2 Certificate problems

OpenSSL used with CRLs and for some CA in the certificate chain its CRL is not included in TLSCRLFile

In TLS server log in case of mbed TLS (PolarSSL) and OpenSSL peers:

failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
           file s3_srvr.c line 3251: error:14089086: SSL routines:ssl3_get_client_certificate:certificate verify failed: \
           TLS write fatal alert "unknown CA"
Copy
✔ Copied

In TLS server log in case of GnuTLS peer:

failed to accept an incoming connection: from 127.0.0.1: TLS handshake with 127.0.0.1 returned error code 1: \
           file rsa_pk1.c line 103: error:0407006A: rsa routines:RSA_padding_check_PKCS1_type_1:\
           block type is not 01 file rsa_eay.c line 705: error:04067072: rsa routines:RSA_EAY_PUBLIC_DECRYPT:paddin
Copy
✔ Copied

CRL expired or expires during server operation

OpenSSL, in server log:

  • before expiration:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
           SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
           SSL routines:ssl3_get_server_certificate:certificate verify failed:\
           TLS write fatal alert "certificate revoked"
Copy
✔ Copied
  • after expiration:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
           SSL_connect() returned SSL_ERROR_SSL: file s3_clnt.c line 1253: error:14090086:\
           SSL routines:ssl3_get_server_certificate:certificate verify failed:\
           TLS write fatal alert "certificate expired"
Copy
✔ Copied

The point here is that with valid CRL a revoked certificate is reported as "certificate revoked". When CRL expires the error message changes to "certificate expired" which is quite misleading.

GnuTLS, in server log:

  • before and after expiration the same:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
             invalid peer certificate: The certificate is NOT trusted. The certificate chain is revoked.
Copy
✔ Copied

mbed TLS (PolarSSL), in server log:

  • before expiration:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
           invalid peer certificate: revoked
Copy
✔ Copied
  • after expiration:
cannot connect to proxy "proxy-openssl-1.0.1e": TCP successful, cannot establish TLS to [[127.0.0.1]:20004]:\
             invalid peer certificate: revoked, CRL expired
Copy
✔ Copied
To toggle search highlight, press Ctrl+Alt+H
Have an improvement suggestion for this page? Select the text that could be improved and press Ctrl+Enter to send it to the editors.