<div dir="ltr">If you have the server's key and certificate, the command will be smth like<div><br><div>openssl s_server -key key -cert cert -CAfile file_with_ca -verify_return_error</div><div><br></div><div>file_with_ca should contain a concatenation of the certs of the CAs that should issue the client's certificate.<br><br>if you don't have the server keypair, try to understand smth from the command</div></div><div><br></div><div>openssl s_client -connect host:port -cert clicert -key clikey.<br><br>At least you'll hopefully see the list of allowed client certificate issuers.<br><br>Please read the manuals of s_client/s_server apps for more details.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 7, 2020 at 11:18 PM Bashin, Vladimir <<a href="mailto:vbashin@empirix.com">vbashin@empirix.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_4052558076245561727WordSection1">
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Thanks Dmitry!<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Do I need the server certificate in order to run those commands?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Also , could you please point me to the exact commands that I’d need to execute in order to reproduce the tls handshake ?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Regards,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">VB
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif"> Dmitry Belyavsky <<a href="mailto:beldmit@gmail.com" target="_blank">beldmit@gmail.com</a>>
<br>
<b>Sent:</b> Friday, February 7, 2020 3:07 PM<br>
<b>To:</b> Bashin, Vladimir <<a href="mailto:vbashin@empirix.com" target="_blank">vbashin@empirix.com</a>><br>
<b>Cc:</b> <a href="mailto:openssl-users@openssl.org" target="_blank">openssl-users@openssl.org</a><br>
<b>Subject:</b> Re: TLS 1.2 handshake issue (Server Certificate request)<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<p class="MsoNormal">Hello Vladimir,<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">It's worth trying to reproduce the situation using openssl s_client/s_server command-line apps. <u></u><u></u></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal">On Fri, Feb 7, 2020 at 9:25 PM Bashin, Vladimir <<a href="mailto:vbashin@empirix.com" target="_blank">vbashin@empirix.com</a>> wrote:<u></u><u></u></p>
</div>
<blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal">Hello, OpenSSL experts !<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">We need your help in better understanding a below behavior -
<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">We are experiencing issue during the initial TLS handshake :<u></u><u></u></p>
<p class="MsoNormal">We have the customer-issued TLS certificate that we deploy on our TLS client system
<u></u><u></u></p>
<p class="MsoNormal">The certs have been generated with a CSR that was generated on customer’s FIPS compliant server
<u></u><u></u></p>
<p class="MsoNormal">The CSR was then signed by CA hosted on SMGR
<u></u><u></u></p>
<p class="MsoNormal"><span style="color:rgb(31,73,125)"> </span><u></u><u></u></p>
<p class="MsoNormal">During the endpoint registration with the server we have an endpoint initiated TLS handshake – during that handshake the TLS server requests the client Certificate but our TLS client
responds with the Certificates Length 0 that causes the TLS server to respond with the Handshake Failure.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">The Google search gives some generic ideas on why that might be happening – something along the following lines - that could be happening in case the client’s certificate does not
match the server certificate – for example, due to a signing authority mismatch, or due to the encryption cipher type mismatch, or maybe due to some other factors.<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Could you please help us in better understanding this issue – what else could be wrong or missing in the Server and Client certificates ?<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"><img border="0" width="1181" height="735" style="width: 12.302in; height: 7.6562in;" id="gmail-m_4052558076245561727gmail-m_2449539613917354174Picture_x0020_1" src="cid:170214e5db54cff311"><u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal">Vladimir Bashin<u></u><u></u></p>
<p class="MsoNormal"> <u></u><u></u></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <u></u><u></u></p>
<div>
<p class="MsoNormal">SY, Dmitry Belyavsky<u></u><u></u></p>
</div>
</div>
</div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">SY, Dmitry Belyavsky</div>