SSL alert 43 when doing client authentication in SSL
It seems likely that the X.509 certificate presented by the server is not valid. Could you please post the result of a 'openssl x509 -text -in your_cert_file' ?
I suspect that your certificate doesn't have the "Web Server Authentication" usage set in the "x509v3 Extended Key Usage" extension.
[edit]
Looking at the certificate you posted, the Netscape Cert Type is wrong, it is set to "SSL Server" instead of "SSL Client", if this is the client certificate.
You may also want to set some v3 extensions like X509v3 Key Usage and X509v3 extended key usage, but it is not mandatory.
If you are interested in the exact checks, you can read the OpenSSL related code in crypto/x509v3/v3purp.c
[/edit]
Darshan Prajapati
A Linux Enthusiast. Linux Promoter. Working for Linux kernel development for Embedded Devices having ARM processors. #SOreadytohelp
Updated on June 04, 2022Comments
-
Darshan Prajapati almost 2 years
I have created simple SSL client server program and in that program I am using self signed certificate which are created with my own local CA according to the help on https://help.ubuntu.com/community/OpenSSL
So I have my CA certificate and private key. Server certificate signed by my CA and Serve private key. Client certificate signed by my CA and Client private key.
Now following is the code part of client server program which shows the loading of certificate and SSL handshake.
Server:
SSL_library_init(); ctx = InitServerCTX(); /* initialize SSL */ LoadCertificates(ctx, "server_crt.pem", "server_key.pem"); /* load certs */ SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL); //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, 0); SSL_CTX_set_verify_depth(ctx, 1); SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file("cacert.pem")); server = OpenListener(atoi(portnum)); /* create server socket */ while (1) { struct sockaddr_in addr; int len = sizeof(addr); SSL *ssl; int client = accept(server, (struct sockaddr*) &addr, &len); /* accept connection as usual */ printf("Connection: %s:%d\n", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port)); ssl = SSL_new(ctx); /* get new SSL state with context */ SSL_set_fd(ssl, client); /* set connection socket to SSL state */ Servlet(ssl); /* service connection */ }Client:
SSL_library_init(); ctx = InitCTX(); LoadCertificates(ctx, "client_crt.pem", "client_key.pem"); /* load certs */ SSL_CTX_load_verify_locations(ctx, "cacert.pem", NULL); SSL_CTX_set_verify_depth(ctx, 1); server = OpenConnection(hostname, atoi(portnum)); ssl = SSL_new(ctx); /* create new SSL connection state */ SSL_set_fd(ssl, server); /* attach the socket descriptor */ if (SSL_connect(ssl) != 1) /* perform the connection */ ERR_print_errors_fp(stderr); else { char *msg = "This is Darshan"; printf("Connected with %s encryption\n", SSL_get_cipher(ssl)); ShowCerts(ssl); /* get any certs */ SSL_write(ssl, msg, strlen(msg)); /* encrypt & send message */ bytes = SSL_read(ssl, buf, sizeof(buf)); /* get reply & decrypt */ buf[bytes] = 0; printf("Received: \"%s\"\n", buf); SSL_free(ssl); /* release connection state */ }Now when I run this programs I get error like below in Client:
3073476808:error:14094413:SSL routines:SSL3_READ_BYTES:sslv3 alert unsupported certificate:s3_pkt.c:1248:SSL alert number 43Why I am getting this error ? My certificates are ok and both client and server certificates are signed by my CA. Please help me in finding error.
Certificate of Client:
Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: md5WithRSAEncryption Issuer: CN=My Root Certificate Authority, ST=somestate, C=IN/[email protected], O=XYZ Ltd., OU=Department Validity Not Before: Jan 18 07:50:30 2013 GMT Not After : Jan 17 07:50:30 2018 GMT Subject: CN=localhost, ST=somestate, C=IN/[email protected], O=ABC Ltd., OU=Software Department Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:c1:1e:ea:56:d9:44:05:28:cb:4e:cd:85:88:9a: 8e:8d:77:d7:80:92:7c:b5:20:89:31:45:2a:73:72: 5d:d2:01:3c:1d:18:2e:c2:72:56:4d:84:f4:21:ae: 55:d6:b5:5c:58:9a:3b:48:2c:9e:05:a4:ee:af:b7: f4:42:ef:54:9c:a1:bc:a9:b5:53:dc:69:90:d2:df: c0:e0:09:d5:e4:d4:08:a8:f2:76:1b:c5:0d:c9:13: eb:ba:76:09:a2:67:38:cc:d8:6d:44:51:78:39:03: b4:a4:a1:73:ec:d4:7d:c3:06:4b:64:6b:f7:14:d3: 1c:c9:e4:db:cc:82:5c:94:fb Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:www.example.com X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Signature Algorithm: md5WithRSAEncryption ba:76:2c:2a:15:f3:98:32:86:60:dc:2a:a9:a6:a8:ca:e6:a7: 74:d8:8f:0e:b2:ad:00:ef:fc:13:74:26:75:12:fa:af:4f:55: 61:75:34:77:8c:37:b9:58:ab:ee:71:9b:6d:3c:10:ab:f0:20: 73:89:7c:5c:e2:df:82:21:96:b4:91:5a:9b:f8:10:6a:4b:01: 06:7e:b6:26:bc:c1:80:21:85:d9:7f:0b:56:a3:89:5e:e1:f4: 31:d1:c9:be:a3:39:d5:51:0a:3e:b9:27:fb:82:5f:d1:24:40: f0:84:a4:f9:bc:23:11:fb:65:ad:d5:bc:2e:23:a0:5c:0f:58: a5:8b:38:f6:0c:52:65:f1:84:29:be:dd:77:73:2b:3c:b6:4c: 4e:87:3f:38:45:48:b2:50:24:7a:06:fe:ac:79:bf:04:88:d6: 5d:4b:38:f9:25:90:c9:e4:d6:7d:6b:1c:9a:78:10:5a:42:43: 8d:26:08:6e:f9:34:e1:8f:2f:bb:33:d5:96:b6:2a:35:75:c1: e5:f2:b9:3d:8a:0d:49:e8:00:3c:08:03:5a:97:e2:79:4b:1a: 9c:98:5c:ba:8b:5b:44:5c:a3:0e:6f:d5:af:5a:9e:88:4e:2e: fe:91:ae:95:83:75:68:71:04:e5:99:1b:3e:bc:a6:cf:84:2f: 98:78:25:33-----BEGIN CERTIFICATE----- MIIDiDCCAnCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBtzEsMCoGA1UEAxMjSW52 aXhpdW0gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxEDAOBgNVBAgTB0d1amFy YXQxCzAJBgNVBAYTAklOMSYwJAYJKoZIhvcNAQkBFhdkcHJhamFwYXRpQGludml4 aXVtLmNvbTEiMCAGA1UEChMZSW52aXhpdW0gQWNjZXNzIFB2dC4gTHRkLjEcMBoG A1UECxMTRW1iZWRkZWQgRGVwYXJ0bWVudDAeFw0xMzAxMTgwNzUwMzBaFw0xODAx MTcwNzUwMzBaMIGbMRAwDgYDVQQDEwdpeG0ud2ViMRAwDgYDVQQIEwdHdWphcmF0 MQswCQYDVQQGEwJJTjEmMCQGCSqGSIb3DQEJARYXZHByYWphcGF0aUBpbnZpeGl1 bS5jb20xIjAgBgNVBAoTGUludml4aXVtIEFjY2VzcyBQdnQuIEx0ZC4xHDAaBgNV BAsTE1NvZnR3YXJlIERlcGFydG1lbnQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBAMEe6lbZRAUoy07NhYiajo1314CSfLUgiTFFKnNyXdIBPB0YLsJyVk2E9CGu Vda1XFiaO0gsngWk7q+39ELvVJyhvKm1U9xpkNLfwOAJ1eTUCKjydhvFDckT67p2 CaJnOMzYbURReDkDtKShc+zUfcMGS2Rr9xTTHMnk28yCXJT7AgMBAAGjPTA7MBsG A1UdEQQUMBKCEHd3dy5pbnZpeGl1bS5jb20wCQYDVR0TBAIwADARBglghkgBhvhC AQEEBAMCBkAwDQYJKoZIhvcNAQEEBQADggEBALp2LCoV85gyhmDcKqmmqMrmp3TY jw6yrQDv/BN0JnUS+q9PVWF1NHeMN7lYq+5xm208EKvwIHOJfFzi34IhlrSRWpv4 EGpLAQZ+tia8wYAhhdl/C1ajiV7h9DHRyb6jOdVRCj65J/uCX9EkQPCEpPm8IxH7 Za3VvC4joFwPWKWLOPYMUmXxhCm+3XdzKzy2TE6HPzhFSLJQJHoG/qx5vwSI1l1L OPklkMnk1n1rHJp4EFpCQ40mCG75NOGPL7sz1Za2KjV1weXyuT2KDUnoADwIA1qX 4nlLGpyYXLqLW0Rcow5v1a9anohOLv6RrpWDdWhxBOWZGz68ps+EL5h4JTM= -----END CERTIFICATE-----
Client conf file:
#
example.cnf
#
[ req ] prompt = no distinguished_name = server_distinguished_name
[ server_distinguished_name ] commonName = abc.com stateOrProvinceName = NC countryName = US emailAddress = [email protected] organizationName = My Organization Name organizationalUnitName = Subunit of My Large Organization