nitass_89166
Aug 20, 2014Noctilucent
openssl s_client -connect x.x.x.x:443 -key /config/filestore/files_d/www-qa_d/certificate_key_d/:test.key -cert /config/filestore/files_d/www-qa_d/certificate_d/:test.crt
Are you doing client certificate authentication? If not, shouldn't that be the -CAfile option rather than -cert and -key? The -cert/-key options present a client certificate to the server, whereas -CAfile supplies the trust anchor that s_client uses to verify the server's certificate chain.
e.g.
Config (virtual server and client-ssl profile):
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.24.10:443
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
http { }
myclientssl {
context clientside
}
tcp { }
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vs-index 65
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
app-service none
cert-key-chain {
server {
cert server.crt
chain chain.crt
key server.key
}
}
defaults-from clientssl
}
Server certificate (subject/issuer of each PEM block in the file):
[root@ve11a:Active:In Sync] certificate_d perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' \:Common\:server.crt_51362_1
---
subject= /C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
issuer= /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
Intermediate certificate (chain file, two PEM blocks):
[root@ve11a:Active:In Sync] certificate_d perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' \:Common\:chain.crt_33273_1
---
subject= /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
---
subject= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
Test from a client host, passing the root CA as the trust anchor:
[root@centos1 ~] perl -n0777e 'map { print "---\n"; open(CMD, "| openssl x509 -noout -subject -issuer");
> print CMD; close(CMD) } /^-----BEGIN.*?^-----END.*?\n/gsm' /root/newca/certs/ca.crt
---
subject= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
issuer= /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
[root@centos1 ~] openssl s_client -connect 172.28.24.10:443 -CAfile /root/newca/certs/ca.crt
CONNECTED(00000003)
depth=2 /C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
verify return:1
depth=1 /C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
verify return:1
depth=0 /C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
i:/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
1 s:/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
i:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
2 s:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
i:/C=US/ST=WA/L=Seattle/O=Acme/OU=IT/CN=caroot.acme.com
---
Server certificate
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
subject=/C=US/ST=WA/O=Acme/OU=IT/CN=server.acme.com
issuer=/C=US/ST=WA/O=Acme/OU=Support/CN=ca2013.acme.com
---
No client certificate CA names sent
---
SSL handshake has read 4703 bytes and written 703 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: 457BB7CC171B41B0E605CD1C37DF7B0F4A3530C8F0D9C9B5F190A8740F6865DC
Session-ID-ctx:
Master-Key: F15E99AF1F808310F917E9B4A90B46D37EB6D24C6371AD29CB7A3C44684EFFDFE0CC081742E81985F6EE771B18075093
Key-Arg : None
Krb5 Principal: None
Start Time: 1408530869
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
- nitass_89166, Aug 20, 2014: This applies in case the CA certificate is not already present in the default OpenSSL CA file; passing it explicitly with -CAfile is what lets the verification return code reach 0 (ok).