Troubleshooting/debugging self-signed SSL certs/OCSInventory

So I've set up OCSInventory (OCS) on FreeBSD 10.3 and I'm having problems trying to get the OCSInventory agent to communicate properly with the server. I'm running the latest version of OCS which requires SSL to function. I've generated a self-signed cert but the handshake is failing. The server is running OpenSSL v1.0.1s and on the Mac OS X client OpenSSL v1.0.2g. The error code that is being returned by the OCS agent on the client is:


Code:
Cannot establish communication : 500 SSL negotiation failed: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Connecting with the openssl s_client results in the following error (relevant parts):


Code:
No client certificate CA names sent
...
Verify return code: 18 (self signed certificate)

I don't know if the conflict is due to the cert being generated with the older version of OpenSSL on the server and the client running a newer version.

I'm thinking that I'll have to update OpenSSL on the server side and regenerate the certs, but if anyone has gone through this I'd appreciate any help!

Thanks!
 
It's failing because it cannot verify the certificate. You'll have to add your CA key to the chain so the certificate can be verified.
 
Here are the steps I followed:
  1. openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.crt
  2. openssl req -days 3650 -nodes -new -keyout server.key -out server.csr
  3. openssl x509 -req -days 3650 -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial
  4. openssl req -days 3650 -nodes -new -keyout client.key -out client.csr
  5. openssl x509 -req -days 3650 -in client.csr -out client.crt -CA ca.crt -CAkey ca.key
  6. openssl x509 -in client.crt -out client.pem -outform PEM
Doesn't #3 add the CA to the chain? I only installed the client.pem cert on the client. Do I need to install the CA cert as well on the client?
 
Server settings in httpd-ssl.conf :

Code:
SSLCertificateKeyFile "/etc/ssl/private/server.key"
SSLCertificateFile "/etc/ssl/certs/server.crt"
SSLCertificateChainFile "/etc/ssl/ca/ca.crt"

I do not have the following set (should I?):

Code:
SSLCACertificatePath
SSLCACertificateFile
 
Yes, but that still won't allow the client to check the certificate. The server will present a certificate to the client, the client checks the certificate and sees it's signed by an unknown CA. In order for the client-side check to succeed it has to know, and trust, the CA. This is why security/ca_root_nss has a bunch of root CA certificates from common, trusted, authorities like VeriSign/Symantec.
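The point above, that a CA cert handed over in the server's chain is not the same as a CA the client trusts, can be reproduced locally with `openssl verify`. This is an added example, not code from the thread or from OCSInventory; the subject names and 2048-bit key size are assumptions, and everything is created in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: build a private CA plus a CA-signed
# server cert (assumed names, 2048-bit RSA) in a temp dir, then show that
# "openssl verify" only succeeds once the verifier trusts the CA itself.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {
  # Self-signed CA, like step 1 in the thread (subject is a placeholder)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Server key + CSR, then sign it with the CA (steps 2-3 in the thread)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=ocs.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 3650 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
}

# Prints the X509 verify result for server.crt given extra "openssl verify"
# options: 0 when the chain verifies, otherwise the numeric error code
# (20 = no trusted issuer found, 19 = self-signed cert in chain, ...).
verify_code() {
  out=$(openssl verify "$@" "$WORK/server.crt" 2>&1 || true)
  case "$out" in
    *": OK"*) echo 0 ;;
    *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
  esac
}

make_certs
# The client knows nothing about the CA: the same situation as the OCS agent.
echo "no trust anchors:       $(verify_code)"
# A server-side chain file only hands the client the CA cert; it is still
# untrusted, so offering it as untrusted chain material still fails.
echo "CA as untrusted chain:  $(verify_code -untrusted "$WORK/ca.crt")"
# Installing ca.crt as a trust anchor on the client is what makes it pass.
echo "CA as trust anchor:     $(verify_code -CAfile "$WORK/ca.crt")"
```

The same three states can be observed against the real server with `openssl s_client -connect host:443` with and without `-CAfile ca.crt`; the "Verify return code" line is the value the agent's TLS library acts on.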
 
Well I installed the root CA cert and the issue persists. I'm going to regenerate the certs with stronger encryption (2048 vs 1024) to see if that makes a difference. The browser I tested on had a message stating that it was weak encryption.
 