OpenSSL and OCS and Windows 2003 CA

BoNes

I am trying to enable TLS connectivity between my application (which
uses a 3rd-party app that requires OpenSSL) and Office Communicator
Server (OCS).

I suppose the applications on the platforms do not matter at this
stage. I have a CA on my Domain Controller and the OCS server uses
this when it applies its certificates during configuration.

So on my application/platform I issued a certificate from the same CA
(tried exporting, creating, etc., all methods), and converted the PFX to
PEM format for OpenSSL using

openssl pkcs12 -in X:\dir\certA.pfx -out X:\dir\certA.pem -nodes

to do this.

I apply this certificate to the machine with my application; it is
read in, loaded and added to the trusted CAs via the 3rd-party APIs
fine.

When I try to enable TLS I get handshaking (Server/Client Hello sent)
but it then suddenly terminates. The error I am getting is on my
application's server and not the OCS machine. The logs (Wireshark / OCS
logger) tell me:
"The peer certificate does not contain a matching FQDN"

I have tried all I know in creating these certificates but no joy, same
error every time.
I have tried:
- Exporting the actual certificate from OCS
- A new certificate from the same CA
- Reusing the same certificate

Is the conversion perhaps incorrect? Any ideas/suggestions would be
gratefully appreciated.

Regards
 

S. Pidgorny

I reckon everything may be okay with the certificate format, and the error
message is self-explanatory: a certificate for one FQDN is expected, and one for
another is presented. Unfortunately you don't give enough information to
tell what the FQDN in question is and what its place in your
infrastructure is.

I'd recommend using s_client (a part of OpenSSL suite) for SSL handshake
verification.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"BoNes" <eoinmoon@gmail.com> wrote in message
news:1194954318.174198.118600@v2g2000hsf.googlegroups.com...
 

BoNes

On 14 Nov, 09:27, "S. Pidgorny <MVP>" <slavi...@yahoo.com> wrote:

Thanks for that, I will give it a go. Here is the certificate on the
peer (application server); maybe you will spot something in there that
I cannot.
Again many thanks for the advice. I have deleted sections because I am
unsure of how smart it is to post a certificate (even one I generated
for tests) online.

Bag Attributes
1.3.6.1.4.1.311.17.2: <No Values>
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: <deleted by me>
Key Attributes
X509v3 Key Usage: 10
-----BEGIN RSA PRIVATE KEY-----

<deleted by me>

-----END RSA PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00
friendlyName: sipserver14
subject=/C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=ServerX.ocstwo.com
issuer=/DC=com/DC=ocstwo/CN=ocstwo
-----BEGIN CERTIFICATE-----

<deleted by me>

-----END CERTIFICATE-----
 

BoNes

OpenSSL> s_client -connect applicationserver:5061 -cert d:\tlscert\sipccmscert.pem -CApath d:\tlscert\ -state
Loading 'screen' into random state - done
CONNECTED(00000084)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=serverx.ocstwo.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=serverx.ocstwo.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=serverx.ocstwo.com
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
0 s:/C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=serverx.ocstwo.com
i:/DC=com/DC=ocstwo/CN=ocstwo
---
Server certificate
-----BEGIN CERTIFICATE-----
<deleted by me>

-----END CERTIFICATE-----
subject=/C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=serverx.ocstwo.com
issuer=/DC=com/DC=ocstwo/CN=ocstwo
---
No client certificate CA names sent
---
SSL handshake has read 1627 bytes and written 314 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID:
FF0B000086EC47DDC65394413EA53DD9349B0FBB51D0927A8A644CC78DFB76AC

Session-ID-ctx:
Master-Key:
EBD3E560F715166AA7B389973E0792031047E28FEA6E0B1A6E320775C08EFBA3
AE8CB701E6C436759B595F3880F57F0F
Key-Arg : None
Start Time: 1195052123
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---

Apologies if I am posting unnecessary info; I am very new to this and I
find it very slow going so far.
 

BoNes

On 14 Nov, 15:10, BoNes <eoinm...@gmail.com> wrote:

Sorry, I deleted some info when editing.

I am running s_client on the application server itself. Is this a
valid test, or should I be trying this command on the OCS server?
 

S. Pidgorny

The apparent issue is that OpenSSL doesn't trust the certificate you're
trying to use. From the OpenSSL FAQ (http://www.openssl.org/support/faq.html):
"When a certificate is verified its root CA must be "trusted" by OpenSSL;
this typically means that the CA certificate must be placed in a directory
or file and the relevant program configured to read it."

One other thing is that the cert is for the FQDN "serverx.ocstwo.com", and
you're trying to use "applicationserver" instead. Since the two aren't the
same, touchy software (OCS) may have complaints.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"BoNes" <eoinmoon@gmail.com> wrote in message
news:1195053134.839809.229540@v3g2000hsg.googlegroups.com...
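An added example, not part of the thread and not anything the OpenSSL project or Microsoft ships: the shell script below reproduces, offline, the two things discussed above, the PFX-to-PEM conversion from the first post and the trust-store plus FQDN checks from this reply. It builds its own throwaway CA (a stand-in for the Windows 2003 domain CA) and a leaf certificate with the subject shown in the s_client output, round-trips the leaf through PKCS#12 with the same "openssl pkcs12 ... -nodes" form the original post used, and then runs "openssl verify" against (a) a directory where the CA certificate is stored under its subject-hash name, which is what -CApath requires, (b) the same CA stored as a plain ca.pem, which -CApath cannot find and which yields the "unable to get local issuer certificate" seen in the thread, and (c) the two host names in play, serverx.ocstwo.com and applicationserver. All file names, the CA itself, the password "demo" and the presence of a subjectAltName on the leaf are constructed for this demo; the real AD-issued certificate may carry only a CN, in which case OpenSSL checks the CN because no DNS SAN is present.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the chain and FQDN checks that
# s_client reported, using a throwaway CA and leaf certificate generated here.
# Names ocstwo, serverx.ocstwo.com and applicationserver come from the thread;
# every file name, the CA, the SAN and the password "demo" are constructed.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; skipping"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. Stand-in for the domain CA (constructed, self-signed).
openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/DC=com/DC=ocstwo/CN=ocstwo" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Leaf certificate with the subject seen in the thread, signed by that CA.
openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/C=IE/ST=Connaught/L=Galway/O=nortel/OU=sip/CN=serverx.ocstwo.com" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'subjectAltName=DNS:serverx.ocstwo.com\n' > "$WORK/san.ext"
openssl x509 -req -days 30 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/san.ext" -out "$WORK/srv.pem" 2>/dev/null

# 3. PKCS#12 round trip as in the original post (PFX -> PEM with -nodes),
#    then pull the certificate alone out of the combined key+cert PEM.
openssl pkcs12 -export -in "$WORK/srv.pem" -inkey "$WORK/srv.key" \
    -out "$WORK/srv.pfx" -passout pass:demo
openssl pkcs12 -in "$WORK/srv.pfx" -out "$WORK/srv_conv.pem" -nodes -passin pass:demo
openssl x509 -in "$WORK/srv_conv.pem" -out "$WORK/srv_cert.pem"

# 4. Two trust directories: CA stored under its subject-hash name (what -CApath
#    looks up) and the same CA under a plain name (which -CApath never finds).
mkdir -p "$WORK/hashed" "$WORK/flat"
cp "$WORK/ca.pem" "$WORK/hashed/$(openssl x509 -in "$WORK/ca.pem" -noout -hash).0"
cp "$WORK/ca.pem" "$WORK/flat/ca.pem"

# Chain check: exit status of openssl verify (0 = chain builds to a trusted CA).
verify_chain() {   # $1 = -CApath or -CAfile, $2 = path, $3 = certificate
    openssl verify "$1" "$2" "$3" >/dev/null 2>&1
}

# Name check: chain check plus the FQDN the client connects to.
verify_name() {    # $1 = expected FQDN, $2 = CA file, $3 = certificate
    openssl verify -CAfile "$2" -verify_hostname "$1" "$3" >/dev/null 2>&1
}

# Names the certificate actually carries (DNS SANs first; OpenSSL falls back
# to the CN only when the certificate has no DNS SAN at all).
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName 2>/dev/null \
        || openssl x509 -in "$1" -noout -subject
}

cert_names "$WORK/srv_cert.pem"
verify_chain -CApath "$WORK/hashed" "$WORK/srv_cert.pem" && echo "hashed -CApath: chain OK"
verify_chain -CApath "$WORK/flat" "$WORK/srv_cert.pem"   || echo "flat -CApath: unable to get local issuer certificate"
verify_name serverx.ocstwo.com "$WORK/ca.pem" "$WORK/srv_cert.pem" && echo "serverx.ocstwo.com: name OK"
verify_name applicationserver "$WORK/ca.pem" "$WORK/srv_cert.pem"  || echo "applicationserver: hostname mismatch"
```

Against the live server the same two checks are "openssl s_client -connect serverx.ocstwo.com:5061 -CAfile ca.pem -verify_hostname serverx.ocstwo.com -verify_return_error" (or -CApath pointing at a directory prepared with c_rehash); connecting by the short name applicationserver fails the name check even once the chain is trusted, so the peer should be addressed by the exact FQDN in the certificate or reissued with that name. One caveat for anyone repeating the PFX step with a current toolkit: PFX files exported by Windows of that era are encrypted with RC2-40, which OpenSSL 3 only reads with "openssl pkcs12 -legacy".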
 