LinuxQuestions.org
Old 11-10-2008, 04:53 AM   #1
lokesh_c2004
LQ Newbie
 
Registered: Nov 2008
Posts: 5

Rep: Reputation: 0
Server and Client process using Openssl: Error: no client certificate available


Hi,

I have to setup a https connection between two machines (from command line).
I tried to use openssl command as per the below example,
(Please follow steps 1, 2, 3, 4. Sorry for the lengthy post...)

Server:
========
1. Create a Private CA
------------------------

Change to working directory
$ cd ~/certs
Create a directory structure for openssl to store some stuff in. This may require updating the configuration in /usr/share/ssl/openssl.cnf.
$ mkdir -p DPSI-CA/certs
$ mkdir -p DPSI-CA/crl
$ mkdir -p DPSI-CA/newcerts
$ mkdir -p DPSI-CA/private
$ touch DPSI-CA/index.txt
$ touch DPSI-CA/private/.rand
$ echo 01 >DPSI-CA/serial
Create the self-signed key and cert
$ openssl req -new -x509 -keyout DPSIkey.pem -out DPSIcert.pem -days 3650
Use a good passphrase when prompted for one.
Use reasonable values for the remaining questions
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:DPSI
Organizational Unit Name (eg, section) []:Systems
Common Name (eg, your name or your server's hostname) []:dpsi-corp.com
Email Address []:
The new CA private key will be in DPSIkey.pem. The public key is in DPSIcert.pem

2. Finally start the https server:
----------------------------------
openssl s_server -accept 443 -key server.pem -cert DPSIcert.pem -www
Enter pass phrase for server.pem:
Using default temp DH parameters
ACCEPT


Client:
========
3. Start a client process:
--------------------------
openssl s_client -connect 10.232.228.16:443

CONNECTED(00000003)
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify return:1
---
Certificate chain
0 s:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
i:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
issuer=/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
No client certificate CA names sent
---
SSL handshake has read 1224 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: C1B1CEA206A7F1B319A2BE3E2EC66D5DD283935F4571C97F2E0D5882D9D539A4
Session-ID-ctx:
Master-Key: E806F1FD034FD9929D546518D76AEE9F2F1E87978865061B42C954EED7C81C96ACD4497B90F6B16B475A8082893358EF
Key-Arg : None
Krb5 Principal: None
Start Time: 1226334026
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---



4. Now try to fetch a webpage:
-------------------------------

GET index.html
HTTP/1.0 200 ok
Content-type: text/html

<HTML><BODY BGCOLOR="#ffffff">
<pre>

s_server -accept 443 -key server.pem -cert DPSIcert.pem -www
Ciphers supported in s_server binary
TLSv1/SSLv3:DHE-RSA-AES256-SHA TLSv1/SSLv3:DHE-DSS-AES256-SHA
TLSv1/SSLv3:AES256-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC3-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC3-SHA TLSv1/SSLv3:DES-CBC3-SHA
SSLv2 :DES-CBC3-MD5 TLSv1/SSLv3:DHE-RSA-AES128-SHA
TLSv1/SSLv3:DHE-DSS-AES128-SHA TLSv1/SSLv3:AES128-SHA
SSLv2 :RC2-CBC-MD5 TLSv1/SSLv3:DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP-KRB5-RC4-MD5 TLSv1/SSLv3:EXP-KRB5-RC4-SHA
TLSv1/SSLv3:KRB5-RC4-MD5 TLSv1/SSLv3:KRB5-RC4-SHA
TLSv1/SSLv3:RC4-SHA TLSv1/SSLv3:RC4-MD5
SSLv2 :RC4-MD5 TLSv1/SSLv3:KRB5-DES-CBC3-MD5
TLSv1/SSLv3:KRB5-DES-CBC3-SHA SSLv2 :RC4-64-MD5
TLSv1/SSLv3:EXP1024-DHE-DSS-DES-CBC-SHA TLSv1/SSLv3:EXP1024-DES-CBC-SHA
TLSv1/SSLv3:EXP1024-RC2-CBC-MD5 TLSv1/SSLv3:KRB5-DES-CBC-MD5
TLSv1/SSLv3:KRB5-DES-CBC-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC-SHA TLSv1/SSLv3:DES-CBC-SHA
SSLv2 :DES-CBC-MD5 TLSv1/SSLv3:EXP1024-DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP1024-RC4-SHA TLSv1/SSLv3:EXP1024-RC4-MD5
TLSv1/SSLv3:EXP-KRB5-RC2-CBC-MD5 TLSv1/SSLv3:EXP-KRB5-DES-CBC-MD5
TLSv1/SSLv3:EXP-KRB5-RC2-CBC-SHA TLSv1/SSLv3:EXP-KRB5-DES-CBC-SHA
TLSv1/SSLv3:EXP-EDH-RSA-DES-CBC-SHA TLSv1/SSLv3:EXP-EDH-DSS-DES-CBC-SHA
TLSv1/SSLv3:EXP-DES-CBC-SHA TLSv1/SSLv3:EXP-RC2-CBC-MD5
SSLv2 :EXP-RC2-CBC-MD5 TLSv1/SSLv3:EXP-RC4-MD5
SSLv2 :EXP-RC4-MD5
---
Ciphers common between both SSL end points:
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA
EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA
DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA
DHE-DSS-RC4-SHA RC4-SHA RC4-MD5
EXP1024-DHE-DSS-DES-CBC-SHA EXP1024-DES-CBC-SHA EXP1024-RC2-CBC-MD5
EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA EXP1024-RC4-SHA EXP1024-RC4-MD5
EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5 EXP-RC4-MD5
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: C1B1CEA206A7F1B319A2BE3E2EC66D5DD283935F4571C97F2E0D5882D9D539A4
Session-ID-ctx: 01000000
Master-Key: E806F1FD034FD9929D546518D76AEE9F2F1E87978865061B42C954EED7C81C96ACD4497B90F6B16B475A8082893358EF
Key-Arg : None
Krb5 Principal: None
Start Time: 1226332902
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
1 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
1 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
1 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
---
no client certificate available
</BODY></HTML>

read:errno=0




So finally, I'm stuck here trying to figure out what is wrong...
Could anybody help me with this?
Thanks in advance,
Lokesh.C
 
Old 11-10-2008, 08:12 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
It didn't send a client certificate because you didn't tell it to.
http://www.openssl.org/docs/apps/s_client.html
 
Old 11-10-2008, 08:30 AM   #3
lokesh_c2004
LQ Newbie
 
Registered: Nov 2008
Posts: 5

Original Poster
Rep: Reputation: 0
Now I tried as follows:

1. Connect to the Server:
-------------------------
openssl s_client -connect 10.232.228.16:443 -cert client.crt -key client.key

CONNECTED(00000003)
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify return:1
---
Certificate chain
0 s:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
i:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
issuer=/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
No client certificate CA names sent
---
SSL handshake has read 1224 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: EF2BF8D553C4A8A4D882D954893CF180E37C72B7B04C7BEC818D9FEDBB97E5C7
Session-ID-ctx:
Master-Key: C5C8FF976C495F7DC0675A215EC402EA58ACCF8E6EB2EC98C86B6DCAAEA5E97474BDBF20AC187400DE15ADC82EDB1B7D
Key-Arg : None
Krb5 Principal: None
Start Time: 1226347106
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---


2. Try to fetch a web page
---------------------------

GET ./index.html
HTTP/1.0 200 ok
Content-type: text/html

<HTML><BODY BGCOLOR="#ffffff">
<pre>

s_server -accept 443 -key server.key -cert server.crt -www
Ciphers supported in s_server binary
TLSv1/SSLv3:DHE-RSA-AES256-SHA TLSv1/SSLv3:DHE-DSS-AES256-SHA
TLSv1/SSLv3:AES256-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC3-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC3-SHA TLSv1/SSLv3:DES-CBC3-SHA
SSLv2 :DES-CBC3-MD5 TLSv1/SSLv3:DHE-RSA-AES128-SHA
TLSv1/SSLv3:DHE-DSS-AES128-SHA TLSv1/SSLv3:AES128-SHA
SSLv2 :RC2-CBC-MD5 TLSv1/SSLv3:DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP-KRB5-RC4-MD5 TLSv1/SSLv3:EXP-KRB5-RC4-SHA
TLSv1/SSLv3:KRB5-RC4-MD5 TLSv1/SSLv3:KRB5-RC4-SHA
TLSv1/SSLv3:RC4-SHA TLSv1/SSLv3:RC4-MD5
SSLv2 :RC4-MD5 TLSv1/SSLv3:KRB5-DES-CBC3-MD5
TLSv1/SSLv3:KRB5-DES-CBC3-SHA SSLv2 :RC4-64-MD5
TLSv1/SSLv3:EXP1024-DHE-DSS-DES-CBC-SHA TLSv1/SSLv3:EXP1024-DES-CBC-SHA
TLSv1/SSLv3:EXP1024-RC2-CBC-MD5 TLSv1/SSLv3:KRB5-DES-CBC-MD5
TLSv1/SSLv3:KRB5-DES-CBC-SHA TLSv1/SSLv3:EDH-RSA-DES-CBC-SHA
TLSv1/SSLv3:EDH-DSS-DES-CBC-SHA TLSv1/SSLv3:DES-CBC-SHA
SSLv2 :DES-CBC-MD5 TLSv1/SSLv3:EXP1024-DHE-DSS-RC4-SHA
TLSv1/SSLv3:EXP1024-RC4-SHA TLSv1/SSLv3:EXP1024-RC4-MD5
TLSv1/SSLv3:EXP-KRB5-RC2-CBC-MD5 TLSv1/SSLv3:EXP-KRB5-DES-CBC-MD5
TLSv1/SSLv3:EXP-KRB5-RC2-CBC-SHA TLSv1/SSLv3:EXP-KRB5-DES-CBC-SHA
TLSv1/SSLv3:EXP-EDH-RSA-DES-CBC-SHA TLSv1/SSLv3:EXP-EDH-DSS-DES-CBC-SHA
TLSv1/SSLv3:EXP-DES-CBC-SHA TLSv1/SSLv3:EXP-RC2-CBC-MD5
SSLv2 :EXP-RC2-CBC-MD5 TLSv1/SSLv3:EXP-RC4-MD5
SSLv2 :EXP-RC4-MD5
---
Ciphers common between both SSL end points:
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA
EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA
DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA
DHE-DSS-RC4-SHA RC4-SHA RC4-MD5
EXP1024-DHE-DSS-DES-CBC-SHA EXP1024-DES-CBC-SHA EXP1024-RC2-CBC-MD5
EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA EXP1024-RC4-SHA EXP1024-RC4-MD5
EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5 EXP-RC4-MD5
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: F2FB40B06A82941FCEF514CC116571F504946328B98259BC4C28D758EF8DC11E
Session-ID-ctx: 01000000
Master-Key: 7A6919114914352621366F014E62D61B806D8C9A624B8E2DD68E21B3727CF955917F923D058780D1BF82E614D444122D
Key-Arg : None
Krb5 Principal: None
Start Time: 1226346040
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
6 items in the session cache
0 client connects (SSL_connect())
0 client renegotiates (SSL_connect())
0 client connects that finished
6 server accepts (SSL_accept())
0 server renegotiates (SSL_accept())
6 server accepts that finished
0 session cache hits
0 session cache misses
0 session cache timeouts
0 callback cache hits
0 cache full overflows (128 allowed)
---
no client certificate available
</BODY></HTML>

read:errno=0




I get the same error again?
Could you suggest where I'm going wrong...

I just need the client to fetch a file from the server...
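The point behind chort's reply in #2 and the unchanged result in #3 is visible in the client's own transcript: a TLS client only sends a certificate when the server asks for one during the handshake, and the line "No client certificate CA names sent" means this server never did, so `-cert`/`-key` on `s_client` change nothing until `s_server` is started with `-verify <depth>` or `-Verify <depth>` (and `-CAfile` naming the CA it accepts). The script below is an added example, not code from the thread or from OpenSSL: it parses `s_client` output and reports whether a client certificate was ever requested and whether the server certificate verified. `NO_REQUEST` is an abbreviated copy of the thread's transcript; `WITH_REQUEST`, the CA distinguished name, and the file names in its docstring are constructed to show what the same client prints once the server does request a certificate.

```python
"""Diagnose an `openssl s_client` transcript for client-certificate trouble.

Added example, not code from the thread. NO_REQUEST is constructed from the
transcript in the thread (abbreviated). WITH_REQUEST is a constructed
transcript of the same client once the server runs with
`openssl s_server -Verify 1 -CAfile DPSIcert.pem -key server.key -cert server.crt -www`
and the client trusts that CA with `-CAfile DPSIcert.pem` (file names assumed).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

NO_REQUEST = """\
CONNECTED(00000003)
depth=0 /C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
verify error:num=18:self signed certificate
verify return:1
---
Certificate chain
 0 s:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
   i:/C=in/ST=karnataka/L=bangalore/O=motorola/OU=hnm/CN=mme
---
No client certificate CA names sent
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
"""

# Constructed CA name, matching the values typed in step 1 of the first post.
CA_DN = "/C=US/ST=California/L=Los Angeles/O=DPSI/OU=Systems/CN=dpsi-corp.com"
WITH_REQUEST = f"""\
CONNECTED(00000003)
depth=1 {CA_DN}
verify return:1
depth=0 /C=US/ST=California/O=DPSI/CN=server
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/O=DPSI/CN=server
   i:{CA_DN}
---
Acceptable client certificate CA names
{CA_DN}
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
"""


@dataclass
class HandshakeReport:
    requested_client_cert: bool = False      # server sent a CertificateRequest
    acceptable_cas: List[str] = field(default_factory=list)
    server_subject: str = ""
    server_issuer: str = ""
    cipher: str = ""
    verify_code: Optional[int] = None        # s_client's "Verify return code"
    verify_reason: str = ""

    @property
    def server_self_signed(self) -> bool:
        return bool(self.server_subject) and self.server_subject == self.server_issuer


_VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*)\)")
_CIPHER_RE = re.compile(r"^Cipher\s*:\s*(\S+)")


def parse_s_client(text: str) -> HandshakeReport:
    """Pull the handshake facts out of s_client's text output."""
    rep = HandshakeReport()
    lines = [ln.strip() for ln in text.splitlines()]
    i, want_issuer = 0, False
    while i < len(lines):
        ln = lines[i]
        if ln == "Acceptable client certificate CA names":
            # Present only when the server asked for a client certificate;
            # the DNs that follow (up to the next '---') are the CAs it accepts.
            rep.requested_client_cert = True
            i += 1
            while i < len(lines) and lines[i] != "---":
                rep.acceptable_cas.append(lines[i])
                i += 1
            continue
        cipher = _CIPHER_RE.match(ln)
        verify = _VERIFY_RE.search(ln)
        if ln.startswith("0 s:"):            # leaf (server) certificate subject
            rep.server_subject, want_issuer = ln[4:], True
        elif want_issuer and ln.startswith("i:"):
            rep.server_issuer, want_issuer = ln[2:], False
        elif cipher:
            rep.cipher = cipher.group(1)
        elif verify:
            rep.verify_code, rep.verify_reason = int(verify.group(1)), verify.group(2)
        i += 1
    return rep


def diagnose(rep: HandshakeReport) -> List[str]:
    """Findings as plain sentences; an empty list means nothing looked wrong."""
    findings = []
    if not rep.requested_client_cert:
        findings.append("server never sent a CertificateRequest: s_client's -cert/-key "
                        "are ignored until s_server runs with -verify <depth> or "
                        "-Verify <depth> (plus -CAfile naming the CAs it accepts)")
    elif not rep.acceptable_cas:
        findings.append("server asked for a client cert but named no acceptable CAs: "
                        "pass -CAfile <ca cert> to s_server")
    if rep.verify_code not in (None, 0):
        findings.append(f"client could not verify the server certificate (code "
                        f"{rep.verify_code}: {rep.verify_reason}); give s_client "
                        "-CAfile with the issuing CA certificate")
        if rep.server_self_signed:
            findings.append("the server certificate is self-signed, so that CA file "
                            "must contain the server certificate itself")
    return findings


if __name__ == "__main__":
    for name, text in (("thread transcript", NO_REQUEST), ("with -Verify", WITH_REQUEST)):
        rep = parse_s_client(text)
        print(f"== {name}: cipher={rep.cipher} verify={rep.verify_code}")
        for f in diagnose(rep) or ["no client-certificate problems found"]:
            print(" -", f)
```

Run it against a real transcript by piping `openssl s_client ... </dev/null` into a file and passing that text to `parse_s_client`. The `-www` page's closing line "no client certificate available" is the server-side view of the same fact: `s_server` prints it when the peer presented no certificate, which is exactly what happens when the server never requested one.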
 