LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Server and Client process using Openssl: Error: no client certificate available (http://www.linuxquestions.org/questions/linux-security-4/server-and-client-process-using-openssl-error-no-client-certificate-available-682317/)

lokesh_c2004 11-10-2008 05:53 AM

Server and Client process using Openssl: Error: no client certificate available
 
Hi,

I have to set up an https connection between two machines (from the command line).
I tried to use the openssl command as per the example below
(please follow steps 1, 2, 3, 4; sorry for the lengthy post...)

Server:
========
1. Create a Private CA
------------------------

Change to working directory
$ cd ~/certs
Create a directory structure for openssl to store some stuff in. This may require updating the configuration in /usr/share/ssl/openssl.cnf.
$ mkdir -p DPSI-CA/certs
$ mkdir -p DPSI-CA/crl
$ mkdir -p DPSI-CA/newcerts
$ mkdir -p DPSI-CA/private
$ touch DPSI-CA/index.txt
$ touch DPSI-CA/private/.rand
$ echo 01 >DPSI-CA/serial
Create the self-signed key and cert
$ openssl req -new -x509 -keyout DPSIkey.pem -out DPSIcert.pem -days 3650
Use a good passphrase when prompted for one.
Use reasonable values for the remaining questions
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:DPSI
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, your name or your server's hostname) []:dpsi-corp.com
Email Address []:
The new CA private key will be in DPSIkey.pem. The public key is in DPSIcert.pem

2. Finally start the https server:
----------------------------------
openssl s_server -accept 443 -key server.pem -cert DPSIcert.pem -www
Enter pass phrase for server.pem:
Using default temp DH parameters
ACCEPT


Client:
========
3. Start a client process:
--------------------------
openssl s_client -connect 10.232.228.16:443

CONNECTED(00000003)
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify return:1
---
Certificate chain
0 s:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
i:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
issuer=/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
No client certificate CA names sent
---
SSL handshake has read 1224 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: C1B1CEA206A7F1B319A2BE3E2EC66D5DD283935F4571C97F2E0D5882D9D539A4
Session-ID-ctx:
Master-Key: E806F1FD034FD9929D546518D76AEE9F2F1E87978865061B42C954EED7C81C96ACD4497B90F6B16B475A8082893358EF
Key-Arg : None
Krb5 Principal: None
Start Time: 1226334026
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---



4. Now try to fetch a webpage:
-------------------------------

GET index.html
HTTP/1.0 200 ok
Content-type: text/html

<HTML><BODY BGCOLOR="#ffffff">
<pre>

s_server -accept 443 -key server.pem -cert DPSIcert.pem -www
Ciphers supported in s_server binary
TLSv1/SSLv3:DHE-RSA-AES256-SHA TLSv1/SSLv3:DHE-DSS-AES256-SHA
TLSv1/SSLv3:AES256-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC3-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC3-SHA TLSv1/SSLv3:DES-CBC3-SHA
SSLv2 :DES-CBC3-MD5 TLSv1/SSLv3:DHE-RSA-AES128-SHA
TLSv1/SSLv3:DHE-DSS-AES128-SHA TLSv1/SSLv3:AES128-SHA
SSLv2 :RC2-CBC-MD5 TLSv1/SSLv3:DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP-KRB5-RC4-MD5 TLSv1/SSLv3:EXP-KRB5-RC4-SHA
TLSv1/SSLv3:KRB5-RC4-MD5 TLSv1/SSLv3:KRB5-RC4-SHA
TLSv1/SSLv3:RC4-SHA TLSv1/SSLv3:RC4-MD5
SSLv2 :RC4-MD5 TLSv1/SSLv3:KRB5-DES-CBC3-MD5
TLSv1/SSLv3:KRB5-DES-CBC3-SHA SSLv2 :RC4-64-MD5
TLSv1/SSLv3:EXP1024-DHE-DSS-DES-CBC-SHATLSv1/SSLv3:EXP1024-DES-CBC-SHA
TLSv1/SSLv3:EXP1024-RC2-CBC-MD5 TLSv1/SSLv3:KRB5-DES-CBC-MD5
TLSv1/SSLv3:KRB5-DES-CBC-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC-SHA TLSv1/SSLv3:DES-CBC-SHA
SSLv2 :DES-CBC-MD5 TLSv1/SSLv3:EXP1024-DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP1024-RC4-SHA TLSv1/SSLv3:EXP1024-RC4-MD5
TLSv1/SSLv3:EXP-KRB5-RC2-CBC-MD5 TLSv1/SSLv3:EXP-KRB5-DES-CBC-MD5
TLSv1/SSLv3:EXP-KRB5-RC2-CBC-SHA TLSv1/SSLv3:EXP-KRB5-DES-CBC-SHA
TLSv1/SSLv3:EXP-EDH-RSA-DES-CBC-SHA TLSv1/SSLv3:EXP-EDH-DSS-DES-CBC-SHA
TLSv1/SSLv3:EXP-DES-CBC-SHA TLSv1/SSLv3:EXP-RC2-CBC-MD5
SSLv2 :EXP-RC2-CBC-MD5 TLSv1/SSLv3:EXP-RC4-MD5
SSLv2 :EXP-RC4-MD5
---
Ciphers common between both SSL end points:
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA
EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA
DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA
DHE-DSS-RC4-SHA RC4-SHA RC4-MD5
EXP1024-DHE-DSS-DES-CBC-SHA EXP1024-DES-CBC-SHA EXP1024-RC2-CBC-MD5
EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA EXP1024-RC4-SHA EXP1024-RC4-MD5
EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5 EXP-RC4-MD5
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: C1B1CEA206A7F1B319A2BE3E2EC66D5DD283935F4571C97F2E0D5882D9D539A4
Session-ID-ctx: 01000000
Master-Key: E806F1FD034FD9929D546518D76AEE9F2F1E87978865061B42C954EED7C81C96ACD4497B90F6B16B475A8082893358EF
Key-Arg : None
Krb5 Principal: None
Start Time: 1226332902
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
1 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
---
no client certificate available
</BODY></HTML>

read:errno=0




So finally, I'm stuck here trying to figure out what is wrong...
Could anybody help me on this?
Thanks in advance,
Lokesh.C

chort 11-10-2008 09:12 AM

It didn't send a client certificate because you didn't tell it to.
http://www.openssl.org/docs/apps/s_client.html
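The following is an added example, not code posted in this thread. It goes one step beyond the answer above: passing -cert/-key to s_client is necessary, but the server also has to ask for the certificate, and the "No client certificate CA names sent" line in the transcript shows that this s_server was never told to (-verify/-Verify and -CAfile). The script builds a throwaway private CA with server and client certificates, runs s_server so that it requires a client certificate, connects with s_client, and includes a small triage function that reads saved s_client output and names the missing option. The file names, CA name, port 4433 and the two sample transcripts are constructed for this example; the demo part assumes the openssl binary is installed.

```sh
#!/bin/sh
# Added example, not code from the thread. Two parts:
#  (1) a complete mutual-TLS demo with the openssl CLI in which s_server is told
#      to REQUEST a client certificate (-Verify), which the thread's s_server lacked;
#  (2) a triage helper that reads saved s_client output and names the fix.
# File names, the CA name, the port and the sample transcripts are constructed.

# (2) Read one s_client transcript on stdin, print a finding per symptom, and
# return 0 only when nothing points at a broken client-certificate setup.
triage_s_client() {
  out=$(cat)
  rc=0
  if printf '%s\n' "$out" | grep -q '^No client certificate CA names sent'; then
    echo "server never asked for a client cert: start s_server with -CAfile <ca> and -Verify <depth> (or -verify)"
    rc=1
  elif printf '%s\n' "$out" | grep -q '^Acceptable client certificate CA names'; then
    echo "server requested a client cert from the CAs listed; s_client must be given -cert and -key"
  fi
  if printf '%s\n' "$out" | grep -q 'Verify return code: 18 '; then
    echo "client does not trust the self-signed server cert: give s_client -CAfile <ca>"
    rc=1
  fi
  if printf '%s\n' "$out" | grep -q '^no client certificate available'; then
    echo "the -www page confirms the handshake completed without a client cert"
    rc=1
  fi
  return $rc
}

# (1) Private CA, server cert, client cert, then a server that demands a client cert.
# Runs in a subshell so the cd does not leak. Needs openssl and a free port 4433.
mtls_demo() (
  set -e
  mkdir -p "${1:-./mtls-demo}" && cd "${1:-./mtls-demo}"
  # self-signed CA (unencrypted key: demo only)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Private CA" \
      -keyout ca.key -out ca.crt 2>/dev/null
  # server and client leaf certificates, both issued by that CA
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
        -keyout "$n.key" -out "$n.csr" 2>/dev/null
    openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 365 -out "$n.crt" 2>/dev/null
  done
  # -Verify 1 makes s_server send a CertificateRequest naming ca.crt and refuse
  # clients without a valid certificate (-verify would only ask for one).
  openssl s_server -accept 4433 -key server.key -cert server.crt \
      -CAfile ca.crt -Verify 1 -www >server.log 2>&1 &
  srv=$!
  sleep 1
  # The client presents its certificate AND trusts the CA, so both sides verify.
  { printf 'GET /\r\n\r\n'; sleep 1; } | openssl s_client -connect 127.0.0.1:4433 \
      -cert client.crt -key client.key -CAfile ca.crt >client.log 2>&1 || true
  kill "$srv" 2>/dev/null || true
  triage_s_client <client.log
)

# Constructed sample: the decisive lines from the thread's first s_client run.
SAMPLE_THREAD='CONNECTED(00000003)
verify error:num=18:self signed certificate
---
No client certificate CA names sent
---
Verify return code: 18 (self signed certificate)
---
no client certificate available'

# Constructed sample: what a healthy run of mtls_demo produces on the client side.
SAMPLE_MTLS_OK='CONNECTED(00000003)
---
Acceptable client certificate CA names
/CN=Demo Private CA
---
Verify return code: 0 (ok)'

# With "demo" as first argument run the live demo; otherwise triage the thread sample.
if [ "${1:-}" = demo ]; then
  mtls_demo
else
  printf '%s\n' "$SAMPLE_THREAD" | triage_s_client || true
fi
```

Run `sh mtls.sh` to see the three findings for the thread's transcript, or `sh mtls.sh demo` to build the CA and certificates and watch the same triage report a clean handshake. Saving a real session with `openssl s_client ... 2>&1 | tee client.log` and piping it into `triage_s_client` is the quickest way to tell whether the missing piece is on the client (-cert/-key, -CAfile) or on the server (-Verify, -CAfile).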

lokesh_c2004 11-10-2008 09:30 AM

Now I tried as follows:

1. Connect to the Server:
-------------------------
openssl s_client -connect 10.232.228.16:443 -cert client.crt -key client.key

CONNECTED(00000003)
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify return:1
---
Certificate chain
0 s:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
i:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
issuer=/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
No client certificate CA names sent
---
SSL handshake has read 1224 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: EF2BF8D553C4A8A4D882D954893CF180E37C72B7B04C7BEC818D9FEDBB97E5C7
Session-ID-ctx:
Master-Key: C5C8FF976C495F7DC0675A215EC402EA58ACCF8E6EB2EC98C86B6DCAAEA5E97474BDBF20AC187400DE15ADC82EDB1B7D
Key-Arg : None
Krb5 Principal: None
Start Time: 1226347106
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---


2. Try to fetch a web page
---------------------------

GET ./index.html
HTTP/1.0 200 ok
Content-type: text/html

<HTML><BODY BGCOLOR="#ffffff">
<pre>

s_server -accept 443 -key server.key -cert server.crt -www
Ciphers supported in s_server binary
TLSv1/SSLv3:DHE-RSA-AES256-SHA TLSv1/SSLv3:DHE-DSS-AES256-SHA
TLSv1/SSLv3:AES256-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC3-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC3-SHA TLSv1/SSLv3:DES-CBC3-SHA
SSLv2 :DES-CBC3-MD5 TLSv1/SSLv3:DHE-RSA-AES128-SHA
TLSv1/SSLv3:DHE-DSS-AES128-SHA TLSv1/SSLv3:AES128-SHA
SSLv2 :RC2-CBC-MD5 TLSv1/SSLv3:DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP-KRB5-RC4-MD5 TLSv1/SSLv3:EXP-KRB5-RC4-SHA
TLSv1/SSLv3:KRB5-RC4-MD5 TLSv1/SSLv3:KRB5-RC4-SHA
TLSv1/SSLv3:RC4-SHA TLSv1/SSLv3:RC4-MD5
SSLv2 :RC4-MD5 TLSv1/SSLv3:KRB5-DES-CBC3-MD5
TLSv1/SSLv3:KRB5-DES-CBC3-SHA SSLv2 :RC4-64-MD5
TLSv1/SSLv3:EXP1024-DHE-DSS-DES-CBC-SHATLSv1/SSLv3:EXP1024-DES-CBC-SHA
TLSv1/SSLv3:EXP1024-RC2-CBC-MD5 TLSv1/SSLv3:KRB5-DES-CBC-MD5
TLSv1/SSLv3:KRB5-DES-CBC-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC-SHA TLSv1/SSLv3:DES-CBC-SHA
SSLv2 :DES-CBC-MD5 TLSv1/SSLv3:EXP1024-DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP1024-RC4-SHA TLSv1/SSLv3:EXP1024-RC4-MD5
TLSv1/SSLv3:EXP-KRB5-RC2-CBC-MD5 TLSv1/SSLv3:EXP-KRB5-DES-CBC-MD5
TLSv1/SSLv3:EXP-KRB5-RC2-CBC-SHA TLSv1/SSLv3:EXP-KRB5-DES-CBC-SHA
TLSv1/SSLv3:EXP-EDH-RSA-DES-CBC-SHA TLSv1/SSLv3:EXP-EDH-DSS-DES-CBC-SHA
TLSv1/SSLv3:EXP-DES-CBC-SHA TLSv1/SSLv3:EXP-RC2-CBC-MD5
SSLv2 :EXP-RC2-CBC-MD5 TLSv1/SSLv3:EXP-RC4-MD5
SSLv2 :EXP-RC4-MD5
---
Ciphers common between both SSL end points:
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA
EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA
DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA
DHE-DSS-RC4-SHA RC4-SHA RC4-MD5
EXP1024-DHE-DSS-DES-CBC-SHA EXP1024-DES-CBC-SHA EXP1024-RC2-CBC-MD5
EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA EXP1024-RC4-SHA EXP1024-RC4-MD5
EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5 EXP-RC4-MD5
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: F2FB40B06A82941FCEF514CC116571F504946328B98259BC4C28D758EF8DC11E
Session-ID-ctx: 01000000
Master-Key: 7A6919114914352621366F014E62D61B806D8C9A624B8E2DD68E21B3727CF955917F923D058780D1BF82E614D444122D
Key-Arg : None
Krb5 Principal: None
Start Time: 1226346040
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
6 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
6 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
6 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
---
no client certificate available
</BODY></HTML>

read:errno=0




I get the same error again.
Could you suggest where I'm going wrong...

I just need the client to fetch a file from the server...

