Hello,

I was wondering whether I am doing something wrong or whether the strict and loose client
auth options in syslog connector 6.1r10 are not working as they should.

So, here goes the story:


- I generated two self signed certificates cert1.pem and cert2.pem

Code:
--------------------

# openssl req -nodes -new -x509 -days 365 -keyout cert1.pem -out cert1.pem
# openssl req -nodes -new -x509 -days 365 -keyout cert2.pem -out cert2.pem

--------------------

- I created a truststore with only one of the certs inside

Code:
--------------------

# TruststoreCreator.bat
Enter the file name for the truststore: ts
Enter the password to create truststore:*****
Enter the list of certificates to import (comma seperated): cert1.pem
Created ts successfully

--------------------

- I imported the truststore into the syslog event source server.


And now the testing part, which is not working as I expected:

- connection with cert1, the one which is in the truststore

Code:
--------------------

# openssl s_client -connect 161.89.25.232:11514 -ssl3 -cert cert1.pem
CONNECTED(00000003)
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify return:1
---
Certificate chain
0 s:/C=US/CN=Novell NSure Audit
i:/C=US/CN=Novell NSure Audit
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBpDCCAU6gAwIBAgIEJwUZdzANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJV
UzEbMBkGA1UEAxMSTm92ZWxsIE5TdXJlIEF1ZGl0MB4XDTAzMDMzMDAzMDgyNloX
DTEzMDMyNzAzMDgyNlowKjELMAkGA1UEBhMCVVMxGzAZBgNVBAMTEk5vdmVsbCBO
U3VyZSBBdWRpdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDAfCh6d4GOmYd16WB0
gkdFxutR9O0R7sceFY4di2GJCCol+Nl2iQjo8q1KVz1dautEFoQiS/JzqwLJmmg5
PqBzAgMBAAGjXDBaMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
A1UdDgQWBBTApKjt/Z4YUzX2MlmGJhNs/Xco5jAYBgxghkgBhvg3AYJbCgEECBYG
TkF1ZGl0MA0GCSqGSIb3DQEBBAUAA0EAmoj+rclCSq9OZYwrljfzElFWtzDPgEe0
6V6y0W0ooRj4bDbDFQ2of6HRbJfhsPHT8wAs/MV/4LsvVYOXGAiH8g==
-----END CERTIFICATE-----
subject=/C=US/CN=Novell NSure Audit
issuer=/C=US/CN=Novell NSure Audit
---
Acceptable client certificate CA names
/C=PL/ST=""/L=Bydgoszcz/O=Atos/CN=srv-hps-tdpc-linux
---
SSL handshake has read 1066 bytes and written 1195 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 50659BC381FD38D5D085E5ED19C07248B3E69529A98487A8AB36E73D91A9F9D1
Session-ID-ctx:
Master-Key: 71413B718A9A315C0BB938D1E521544BD9A68E648F299E9D396BAB90B625F258B4081DE7B5E77943B9B09DA9833A3464
Key-Arg : None
Start Time: 1348834683
Timeout : 7200 (sec)
Verify return code: 26 (unsupported certificate purpose)
---
^D
DONE

--------------------

The above does work, as I expected.
- connection with cert2, the one which is NOT in the truststore

Code:
--------------------

# openssl s_client -connect 161.89.25.232:11514 -ssl3 -cert cert2.pem
CONNECTED(00000003)
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify return:1
3402:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1094:SSL alert number 46
3402:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

--------------------

The above does not work, as I expected.
- connection without any client cert

Code:
--------------------

# openssl s_client -connect 161.89.25.232:11514 -ssl3
CONNECTED(00000003)
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 /C=US/CN=Novell NSure Audit
verify return:1
---
Certificate chain
0 s:/C=US/CN=Novell NSure Audit
i:/C=US/CN=Novell NSure Audit
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBpDCCAU6gAwIBAgIEJwUZdzANBgkqhkiG9w0BAQQFADAqMQswCQYDVQQGEwJV
UzEbMBkGA1UEAxMSTm92ZWxsIE5TdXJlIEF1ZGl0MB4XDTAzMDMzMDAzMDgyNloX
DTEzMDMyNzAzMDgyNlowKjELMAkGA1UEBhMCVVMxGzAZBgNVBAMTEk5vdmVsbCBO
U3VyZSBBdWRpdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDAfCh6d4GOmYd16WB0
gkdFxutR9O0R7sceFY4di2GJCCol+Nl2iQjo8q1KVz1dautEFoQiS/JzqwLJmmg5
PqBzAgMBAAGjXDBaMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
A1UdDgQWBBTApKjt/Z4YUzX2MlmGJhNs/Xco5jAYBgxghkgBhvg3AYJbCgEECBYG
TkF1ZGl0MA0GCSqGSIb3DQEBBAUAA0EAmoj+rclCSq9OZYwrljfzElFWtzDPgEe0
6V6y0W0ooRj4bDbDFQ2of6HRbJfhsPHT8wAs/MV/4LsvVYOXGAiH8g==
-----END CERTIFICATE-----
subject=/C=US/CN=Novell NSure Audit
issuer=/C=US/CN=Novell NSure Audit
---
Acceptable client certificate CA names
/C=PL/ST=""/L=Bydgoszcz/O=Atos/CN=srv-hps-tdpc-linux
---
SSL handshake has read 1066 bytes and written 290 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 512 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 50659C7569650612B021BC0F835FDD19A0D6C79FE84BE572375AE86AF54984FD
Session-ID-ctx:
Master-Key: 94523619B9D4F8180EAC0A576A4432E1E8F24813F59F9F368E86000A2973DAD70D72DE7717C08C25CDB4A77348446911
Key-Arg : None
Start Time: 1348834862
Timeout : 7200 (sec)
Verify return code: 26 (unsupported certificate purpose)
---
^D
DONE

--------------------

The connection DOES work. How?

The same happens if I select loose client auth and I don't specify any
client cert. The connection also works.
Any hints?

PS.
I dumped the SSL handshake; the interesting part is highlighted:

[image: http://s9.postimage.org/ef2pkchr3/20..._15h07_23.png]

Bug or not a bug?


--
piotr_chmylkowski
------------------------------------------------------------------------
piotr_chmylkowski's Profile: https://forums.netiq.com/member.php?userid=1605
View this thread: https://forums.netiq.com/showthread.php?t=42653