> On Mar 5, 2018, at 12:58 AM, salil GK <gksalil@xxxxxxxxx> wrote:
>
> openssl s_client -cert tomcat.pem -key tomcat_priv.pem -CAfile ca.pem -connect lrc1.cisco.com:8446
>
> -----
>
> #$ openssl s_server -key privkey.pem -cert server.pem -accept 8446 -verify ca.pem
> verify depth is 0
> Using default temp DH parameters
> ACCEPT
> depth=2 O = Cisco Systems, CN = trca-4096-sha2
> verify error:num=19:self signed certificate in certificate chain
> ERROR
> verify error:self signed certificate in certificate chain
> 140011871301248:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3427:
> shutting down SSL
> CONNECTION CLOSED
>
> What is the meaning of this error and how do I correct this - ?

You have not specified a "-CAfile" or "-CApath" option telling
"s_server" where to look for the "O = Cisco Systems, CN = trca-4096-sha2"
trusted issuer CA certificate. You've also incorrectly specified the
"-verify" option, which certainly does not help.

    https://www.openssl.org/docs/man1.0.2/apps/openssl-s_server.html

    -verify depth, -Verify depth
        The verify depth to use. This specifies the maximum length of the
        client certificate chain and makes the server request a certificate
        from the client. With the -verify option a certificate is requested
        but the client does not have to send one, with the -Verify option
        the client must supply a certificate or an error occurs.

        If the ciphersuite cannot request a client certificate (for example
        an anonymous ciphersuite or PSK) this option has no effect.

--
    Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
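
The failure and the fix discussed in this thread can be reproduced offline with `openssl verify`; the script below is an added example, not part of the original messages. It builds a constructed three-level chain (all subjects and file names are made up, and `-no-CAfile`/`-no-CApath` assume OpenSSL 1.1.0 or later), then verifies the client certificate without and with the root as a trust anchor.

```shell
#!/bin/sh
# Added example. All subjects, file names and lifetimes are constructed.

# make_chain DIR: create root CA -> intermediate CA -> client cert in DIR.
make_chain() {
    d=$1
    mkdir -p "$d" || return 1
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 2 -subj "/O=Demo/CN=demo-root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    for n in intermediate client; do
        openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
            -subj "/O=Demo/CN=demo-$n" -keyout "$d/$n.key" -out "$d/$n.csr" \
            2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 2 -extfile "$d/demo.cnf" \
        -extensions v3_ca -out "$d/intermediate.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 2 -extfile "$d/demo.cnf" \
        -extensions v3_leaf -out "$d/client.pem" 2>/dev/null || return 1
    # What the peer presents with its leaf: intermediate plus self-signed root.
    cat "$d/intermediate.pem" "$d/root.pem" > "$d/chain.pem"
}

# verify_client DIR [TRUSTED_CA_FILE]: verify the client cert against the
# presented chain; with no CA file, no trust anchors are loaded at all.
verify_client() {
    d=$1
    if [ -n "$2" ]; then trust="-CAfile $2"; else trust="-no-CAfile -no-CApath"; fi
    openssl verify $trust -untrusted "$d/chain.pem" "$d/client.pem" 2>&1
}

# Assumed s_server equivalent (not run here; assumes ca.pem holds the root):
#   openssl s_server -key privkey.pem -cert server.pem -accept 8446 \
#       -Verify 2 -CAfile ca.pem
```

Without a trust anchor the self-signed root in the presented chain is rejected with error 19 at depth 2, as in the `s_server` output above; passing the root through `-CAfile` makes the same chain verify.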