<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi,<br>
<br>
On 04/12/17 09:10, <a class="moz-txt-link-abbreviated" href="mailto:wizard2010@gmail.com">wizard2010@gmail.com</a> wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAEAeT_i0wHff-=hyS5BsSyAY-0hwN+0cXzDzSz2R1PemShf=4Q@mail.gmail.com">
<div dir="ltr">Hi ,
<div><br>
</div>
<div>Please see in attach the files that I'm using.</div>
</div>
</blockquote>
<br>
I've just taken a look at your certificates and they've not been
generated correctly:<br>
<br>
$ openssl x509 -subject -issuer -noout -in ca.crt -dates -serial<br>
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd<br>
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd<br>
notBefore=Nov 27 11:52:34 2017 GMT<br>
notAfter=Nov 27 11:52:34 2018 GMT<br>
serial=A1E0F7319AAD90C0<br>
<br>
$ openssl x509 -subject -issuer -noout -in client.crt -dates -serial<br>
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd<br>
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd<br>
notBefore=Nov 27 11:53:16 2017 GMT<br>
notAfter=Nov 27 11:53:16 2018 GMT<br>
serial=01<br>
<br>
$ openssl x509 -subject -issuer -noout -in server.crt -dates -serial<br>
subject= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd<br>
issuer= /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd<br>
notBefore=Nov 27 11:52:55 2017 GMT<br>
notAfter=Nov 27 11:52:55 2018 GMT<br>
serial=01<br>
<br>
<br>
that is, the subject and issuer of the CA, server and client certs
are all the same ; also, the serial number of both client and server
certificates are the same. <br>
You will need to alter the way you generate your certificates so
that there is a clear distinction between CA, server and client
cert.<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
<br>
<blockquote type="cite"
cite="mid:CAEAeT_i0wHff-=hyS5BsSyAY-0hwN+0cXzDzSz2R1PemShf=4Q@mail.gmail.com">
<div dir="ltr">
<div>I generate the certificates with the following commands:</div>
<div><br>
</div>
<div>
<ol class="gmail-bash"
style="color:rgb(172,172,172);background:rgb(247,247,247);margin:0px;padding:0px
0px 0px 55px;font-family:Consolas,Menlo,Monaco,"Lucida
Console","Liberation Mono","DejaVu Sans
Mono","Bitstream Vera Sans
Mono",monospace,serif;font-size:12px">
<li class="gmail-li1" style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid rgb(221,221,221);background:rgb(248,248,248)"><span
class="gmail-co0"
style="color:rgb(102,102,102);font-style:italic">##
Create CA</span></div>
</li>
<li class="gmail-li1" style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
genrsa <span class="gmail-re5"
style="color:rgb(102,0,51)">-out</span> ca.key <span
class="gmail-nu0" style="color:rgb(0,0,0)">4096</span></div>
</li>
<li class="gmail-li1" style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
req <span class="gmail-re5" style="color:rgb(102,0,51)">-new</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-x509</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-days</span> <span
class="gmail-nu0" style="color:rgb(0,0,0)">365</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-key</span> ca.key <span
class="gmail-re5" style="color:rgb(102,0,51)">-out</span> ca.crt</div>
</li>
<li class="gmail-li2" style="background:rgb(255,255,255)">
<div class="gmail-de2" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
x509 <span class="gmail-re5" style="color:rgb(102,0,51)">-in</span> ca.crt <span
class="gmail-re5" style="color:rgb(102,0,51)">-out</span> ca.pem <span
class="gmail-re5" style="color:rgb(102,0,51)">-outform</span> PEM</div>
</li>
<li class="gmail-li2" style="background:rgb(255,255,255)">
<div class="gmail-de2" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><br>
</div>
</li>
</ol>
<div>
<ol class="gmail-bash"
style="color:rgb(172,172,172);background:rgb(247,247,247);margin:0px;padding:0px
0px 0px
55px;font-family:Consolas,Menlo,Monaco,"Lucida
Console","Liberation Mono","DejaVu
Sans Mono","Bitstream Vera Sans
Mono",monospace,serif;font-size:12px">
<li class="gmail-li1" style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid rgb(221,221,221);background:rgb(248,248,248)"><span
class="gmail-co0"
style="color:rgb(102,102,102);font-style:italic">##
Create the Server Key and CSR</span></div>
</li>
<li class="gmail-li1" style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
genrsa <span class="gmail-re5"
style="color:rgb(102,0,51)">-out</span> server.key <span
class="gmail-nu0" style="color:rgb(0,0,0)">4096</span></div>
</li>
<li class="gmail-li1" style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
req <span class="gmail-re5"
style="color:rgb(102,0,51)">-new</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-key</span> server.key <span
class="gmail-re5" style="color:rgb(102,0,51)">-out</span> server.csr</div>
</li>
<li class="gmail-li2" style="background:rgb(255,255,255)">
<div class="gmail-de2" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
x509 <span class="gmail-re5"
style="color:rgb(102,0,51)">-req</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-days</span> <span
class="gmail-nu0" style="color:rgb(0,0,0)">365</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-in</span> server.csr <span
class="gmail-re5" style="color:rgb(102,0,51)">-CA</span> ca.crt <span
class="gmail-re5" style="color:rgb(102,0,51)">-CAkey</span> ca.key
-set_serial 01 <span class="gmail-re5"
style="color:rgb(102,0,51)">-out</span> server.crt</div>
</li>
<li class="gmail-li2" style="background:rgb(255,255,255)">
<div class="gmail-de2" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><span
style="background-color:rgb(248,248,248)">openssl
x509 </span><span class="gmail-re5"
style="color:rgb(102,0,51)">-in</span><span
style="background-color:rgb(248,248,248)"> server.crt </span><span
class="gmail-re5" style="color:rgb(102,0,51)">-out</span><span
style="background-color:rgb(248,248,248)"> server.pem </span><span
class="gmail-re5" style="color:rgb(102,0,51)">-outform</span><span
style="background-color:rgb(248,248,248)"> PEM</span><br>
</div>
</li>
<li class="gmail-li2" style="background:rgb(255,255,255)">
<div class="gmail-de2" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><span
style="background-color:rgb(248,248,248)"><br>
</span></div>
</li>
</ol>
<div>
<ol class="gmail-bash"
style="color:rgb(172,172,172);background:rgb(247,247,247);margin:0px;padding:0px
0px 0px
55px;font-family:Consolas,Menlo,Monaco,"Lucida
Console","Liberation Mono","DejaVu
Sans Mono","Bitstream Vera Sans
Mono",monospace,serif;font-size:12px">
<li class="gmail-li1"
style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid rgb(221,221,221);background:rgb(248,248,248)"><span
class="gmail-co0"
style="color:rgb(102,102,102);font-style:italic">##
Create the Client Key and CSR</span></div>
</li>
<li class="gmail-li1"
style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
genrsa <span class="gmail-re5"
style="color:rgb(102,0,51)">-out</span> client.key <span
class="gmail-nu0" style="color:rgb(0,0,0)">4096</span></div>
</li>
<li class="gmail-li1"
style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
req <span class="gmail-re5"
style="color:rgb(102,0,51)">-new</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-key</span> client.key <span
class="gmail-re5" style="color:rgb(102,0,51)">-out</span> client.csr</div>
</li>
<li class="gmail-li1"
style="background:rgb(255,255,255)">
<div class="gmail-de1" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
x509 <span class="gmail-re5"
style="color:rgb(102,0,51)">-req</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-days</span> <span
class="gmail-nu0" style="color:rgb(0,0,0)">365</span> <span
class="gmail-re5" style="color:rgb(102,0,51)">-in</span> client.csr <span
class="gmail-re5" style="color:rgb(102,0,51)">-CA</span> ca.crt <span
class="gmail-re5" style="color:rgb(102,0,51)">-CAkey</span> ca.key
-set_serial 01 <span class="gmail-re5"
style="color:rgb(102,0,51)">-out</span> client.crt</div>
</li>
<li class="gmail-li2"
style="background:rgb(255,255,255)">
<div class="gmail-de2" style="padding:0px
8px;vertical-align:top;color:rgb(51,51,51);border-left:1px
solid
rgb(221,221,221);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">openssl
x509 <span class="gmail-re5"
style="color:rgb(102,0,51)">-in</span> client.crt <span
class="gmail-re5" style="color:rgb(102,0,51)">-out</span> client.pem <span
class="gmail-re5" style="color:rgb(102,0,51)">-outform</span> PEM</div>
</li>
</ol>
</div>
</div>
</div>
<div><font color="#333333" face="Consolas, Menlo, Monaco, Lucida
Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera
Sans Mono, monospace, serif"><span style="font-size:12px"><br>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco, Lucida
Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera
Sans Mono, monospace, serif"><span style="font-size:12px">I
left the default value of each question that openssl ask
when it's creating the certificates like Country, City,
CN, etc. Like this way:</span></font></div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px">
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">openssl req -new
-key server.key -out server.csr</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">You are about to be
asked to enter information that will be incorporated</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">into your
certificate request.</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">What you are about
to enter is what is called a Distinguished Name or a
DN.</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">There are quite a
few fields but you can leave some blank</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">For some fields
there will be a default value,</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">If you enter '.',
the field will be left blank.</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">-----</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Country Name (2
letter code) [AU]:</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">State or Province
Name (full name) [Some-State]:</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Locality Name (eg,
city) []:</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Organization Name
(eg, company) [Internet Widgits Pty Ltd]:</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Organizational Unit
Name (eg, section) []:</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Common Name (e.g.
server FQDN or YOUR name) []:</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Email Address []:</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">Please enter the
following 'extra' attributes</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">to be sent with
your certificate request</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">A challenge
password []:</blockquote>
</span></font></div>
<div><font color="#333333" face="Consolas, Menlo, Monaco,
Lucida Console, Liberation Mono, DejaVu Sans Mono,
Bitstream Vera Sans Mono, monospace, serif"><span
style="font-size:12px">
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">An optional company
name []:</blockquote>
</span></font></div>
</blockquote>
<div><font color="#333333" face="Consolas, Menlo, Monaco, Lucida
Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera
Sans Mono, monospace, serif"><span style="font-size:12px">
<div> </div>
<div>Thanks.</div>
<div>Kind regards.</div>
<div><br>
</div>
</span></font></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 30, 2017 at 2:45 PM, Jan
Just Keijser <span dir="ltr"><<a
href="mailto:janjust@nikhef.nl" target="_blank"
moz-do-not-send="true">janjust@nikhef.nl</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div class="m_-6643648392479011571moz-cite-prefix">Hi,<span
class=""><br>
<br>
On 29/11/17 14:37, <a
class="m_-6643648392479011571moz-txt-link-abbreviated"
href="mailto:wizard2010@gmail.com" target="_blank"
moz-do-not-send="true">wizard2010@gmail.com</a>
wrote:<br>
</span></div>
<span class="">
<blockquote type="cite">
<div dir="ltr">Hi JJK,
<div><br>
</div>
<div>I test you function and I've got this result:</div>
<div>
<blockquote class="gmail_quote" style="margin:0px
0px 0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">ok = 0<br>
cert DN: /C=AU/ST=Some-State/O=Internet Widgits
Pty Ltd<br>
ok = 1<br>
cert DN: /C=AU/ST=Some-State/O=Internet Widgits
Pty Ltd</blockquote>
</div>
<div><br>
</div>
<div>Why I see this 2 time?</div>
<div>When I create the certificates I didn't fill
with any special information, just type enter in
every question that is made. Did you think this
could cause this issue?</div>
<div><br>
</div>
</div>
</blockquote>
<br>
</span> what you should have seen is the certificate
stack, starting with the CA, and then the client cert,
e.g.<br>
<br>
Connection accept...<br>
ok = 1<br>
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 <a
class="m_-6643648392479011571moz-txt-link-abbreviated"
href="mailto:CA/emailAddress=openvpn@example.com"
target="_blank" moz-do-not-send="true">CA/emailAddress=openvpn@<wbr>example.com</a><br>
ok = 1<br>
cert DN: /C=US/O=Cookbook 2.4/CN=client1<br>
<br>
<br>
so I suspect that your ca.crt on the server side is not
specified correctly. <br>
You may also send me your ca.crt, server.{crt,key} and
client.{crt,key} files privately, and I will run the same
test using your set of certificates.<br>
<br>
HTH,<br>
<br>
JJK
<div>
<div class="h5"><br>
<br>
<br>
<blockquote type="cite">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Nov 29, 2017 at
8:56 AM, Jan Just Keijser <span dir="ltr"><<a
href="mailto:janjust@nikhef.nl"
target="_blank" moz-do-not-send="true">janjust@nikhef.nl</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div
class="m_-6643648392479011571m_-2945823362963703202moz-cite-prefix">Hi,<span><br>
<br>
On 28/11/17 11:03, <a
class="m_-6643648392479011571m_-2945823362963703202moz-txt-link-abbreviated"
href="mailto:wizard2010@gmail.com"
target="_blank" moz-do-not-send="true">wizard2010@gmail.com</a>
wrote:<br>
</span></div>
<blockquote type="cite">
<div dir="ltr">Hi there.
<div><br>
</div>
<span>
<div>I guess my problem is really
related to <span
style="font-size:12.8px">verify
callback on SSL_CTX_set_verify
function.</span></div>
<div><span style="font-size:12.8px">I
just add to my code a dummy
callback returning 1 and
everything works properly.</span><span
style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px"><br>
</span></div>
<div>
<blockquote style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"
class="gmail_quote"><span
style="font-size:12.8px"><br>
</span><span
style="font-size:12.8px">int
verify_callback (int ok,
X509_STORE_CTX *ctx);</span><br>
<span style="font-size:12.8px">int
verify_callback (int ok,
X509_STORE_CTX *ctx)<br>
</span><span
style="font-size:12.8px">{<br>
</span><span
style="font-size:12.8px">
printf("Verification callback
OK!\n");<br>
</span><span
style="font-size:12.8px">
return 1;<br>
</span><span
style="font-size:12.8px">}</span><span
style="font-size:12.8px"><br>
</span>...<br>
<span style="font-size:12.8px">SSL_CTX_set_verify(ssl_server_<wbr>ctx,
SSL_VERIFY_PEER |
SSL_VERIFY_FAIL_IF_NO_PEER_CER<wbr>T,
dtls_verify_callback);<br>
</span>...</blockquote>
</div>
<div style="font-size:12.8px"><br>
</div>
<div>The problem is that error don't
tell much information about what's
really going on or what's really
missing.</div>
<div>Thanks for your help.</div>
<div><br>
</div>
</span></div>
</blockquote>
Now you've effectively disabled all security
:)<br>
<br>
Try adding this to the verify_callback<br>
<br>
<br>
static int verify_callback(int ok,
X509_STORE_CTX *ctx)<br>
{<br>
X509 *cert = NULL;<br>
char *cert_DN = NULL;<br>
<br>
printf("ok = %d\n", ok);<br>
cert = X509_STORE_CTX_get_current_cer<wbr>t(ctx);<br>
cert_DN = X509_NAME_oneline(
X509_get_subject_name( cert ), NULL, 0 ); <br>
printf( "cert DN: %s\n", cert_DN);<br>
<br>
} <br>
<br>
<br>
that way, you will know whether your server
is processing the right certificate chain.<br>
<br>
HTH,<br>
<br>
JJK<br>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<p><br>
</p>
</body>
</html>