I had been trying to get an IBM product on Linux to talk to LDAP using TLS and certificate authentication, where I give a certificate instead of an LDAP userid and password. IBM products use GSKit to manage keystores and TLS between sessions. With Java you can get out a trace of the TLS conversation. You can get out a GSKit trace on z/OS, but not on other platforms.

In the LDAP environment file I added GSK_TRACE=0xff. Once I had TLS to LDAP working, I used GSK_TRACE=0x04 to trace just errors. Some "errors" are recorded in the GSK trace as "INFO"; for example, that Elliptic Curve is only supported in TLS 1.3. By default the trace goes to /tmp/gskssl.%.trc. To format it, go into USS and use the command gsktrace > out, then edit the file "out".

Getting the trace was easy, understanding it was harder. After a day I stumbled on a different approach. I found a great program, openssl s_client. This starts a TLS handshake and prints out, in an easy to understand format, what is going on:

```
openssl s_client -connect 10.1.1.2:1389 -cert /home/colinpaice/ssl/ssl2/ecec.pem -key /home/colinpaice/ssl/ssl2/ -CAfile ~/ssl/ssl2/colinpaice.pem -x509_strict
```

The stderr output included

```
depth=1 O = COLIN, OU = TEST, CN = COLIN4Certification Authority
verify error:num=19:self signed certificate in certificate chain
```

Following this was an error message. Note: it is at the top of the output, not the bottom as I expected. See below for a discussion about the error.

```
SSL routines:ssl3_read_bytes:tlsv1 alert internal error./ssl/record/rec_layer_s3.c:1528:SSL alert number 80
```

The output then lists the certificates the server sent (s: is the subject, i: the issuer):

```
1 s:O = COLIN, OU = TEST, CN = COLIN4Certification Authority
  i:O = COLIN, OU = TEST, CN = COLIN4Certification Authority
```

The certificate SERVER was signed by COLIN4Certification Authority; the certificate COLIN4Certification Authority was self signed.

The server certificate comes next (the -----BEGIN CERTIFICATE----- block), followed by the identity of the server:

```
subject=O = SERVER, OU = SSS, CN = ZZZZ
issuer=O = COLIN, OU = TEST, CN = COLIN4Certification Authority
```

Next comes the list of Certificate Authority or self signed certificates in the keyring. Any client certificate must be signed by one of those CAs (or be a self signed certificate):

```
Acceptable client certificate CA names
O = COLIN, OU = TEST, CN = COLIN4Certification Authority
C = GB, O = SSS, OU = CA, CN = SSCARSA1024
```

Then comes the client certificate types the server will accept:

```
Client Certificate Types: RSA sign, DSA sign
```
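When working through this output by hand it is easy to miss why a client certificate is rejected, so here is an added example (my own code, not from the original post or from GSKit/OpenSSL) that parses the relevant lines of openssl s_client output and checks a client certificate's issuer DN and key algorithm against the "Acceptable client certificate CA names" and "Client Certificate Types" the server sent. The s_client output is a constructed sample modelled on the fragments above; the issuer DN and key algorithm are assumed to have been read off the client certificate file with openssl x509 -noout -issuer and openssl x509 -noout -text.

```python
import re

# Constructed sample of `openssl s_client` output, modelled on the fragments in the post.
SAMPLE = """\
depth=1 O = COLIN, OU = TEST, CN = COLIN4Certification Authority
verify error:num=19:self signed certificate in certificate chain
SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1528:SSL alert number 80
---
Acceptable client certificate CA names
O = COLIN, OU = TEST, CN = COLIN4Certification Authority
C = GB, O = SSS, OU = CA, CN = SSCARSA1024
Client Certificate Types: RSA sign, DSA sign
"""

# OpenSSL key algorithm name -> TLS 1.2 CertificateRequest certificate_type the server must list.
KEY_TO_CERT_TYPE = {"RSA": "RSA sign", "DSA": "DSA sign", "EC": "ECDSA sign"}


def parse_s_client(text):
    """Extract verify errors, alert numbers, acceptable CA DNs and certificate types."""
    info = {"verify_errors": [], "alerts": [], "acceptable_cas": [], "cert_types": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"verify error:num=(\d+):(.*)", line)
        if m:
            info["verify_errors"].append((int(m.group(1)), m.group(2)))
        m = re.search(r"SSL alert number (\d+)", line)
        if m:
            info["alerts"].append(int(m.group(1)))
        if line.startswith("Acceptable client certificate CA names"):
            # The DN list runs until the 'Client Certificate Types' line or a '---' separator.
            for dn in lines[i + 1:]:
                if dn.startswith(("Client Certificate Types", "---")):
                    break
                info["acceptable_cas"].append(dn.strip())
        if line.startswith("Client Certificate Types:"):
            info["cert_types"] = [t.strip() for t in line.split(":", 1)[1].split(",")]
    return info


def client_cert_acceptable(info, issuer_dn, key_algorithm):
    """Check a client cert's issuer DN and key algorithm against the server's CertificateRequest."""
    reasons = []
    if issuer_dn not in info["acceptable_cas"]:
        reasons.append("issuer not in acceptable CA names: " + issuer_dn)
    needed = KEY_TO_CERT_TYPE.get(key_algorithm, key_algorithm)
    if info["cert_types"] and needed not in info["cert_types"]:
        reasons.append("server does not accept certificate type " + needed)
    return (not reasons, reasons)
```

With the sample above, an RSA certificate issued by COLIN4Certification Authority passes both checks, while an EC certificate from the same CA fails because the server only listed RSA sign and DSA sign.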