# openssl s_client -connect lobo99.com:4443 -prexit
CONNECTED(00000003) depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com verify error:num=18:self signed certificate verify return:1 depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com verify return:1 --- Certificate chain 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- Server certificate -----BEGIN CERTIFICATE----- MIICLzCCAZgCCQDNzGD1CybT2DANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxMzQx WhcNMTQxMTE0MTQxMzQxWjBcMQswCQYDVQQGEwJFUzESMBAGA1UECAwJQmFyY2Vs b25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoMCmxvYm85OS5jb20xEzARBgNV BAMMCmxvYm85OS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXm6oQv uvAYsDXII9E5U0pMZO+xmK+qfnM+Mtjx371BBmPOqsPvZV3V57ySFbl9li0jehbU WLai3775RBtTj2rGZzMV8/0gkntjV5VE0Ouz6eHbN60YJm/co75w70mm4H/mXbA5 I0cNwpNAngGXjrisbXH3yvRJtt1akmu5wH2VAgMBAAEwDQYJKoZIhvcNAQEFBQAD gYEAsJv09u9+25Dpkb564Wa5kGE4sJvtxD/Mc757imzLs01lkVW99EX82m4blmwK 1Mddr3pK1sdAyOON39/Jwg/TYO23McjonDlouYENvnk5VJuybHNnIrch+i+4VLOI N7h7G234EEmvpKmalB/F/ZZwdWkR1EEgPC9IReO2Ttk/c0w= -----END CERTIFICATE----- subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- No client certificate CA names sent --- SSL handshake has read 1134 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 259139CDC82A2074ABAF3B686B49A1514999E91C1ECEFFF67D4A0ED81D4EDEAF Session-ID-ctx: Master-Key: 16080FCCE327191EEF97BF191992CD282FDD9685C40E7ADA15C7A3A3A844252195414690BA49C48D9EFCEB45D7AD8EA1 Key-Arg : None Start Time: 1384450622 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
Entonces hacemos la petición:
GET /cert
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com verify error:num=18:self signed certificate verify return:1 depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com verify return:1 7445:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1108:SSL alert number 40 7445:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:1012: --- Certificate chain 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- Server certificate -----BEGIN CERTIFICATE----- MIICLzCCAZgCCQDNzGD1CybT2DANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxMzQx WhcNMTQxMTE0MTQxMzQxWjBcMQswCQYDVQQGEwJFUzESMBAGA1UECAwJQmFyY2Vs b25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoMCmxvYm85OS5jb20xEzARBgNV BAMMCmxvYm85OS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXm6oQv uvAYsDXII9E5U0pMZO+xmK+qfnM+Mtjx371BBmPOqsPvZV3V57ySFbl9li0jehbU WLai3775RBtTj2rGZzMV8/0gkntjV5VE0Ouz6eHbN60YJm/co75w70mm4H/mXbA5 I0cNwpNAngGXjrisbXH3yvRJtt1akmu5wH2VAgMBAAEwDQYJKoZIhvcNAQEFBQAD gYEAsJv09u9+25Dpkb564Wa5kGE4sJvtxD/Mc757imzLs01lkVW99EX82m4blmwK 1Mddr3pK1sdAyOON39/Jwg/TYO23McjonDlouYENvnk5VJuybHNnIrch+i+4VLOI N7h7G234EEmvpKmalB/F/ZZwdWkR1EEgPC9IReO2Ttk/c0w= -----END CERTIFICATE----- subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- Acceptable client certificate CA names /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- SSL handshake has read 2540 bytes and written 292 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: FE7F31365F592A612576D234792FBE3C2A80FBD17758069CE2E87A02B3A2CFFF Session-ID-ctx: Master-Key: 17477130AB689266F3E38E052D295C6506043FADCFF9DFDB658F41B43A2FF094EB036B988FC8FFA5D3E450DF5C43D031 Key-Arg : None Start Time: 1384450654 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
Vemos que da el error:
7445:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1108:SSL alert number 40 7445:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:1012:
Es porque el certificado no está dentro de los aceptados:
Acceptable client certificate CA names /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com
Ahora le pasamos el certificado personal. Clave pública: jose.crt
-----BEGIN CERTIFICATE----- MIICVjCCAb8CCQCRKNttR9iJbjANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxOTU3 WhcNMTQxMTE0MTQxOTU3WjCBgjELMAkGA1UEBhMCRVMxEjAQBgNVBAgMCUJhcmNl bG9uYTEPMA0GA1UEBwwGTWF0YXJvMQ8wDQYDVQQKDAZsZWdpZG8xHTAbBgNVBAMM FEpvc2UgTGVnaWRvIE1hcnRpbmV6MR4wHAYJKoZIhvcNAQkBFg9qb3NlQGxlZ2lk by5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALk/zUfwu8XoVJ4eHR+C N/F7W2AY/Sg1FCL+NpgplH0PU4A2QoVhAXDfV7zho4x+wv7Zbtf1Nx2Wyo5aVrkM OuL1qrYNX4ecF661L/exg1eYJI5RWQ04jnmlQ7cf1nYqZncnocb87Zp/pO0Dnk3+ kLntqPPEqCDJGr8iLiNUB5QbAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAlfmKFp7+ B/Mr+F26Y3dLeBTgLczCUaSKO/bV9zE8TCj8fl7tNg+K1SUgsgrF/lYRUMn7mvnT FcZtyaxNmOmdt7V/4U6UuJjsAJ5LPY7slfmmqE0CEzmJvmsmlW8R5Im39wiJ+Hhh jUFeKpLUrUGPilVe/4QgREHOwUxmaNaFpJA= -----END CERTIFICATE-----
Clave privada: jose.key
-----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQC5P81H8LvF6FSeHh0fgjfxe1tgGP0oNRQi/jaYKZR9D1OANkKF YQFw31e84aOMfsL+2W7X9TcdlsqOWla5DDri9aq2DV+HnBeutS/3sYNXmCSOUVkN OI55pUO3H9Z2KmZ3J6HG/O2af6TtA55N/pC57ajzxKggyRq/Ii4jVAeUGwIDAQAB AoGBAIzZ7BW0/rC9tAj9UJtygWLErndkyKfXo9XvgEc15kcobg7gMrgDR/swdh+R WK8sessXO+ZL9noy+xQ9sA7HM8Wsh9vtxxzXaxBFcqHGnAHiPuFvw0wme2pXAXZ1 8/pxo1MkW77o8OpNpDd15XFDgwK1o7UhZKTmhDITcbcQXUvRAkEA8jUgYiZr0EMi pM7oiU2eQ/0puDcP0SYK/hr/+y7H6RIa+RyRmZork5E5iHKXJHa6qfnmbIZpFCNI e0dmLqU3hQJBAMPMWAVmnPMM2FesGd4RKca8bBh3XV96WPXdtgv47CyGI1zq2hoY 6+IRBiHTWAerYuWn3bGYwvEUZQhEhp3V3x8CQQDvyl8ULPuiRUUgK2SWwsyEfTh3 k7PKGcLaTfrOQENU4ULpDDqt+q9XunheOSyfwhgNvkY9fVi8wi25NzfXyGRNAkEA kbqjwNFQ+62R0B8t2ZSYrWxMYCFng8rCL6zm9B4/Whw0cdHypv3pgwb8s2xj1sF/ CENaw/ZZEaoGUJMARrWKLQJAAylDInHteOqXRp8UP3uJsDZZ/nVGjuEcpZv6dvD8 jko1y3wSkyvm6Gzr6f4nQoZAOjuJ4hkemwKUkQr4fZYaCg== -----END RSA PRIVATE KEY-----
Vemos la info del certificado
# openssl x509 -in jose.crt -noout -text
Certificate: Data: Version: 1 (0x0) Serial Number: 91:28:db:6d:47:d8:89:6e Signature Algorithm: sha1WithRSAEncryption Issuer: C=ES, ST=Barcelona, L=Mataro, O=lobo99.com, CN=lobo99.com Validity Not Before: Nov 14 14:19:57 2013 GMT Not After : Nov 14 14:19:57 2014 GMT Subject: C=ES, ST=Barcelona, L=Mataro, O=legido, CN=Jose Legido Martinez/emailAddress=jose@legido.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b9:3f:cd:47:f0:bb:c5:e8:54:9e:1e:1d:1f:82: 37:f1:7b:5b:60:18:fd:28:35:14:22:fe:36:98:29: 94:7d:0f:53:80:36:42:85:61:01:70:df:57:bc:e1: a3:8c:7e:c2:fe:d9:6e:d7:f5:37:1d:96:ca:8e:5a: 56:b9:0c:3a:e2:f5:aa:b6:0d:5f:87:9c:17:ae:b5: 2f:f7:b1:83:57:98:24:8e:51:59:0d:38:8e:79:a5: 43:b7:1f:d6:76:2a:66:77:27:a1:c6:fc:ed:9a:7f: a4:ed:03:9e:4d:fe:90:b9:ed:a8:f3:c4:a8:20:c9: 1a:bf:22:2e:23:54:07:94:1b Exponent: 65537 (0x10001) Signature Algorithm: sha1WithRSAEncryption 95:f9:8a:16:9e:fe:07:f3:2b:f8:5d:ba:63:77:4b:78:14:e0: 2d:cc:c2:51:a4:8a:3b:f6:d5:f7:31:3c:4c:28:fc:7e:5e:ed: 36:0f:8a:d5:25:20:b2:0a:c5:fe:56:11:50:c9:fb:9a:f9:d3: 15:c6:6d:c9:ac:4d:98:e9:9d:b7:b5:7f:e1:4e:94:b8:98:ec: 00:9e:4b:3d:8e:ec:95:f9:a6:a8:4d:02:13:39:89:be:6b:26: 95:6f:11:e4:89:b7:f7:08:89:f8:78:61:8d:41:5e:2a:92:d4: ad:41:8f:8a:55:5e:ff:84:20:44:41:ce:c1:4c:66:68:d6:85: a4:90
El issuer está dentro de los certificados aceptados:
Issuer: C=ES, ST=Barcelona, L=Mataro, O=lobo99.com, CN=lobo99.com
Ahora hacemos la petición con el certificado y vemos como funciona OK. Primero conectamos:
# openssl s_client -key jose.key -cert jose.crt -connect lobo99.com:4443 -prexit
CONNECTED(00000003) depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com verify error:num=18:self signed certificate verify return:1 depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com verify return:1 --- Certificate chain 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- Server certificate -----BEGIN CERTIFICATE----- MIICLzCCAZgCCQDNzGD1CybT2DANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxMzQx WhcNMTQxMTE0MTQxMzQxWjBcMQswCQYDVQQGEwJFUzESMBAGA1UECAwJQmFyY2Vs b25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoMCmxvYm85OS5jb20xEzARBgNV BAMMCmxvYm85OS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXm6oQv uvAYsDXII9E5U0pMZO+xmK+qfnM+Mtjx371BBmPOqsPvZV3V57ySFbl9li0jehbU WLai3775RBtTj2rGZzMV8/0gkntjV5VE0Ouz6eHbN60YJm/co75w70mm4H/mXbA5 I0cNwpNAngGXjrisbXH3yvRJtt1akmu5wH2VAgMBAAEwDQYJKoZIhvcNAQEFBQAD gYEAsJv09u9+25Dpkb564Wa5kGE4sJvtxD/Mc757imzLs01lkVW99EX82m4blmwK 1Mddr3pK1sdAyOON39/Jwg/TYO23McjonDlouYENvnk5VJuybHNnIrch+i+4VLOI N7h7G234EEmvpKmalB/F/ZZwdWkR1EEgPC9IReO2Ttk/c0w= -----END CERTIFICATE----- subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- No client certificate CA names sent --- SSL handshake has read 1134 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: B1CFF3FD9D0ED0E233823FF1161D7313C0759D32A88966B7F52A44B932494C29 Session-ID-ctx: Master-Key: 59C74C051414EEE68F4C06EEC2EBD4EA086848F5DD6A239AFB473C5D8ED9F1A2061FC6B47A960396EB283D53E9A1DF07 Key-Arg : None Start Time: 1384527110 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
Ahora hacemos la petición
# GET /cert/index.html
depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com verify error:num=18:self signed certificate verify return:1 depth=0 /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com verify return:1 read R BLOCK Certificado personal Valido closed --- Certificate chain 0 s:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com i:/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- Server certificate -----BEGIN CERTIFICATE----- MIICLzCCAZgCCQDNzGD1CybT2DANBgkqhkiG9w0BAQUFADBcMQswCQYDVQQGEwJF UzESMBAGA1UECAwJQmFyY2Vsb25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoM CmxvYm85OS5jb20xEzARBgNVBAMMCmxvYm85OS5jb20wHhcNMTMxMTE0MTQxMzQx WhcNMTQxMTE0MTQxMzQxWjBcMQswCQYDVQQGEwJFUzESMBAGA1UECAwJQmFyY2Vs b25hMQ8wDQYDVQQHDAZNYXRhcm8xEzARBgNVBAoMCmxvYm85OS5jb20xEzARBgNV BAMMCmxvYm85OS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMXm6oQv uvAYsDXII9E5U0pMZO+xmK+qfnM+Mtjx371BBmPOqsPvZV3V57ySFbl9li0jehbU WLai3775RBtTj2rGZzMV8/0gkntjV5VE0Ouz6eHbN60YJm/co75w70mm4H/mXbA5 I0cNwpNAngGXjrisbXH3yvRJtt1akmu5wH2VAgMBAAEwDQYJKoZIhvcNAQEFBQAD gYEAsJv09u9+25Dpkb564Wa5kGE4sJvtxD/Mc757imzLs01lkVW99EX82m4blmwK 1Mddr3pK1sdAyOON39/Jwg/TYO23McjonDlouYENvnk5VJuybHNnIrch+i+4VLOI N7h7G234EEmvpKmalB/F/ZZwdWkR1EEgPC9IReO2Ttk/c0w= -----END CERTIFICATE----- subject=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com issuer=/C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- Acceptable client certificate CA names /C=ES/ST=Barcelona/L=Mataro/O=lobo99.com/CN=lobo99.com --- SSL handshake has read 2699 bytes and written 1644 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 6F130D6FC788FB7A753469DF2A31DCBE4C8424F3F18B14334B20B1776BC5D3DA Session-ID-ctx: Master-Key: 4839F14C631B20BCEC8E789FD06C007559E3135426DBE6EAB2C43A0BAC1CBD740E38B8E19D2251BB4E72FBD7CBF80231 Key-Arg : None Start Time: 1384527161 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---