3 flush data
[20/Feb/2003 09:54:21 23415] [trace] Certificate Verification: depth: 0, subject: /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Microsoft/CN=Steven Herod/Email=sherod_at_tedis.com.au, issuer: /O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated
[20/Feb/2003 09:54:21 23415] [error] Certificate Verification: Error (20): unable to get local issuer certificate
[20/Feb/2003 09:54:21 23415] [trace] OpenSSL: Write: SSLv3 read client certificate B
[20/Feb/2003 09:54:21 23415] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[20/Feb/2003 09:54:21 23415] [trace] OpenSSL: Exit: error in SSLv3 read client certificate B
[20/Feb/2003 09:54:21 23415] [error] SSL handshake failed (server b2b.easyec.biz:443, client 192.168.0.2) (OpenSSL library error follows)
[20/Feb/2003 09:54:21 23415] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
So as you can see, the difference is in the depth of verification.
This might be a problem of the export or conversion (pkcs12 to PEM).
How can I set different depth for the certificate's authentication?
The web server's configuration directive SSLVerifyDepth (value 0-10) doesn't affect the result.
Any Ideas?
Thanks in advance.
Roman Florinskiy
rflorinskiy_at_tedis.com.au
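The failure mode in the two traces, reproduced as an added example that is not part of the original post or of curl: a constructed root -> intermediate -> client chain is built with the openssl CLI, the converted PEM is checked for how many certificates it carries (the one in the post holds only the leaf), and the leaf is verified first against a trust store holding only the root (giving the same depth-0 "error 20" as the cURL trace) and then against a root-plus-intermediate bundle, which is what the server needs in its CA file when the client does not send the intermediate itself. All names, paths and subjects are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed root -> intermediate
# -> client chain and reproduces the server-side failure in the cURL trace ("error 20:
# unable to get local issuer certificate" at depth 0): the client offered only its
# leaf, and the server's trust store had no intermediate to link it to the root.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF

gen_chain() {
  # root CA, self-signed (depth 2 in the browser trace)
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # intermediate CA signed by the root (depth 1)
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE\n' >"$WORK/ca.ext"
  openssl x509 -req -days 1 -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  # client leaf signed by the intermediate (depth 0): the only cert in the post's PEM
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Client" -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/client.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -out "$WORK/client.pem" 2>/dev/null
  # what the server should load as its CA file: root plus intermediate
  cat "$WORK/root.pem" "$WORK/inter.pem" >"$WORK/bundle.pem"
}

# Number of certificates in a PEM file; the PEM shown in the post carries exactly one.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Verify the client leaf as the server would, trusting only the given CA file.
# Prints openssl's diagnostics; exit status 0 means a full chain could be built.
verify_leaf() { openssl verify -CAfile "$1" "$WORK/client.pem" 2>&1; }

gen_chain
echo "certificates in client.pem: $(count_certs "$WORK/client.pem")"
echo "--- server trusts only the root (what the cURL trace shows):"
verify_leaf "$WORK/root.pem" || true
echo "--- server trusts root + intermediate (the fix):"
verify_leaf "$WORK/bundle.pem"
```

The same check works on a real converted PEM: if `count_certs` reports 1, the export contained no intermediate, and the server must carry it in its own CA file (mod_ssl's SSLCACertificateFile) because SSLVerifyDepth only limits how long a chain may be, it cannot supply a missing link.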
Received on 2003-02-20