[openssl-users] MTLS verification fails
openssl-users at dukhovni.org
Mon Mar 5 06:21:01 UTC 2018
> On Mar 5, 2018, at 12:58 AM, salil GK <gksalil at gmail.com> wrote:
> openssl s_client -cert tomcat.pem -key tomcat_priv.pem -CAfile ca.pem -connect lrc1.cisco.com:8446
> #$ openssl s_server -key privkey.pem -cert server.pem -accept 8446 -verify ca.pem
> verify depth is 0
> Using default temp DH parameters
> depth=2 O = Cisco Systems, CN = trca-4096-sha2
> verify error:num=19:self signed certificate in certificate chain
> verify error:self signed certificate in certificate chain
> 140011871301248:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3427:
> shutting down SSL
> CONNECTION CLOSED
> What is the meaning of this error and how do I correct this - ?
You have not specified a "-CAfile" or "-CApath" option telling "s_server" where to
look for the "O = Cisco Systems, CN = trca-4096-sha2" trusted issuer CA certificate.
You've also incorrectly specified the "-verify" option, which certainly
does not help.
-verify depth, -Verify depth
The verify depth to use. This specifies the maximum length of the
client certificate chain and makes the server request a certificate
from the client. With the -verify option a certificate is requested
but the client does not have to send one, with the -Verify option
the client must supply a certificate or an error occurs.
If the ciphersuite cannot request a client certificate (for example
an anonymous ciphersuite or PSK) this option has no effect.
More information about the openssl-users