help connecting to Afilias

Help forum, 2001-08-15 to 2001-08-30
  • Chris Cowherd
    2001-08-15

    I am working on a custom C++ client to connect to the Afilias registry. I have been successful with the Java RTK implementation and have successfully used it many times to register production names.

    In my C++ client, I am using THE SAME certificate and private key, but in PEM format (like a text file) rather than the PKCS12 format the Java implementation uses, and I am using OpenSSL.

    I am unable to establish a connection with the Afilias OT&E environment.

    I did an experiment with the OpenSSL tools to see if I could determine the source of the problem.  I connected to the Verisign registry just fine but I cannot connect to the Afilias registry.  The output of the program is at the bottom.

    I am using THE SAME certificate and private key pair with OpenSSL that I use with the Java RTK implementation.

    Can you help me?

    <snip>

    --
    -- START openssl program output connecting to Afilias --
    --
    C:\certs>openssl s_client -connect ote1.afilias.net:65000 -cert c:\certs\netscape.pem
    Loading 'screen' into random state - done
    CONNECTED(000001CC)
    depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/Email=server-certs@thawte.com
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    1588:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:.\ssl\s3_pkt.c:964:SSL alert number 42
    1588:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:226:
    --
    -- END openssl program output connecting to Afilias --
    --

    ----------------------------------------------------------------------------------

    --
    -- START openssl program output connecting to Verisign --
    --
    C:\certs>openssl s_client -connect trrp1.verisign-grs.net:648 -cert c:\certs\netscape.pem
    Loading 'screen' into random state - done
    CONNECTED(000001C8)
    depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
    0 s:/C=US/ST=Virginia/L=Dulles/O=Network Solutions, Inc./OU=VeriSign Global Registry Services/CN=crsnic.net
       i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    1 s:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
       i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICbjCCAdsCEHAlKePr7T8mqEP5CFO+FEQwDQYJKoZIhvcNAQEEBQAwXzELMAkG
    A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
    VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAx
    MDQxMDAwMDAwMFoXDTAyMDQxMDIzNTk1OVowgZQxCzAJBgNVBAYTAlVTMREwDwYD
    VQQIEwhWaXJnaW5pYTEPMA0GA1UEBxQGRHVsbGVzMSAwHgYDVQQKFBdOZXR3b3Jr
    IFNvbHV0aW9ucywgSW5jLjEqMCgGA1UECxQhVmVyaVNpZ24gR2xvYmFsIFJlZ2lz
    dHJ5IFNlcnZpY2VzMRMwEQYDVQQDFApjcnNuaWMubmV0MIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQDJtM1QHSUKXuyNISW3nXWPJ9wN22RYBv8Xf0K6Ew/OgLX1
    NiYmEoVEHKsqTg0f1ULl2uV9wPM+x1/qko48SB+d0oAfHPUvGcrlQmVFFdqbhtL9
    I/tPHiqwjApCXSHjSGCGxBTTHE7UDz0Fn8BcEAEsc/MwenLN8qBM1/QfPQXQDwID
    AQABMA0GCSqGSIb3DQEBBAUAA34ANQ7lCbSzhKqDBTyO/CoPkW0Gs8KBvWs7XkBM
    3PV9idBxK6LzeEGgNouVpci1mEAXqnLqJXpdqKng38lBewg8AkdCyAGi6zGcIDio
    oKceXiGGLqzIAcFYUlKdkrrPQxxlbqW1+wW9YVfBAgfwHTHda0OqAEZ8SeA17aVR
    qok=
    -----END CERTIFICATE-----
    subject=/C=US/ST=Virginia/L=Dulles/O=Network Solutions, Inc./OU=VeriSign Global Registry Services/CN=crsnic.net
    issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    ---
    Acceptable client certificate CA names
    /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    /CN=Test DSA CA/C=CA/L=Toronto/ST=Ontario/O=LavaX Canada Ltd./OU=Certification Division/Email=info@lavaX.com
    ---
    SSL handshake has read 2006 bytes and written 1363 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : EDH-RSA-DES-CBC3-SHA
        Session-ID:
        Session-ID-ctx:
        Master-Key: D33A3793E1CC35C12383F17A95795C514EC0996E6B7A102D1C95729E3F75562D0E6460F10B367F1C5CEE7AC52C3A22A3
        Key-Arg   : None
        Start Time: 997898917
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    NSI RRP Server version 1.1.0
    Mon Oct 25 20:20:34 EDT 1999
    .
    --
    -- END openssl program output connecting to Verisign --
    --

    • Daniel Manley
      2001-08-30

      So you're not using the C++ RTK from SF?  Have you taken a look at their connection code and tried the sample?  They are using PEM formats, though.

      • Daniel Manley
        2001-08-30

        OK, that didn't make much sense... They are using RSA keys and not PKCS12 keys. I think that's right. Ah, heck, SSL is such a pain. I ended up working for three days straight getting SSL to work with JSSE. Hmm... maybe you've worked this through and my "helpful" hints aren't terribly "helpful" now.

    • Dave Sumpter
      2001-08-30

      I've had a similar problem myself. You may need the Thawte root server in your certificate chain. Verisign don't check this.
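Dave Sumpter's hint can be checked offline before going back to the registry. The script below is an added example, not code from this thread or from the RTK project. It builds a throwaway three-level PKI (a constructed root CA, intermediate CA and client certificate; every name in it is made up), then runs `openssl verify` the way a server that trusts only the root would: once with just the client's leaf certificate and once with the intermediate supplied alongside it. The leaf-only check fails because the issuer is not in the trust store, which is the situation Dave describes (the server rejects the client certificate after it is sent, as in the Afilias output above); it passes as soon as the intermediate is present. The last step writes chain.pem with the leaf first and the intermediate after it, which is the layout OpenSSL's SSL_CTX_use_certificate_chain_file() expects, unlike SSL_CTX_use_certificate_file(), which loads only the first certificate in the file. The file and config section names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or the RTK project.
# Builds a throwaway PKI (root CA -> intermediate CA -> client cert; all
# names are constructed) and shows why a client that presents only its leaf
# certificate is rejected by a server that trusts just the root.
set -eu

# Minimal OpenSSL config so `req`/`x509` run without the system openssl.cnf.
write_cfg() {
  cat > "$1/cfg" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

# Create root.pem, inter.pem, client.pem (+ keys) and chain.pem in $1.
build_test_pki() {
  d="$1"
  write_cfg "$d"
  # Self-signed root CA: the only thing the "server" will trust.
  openssl req -x509 -config "$d/cfg" -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout "$d/root.key" -out "$d/root.pem" -days 365 \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  # Intermediate CA signed by the root (the "Thawte Server CA" role here).
  openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
    -keyout "$d/inter.key" -out "$d/inter.csr" \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 365 -extfile "$d/cfg" -extensions ca_ext \
    -out "$d/inter.pem" >/dev/null 2>&1
  # Client (registrar) certificate signed by the intermediate.
  openssl req -new -config "$d/cfg" -newkey rsa:2048 -nodes \
    -keyout "$d/client.key" -out "$d/client.csr" \
    -subj "/CN=example-registrar-client" >/dev/null 2>&1
  openssl x509 -req -in "$d/client.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 365 -extfile "$d/cfg" -extensions leaf_ext \
    -out "$d/client.pem" >/dev/null 2>&1
  # Chain file in the order SSL_CTX_use_certificate_chain_file() expects:
  # the client's own certificate first, then each intermediate. The root
  # is the server's trust anchor and does not need to be sent.
  cat "$d/client.pem" "$d/inter.pem" > "$d/chain.pem"
}

# Server-side view when the client sends only its leaf certificate: the
# issuer (intermediate) is unknown, so no chain to the root can be built.
verify_leaf_only() {
  if openssl verify -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Same trust store, but the intermediate arrives with the leaf, as it does
# when the client presents a full chain.
verify_with_chain() {
  if openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
      "$1/client.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Number of certificates in a PEM bundle (sanity check of chain.pem).
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_test_pki "$WORK"
if verify_leaf_only "$WORK"; then
  echo "leaf only          : accepted (unexpected)"
else
  echo "leaf only          : rejected (issuer not in the trust store)"
fi
if verify_with_chain "$WORK"; then
  echo "leaf + intermediate: accepted"
else
  echo "leaf + intermediate: rejected (unexpected)"
fi
echo "chain.pem holds $(chain_cert_count "$WORK/chain.pem") certificates"
```

Run it with `sh chain_check.sh`; it prints one line per check. For a C++ client built on OpenSSL, the same chain.pem is what goes to SSL_CTX_use_certificate_chain_file(), with the private key loaded separately through SSL_CTX_use_PrivateKey_file(). Note also that `s_client -cert` in OpenSSL releases of that era loaded a single certificate via SSL_CTX_use_certificate_file, so the s_client experiment in the first post exercised the same leaf-only presentation as a client that never loads the chain.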