I am working on a custom C++ client to connect to the Afilias registry. I have been successful with the Java RTK implementation and have successfully used it many times to register production names.
In my C++ client, I am using THE SAME certificate and private key but in PEM format (like a text file) rather than PKCS12 format like the Java implementation uses, and I am using OpenSSL.
I am unable to establish a connection with the Afilias OT&E environment.
I did an experiment with the OpenSSL tools to see if I could determine the source of the problem. I connected to the Verisign registry just fine but I cannot connect to the Afilias registry. The output of the program is at the bottom.
I am using THE SAME certificate and private key pair with OpenSSL that I use with the Java RTK implementation.
Can you help me?
<snip>
--
-- START openssl program output connecting to Afilias --
--
C:\certs>openssl s_client -connect ote1.afilias.net:65000 -cert c:\certs\netscape.pem
Loading 'screen' into random state - done
CONNECTED(000001CC)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/Email=server-certs@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
1588:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:.\ssl\s3_pkt.c:964:SSL alert number 42
1588:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:226:
--
-- END openssl program output connecting to Afilias --
--
----------------------------------------------------------------------------------
--
-- START openssl program output connecting to Verisign --
--
C:\certs>openssl s_client -connect trrp1.verisign-grs.net:648 -cert c:\certs\netscape.pem
Loading 'screen' into random state - done
CONNECTED(000001C8)
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=US/ST=Virginia/L=Dulles/O=Network Solutions, Inc./OU=VeriSign Global Registry Services/CN=crsnic.net
i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
1 s:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICbjCCAdsCEHAlKePr7T8mqEP5CFO+FEQwDQYJKoZIhvcNAQEEBQAwXzELMAkG
A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTAx
MDQxMDAwMDAwMFoXDTAyMDQxMDIzNTk1OVowgZQxCzAJBgNVBAYTAlVTMREwDwYD
VQQIEwhWaXJnaW5pYTEPMA0GA1UEBxQGRHVsbGVzMSAwHgYDVQQKFBdOZXR3b3Jr
IFNvbHV0aW9ucywgSW5jLjEqMCgGA1UECxQhVmVyaVNpZ24gR2xvYmFsIFJlZ2lz
dHJ5IFNlcnZpY2VzMRMwEQYDVQQDFApjcnNuaWMubmV0MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDJtM1QHSUKXuyNISW3nXWPJ9wN22RYBv8Xf0K6Ew/OgLX1
NiYmEoVEHKsqTg0f1ULl2uV9wPM+x1/qko48SB+d0oAfHPUvGcrlQmVFFdqbhtL9
I/tPHiqwjApCXSHjSGCGxBTTHE7UDz0Fn8BcEAEsc/MwenLN8qBM1/QfPQXQDwID
AQABMA0GCSqGSIb3DQEBBAUAA34ANQ7lCbSzhKqDBTyO/CoPkW0Gs8KBvWs7XkBM
3PV9idBxK6LzeEGgNouVpci1mEAXqnLqJXpdqKng38lBewg8AkdCyAGi6zGcIDio
oKceXiGGLqzIAcFYUlKdkrrPQxxlbqW1+wW9YVfBAgfwHTHda0OqAEZ8SeA17aVR
qok=
-----END CERTIFICATE-----
subject=/C=US/ST=Virginia/L=Dulles/O=Network Solutions, Inc./OU=VeriSign Global Registry Services/CN=crsnic.net
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Acceptable client certificate CA names
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
/CN=Test DSA CA/C=CA/L=Toronto/ST=Ontario/O=LavaX Canada Ltd./OU=Certification Division/Email=info@lavaX.com
---
SSL handshake has read 2006 bytes and written 1363 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: D33A3793E1CC35C12383F17A95795C514EC0996E6B7A102D1C95729E3F75562D0E6460F10B367F1C5CEE7AC52C3A22A3
Key-Arg : None
Start Time: 997898917
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
NSI RRP Server version 1.1.0
Mon Oct 25 20:20:34 EDT 1999
.
--
-- END openssl program output connecting to Verisign --
--
So you're not using the C++ RTK from SF? Have you taken a look at their connection code and tried the sample? They are using PEM formats, though.
OK, that didn't make much sense... They are using RSA keys and not PKCS12 keys. I think that's right. Ah, heck, SSL is such a pain. I ended up working for three days straight getting SSL to work with JSSE. Hmmm... maybe you've worked this through and my "helpful" hints aren't terribly "helpful" now.
I've had a similar problem myself. You may need the Thawte root server in your certificate chain. Verisign don't check this.
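The two s_client transcripts in the post, read together with the chain hint in the last reply, carry the whole diagnosis: the "verify error:num=19" line appears in both runs and is only the client's own (non-fatal in s_client) complaint about the server's chain, whereas the Afilias run ends with "SSL alert number 42" (bad_certificate), an alert the server sent after seeing the client certificate. The Verisign run completes and, as part of its output, lists the "Acceptable client certificate CA names" the server will take a client certificate from. The script below is an added example for this thread, not code from the poster or from the RTK project: it parses constructed, trimmed excerpts of those two transcripts, separates the client-side chain warning from the server-sent alert, and checks an issuer name against the advertised CA list. The issuer string it uses for the netscape.pem certificate is an assumption (the Thawte CA seen at depth=1 in the Afilias run); the thread does not say who issued the client certificate.

```python
"""Triage 'openssl s_client' transcripts: did the registry reject OUR client certificate?

Added example for this thread, not code from the RTK project. The two log excerpts
below are constructed (trimmed, unwrapped) from the transcripts posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# TLS alert numbers (RFC 2246) that mean "the peer objected to the certificate we sent".
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
               45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

AFILIAS_LOG = r"""CONNECTED(000001CC)
depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Server CA/Email=server-certs@thawte.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
1588:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:.\ssl\s3_pkt.c:964:SSL alert number 42
1588:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:226:
"""

VERISIGN_LOG = r"""CONNECTED(000001C8)
depth=1 /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Virginia/L=Dulles/O=Network Solutions, Inc./OU=VeriSign Global Registry Services/CN=crsnic.net
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
subject=/C=US/ST=Virginia/L=Dulles/O=Network Solutions, Inc./OU=VeriSign Global Registry Services/CN=crsnic.net
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Acceptable client certificate CA names
/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
/CN=Test DSA CA/C=CA/L=Toronto/ST=Ontario/O=LavaX Canada Ltd./OU=Certification Division/Email=info@lavaX.com
---
SSL handshake has read 2006 bytes and written 1363 bytes
---
Verify return code: 19 (self signed certificate in certificate chain)
"""


@dataclass
class Handshake:
    peer_alert: Optional[int] = None                        # alert number the SERVER sent to us
    chain_errors: List[int] = field(default_factory=list)   # OUR verify errors on the server chain
    handshake_done: bool = False                            # "SSL handshake has read" only on success
    server_subject: Optional[str] = None
    acceptable_cas: List[str] = field(default_factory=list)  # CAs the server accepts client certs from


def parse_s_client(text: str) -> Handshake:
    """Pull the handshake-relevant facts out of an s_client transcript."""
    hs = Handshake()
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        if m := re.search(r"SSL alert number (\d+)", ln):
            hs.peer_alert = int(m.group(1))
        elif m := re.match(r"verify error:num=(\d+)", ln):
            hs.chain_errors.append(int(m.group(1)))
        elif ln.startswith("subject="):
            hs.server_subject = ln[len("subject="):]
        elif ln.startswith("SSL handshake has read"):
            hs.handshake_done = True
        elif ln == "Acceptable client certificate CA names":
            for ca in lines[i + 1:]:      # the list runs until the next '---' separator
                if ca.startswith("---"):
                    break
                hs.acceptable_cas.append(ca)
    return hs


def diagnose(hs: Handshake) -> str:
    """Distinguish 'server rejected our cert' from 'our warning about the server chain'."""
    if hs.peer_alert in CERT_ALERTS:
        return "PEER_REJECTED_CLIENT_CERT"
    if hs.peer_alert is not None:
        return "PEER_ALERT"
    return "OK" if hs.handshake_done else "INCOMPLETE"


def issuer_accepted(hs: Handshake, issuer: str) -> Optional[bool]:
    """None when the server aborted before advertising its CA list (the Afilias case)."""
    if not hs.acceptable_cas:
        return None
    return issuer in hs.acceptable_cas


if __name__ == "__main__":
    # Assumed for illustration only: the thread never states who issued the cert in netscape.pem.
    CLIENT_ISSUER = ("/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc"
                     "/OU=Certification Services Division/CN=Thawte Server CA/Email=server-certs@thawte.com")
    for name, log in (("Afilias", AFILIAS_LOG), ("Verisign", VERISIGN_LOG)):
        hs = parse_s_client(log)
        print(f"{name}: {diagnose(hs)}; server alert={hs.peer_alert}; "
              f"our chain errors={hs.chain_errors}; issuer accepted={issuer_accepted(hs, CLIENT_ISSUER)}")
```

Run against the two excerpts it reports the Afilias connection as PEER_REJECTED_CLIENT_CERT with no CA list captured (the server cut the handshake short, so the only fix visible from the client side is to present the full chain, leaf plus intermediates, and confirm with the registry which issuers it accepts), and the Verisign connection as OK with an explicit list of two acceptable issuers, neither of which is the assumed Thawte issuer. The chain error 19 is identical in both runs and is therefore not what separates them.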