issues with OpenSSL 1.1.1n
Ray Crumrine
hraycrum at hotmail.com
Tue Nov 1 23:08:10 UTC 2022
Oh my gosh! Thank you. I am a newbie when it comes to certificates. I am
only using tls for outbound calls. I thought I shouldn't need a
certificate when doing outbound only [a client] but was getting some
weird error. After I read your email I simply commented out both
"certificate" lines in my configuration and it works!!!
One last question. I don't need certbot at all then, right?
Thanks again,
Ray
Viktor Dukhovni wrote:
> On Tue, Nov 01, 2022 at 05:55:08AM -0500, Ray Crumrine wrote:
>
>> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151573> <SSL
>> routines-ssl3_read_bytes-sslv3 alert certificate expired>
> Is this logged by the TLS client or server? In other words are you
> running a client application making outgoing connections or a server
> application receiving incoming connections?
>
>> but not all of the time. Only when I try to access
>> us-east-va.sip.flowroute using tlsv1.2.
> This sounds like "client". TLS alerts are sent by the other end of the
> connection, so if you're getting "certificate expired" alerts from a
> server, that means that your client is *sending* an expired certificate
> to the server (which must have solicited, possibly optional, client
> certificates). The server in question does send certificate requests:
>
> Transport Layer Security
> TLSv1.2 Record Layer: Handshake Protocol: Certificate Request (fragment)
> Content Type: Handshake (22)
> Version: TLS 1.2 (0x0303)
> Length: 16384
> Handshake Protocol: Certificate Request (fragment)
> ...
>
>> I have tried two other sites using the same configuration and they work
>> fine. Is there a simple configuration change or do I need Openssl v3.0?
> The other sites presumably don't solicit client certificates. The
> simplest choice is to not configure a client certificate unless you're
> sure you're going to need one.
>
>> Checking with
>> https://decoder.link/sslchecker/us-east-va.sip.flowroute.com/5061
>> everything checks fine???
> The probe does not send expired client certs.
>
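Viktor's reasoning (the alert was sent by the other end, so the expired certificate is the one the client presented) can be checked against the logged number itself. The following is an added example, not code from the thread or from OpenSSL: it unpacks the 1.1.x error code 336151573 into its library, function and reason fields, using the OpenSSL 1.1.1 header constants ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES and SSL_AD_REASON_OFFSET and an excerpt of the RFC 5246/8446 alert table; it assumes a 1.0.x/1.1.x build, since OpenSSL 3.0 dropped the function field.

```python
# Decode an OpenSSL 1.1.x packed error code such as the <336151573> in the log.
# ERR_PACK(lib, func, reason) = (lib << 24) | (func << 12) | reason, with
# 8/12/12 bits. OpenSSL 3.0 removed the function field, so this layout is
# assumed to be a 1.0.x/1.1.x one (assumption also stated in the lead-in).

ERR_LIB_SSL = 20               # include/openssl/err.h: ERR_LIB_SSL
SSL_F_SSL3_READ_BYTES = 148    # include/openssl/sslerr.h (1.1.1)
SSL_AD_REASON_OFFSET = 1000    # include/openssl/ssl.h: reason = 1000 + alert

# TLS AlertDescription values (RFC 5246 s.7.2, RFC 8446 s.6); excerpt only.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    116: "certificate_required",
}


def unpack_err(code):
    """Split a 1.1.x packed error into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def explain(code):
    """Describe an ERR_LIB_SSL error. Reason codes in the 1000..1255 range are
    alerts that this side RECEIVED from the peer, so a "certificate expired"
    alert seen by a client means the client's own certificate is expired."""
    lib, func, reason = unpack_err(code)
    info = {"lib": lib, "func": func, "reason": reason,
            "in_ssl3_read_bytes": lib == ERR_LIB_SSL and func == SSL_F_SSL3_READ_BYTES,
            "peer_alert": None, "local_cert_expired": False}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET
        info["peer_alert"] = TLS_ALERTS.get(alert, "alert_%d" % alert)
        # The peer complained about the certificate we sent it.
        info["local_cert_expired"] = alert == 45
    return info


if __name__ == "__main__":
    # Constructed input: the error number quoted in the original report.
    print(explain(336151573))
```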