
rohc team mailing list archive

Re: IPROHC certificate cannot be verified


Hello,

My answers below.

> I am testing IP ROHC on CentOS boxes. The installed software version is
> iprohc-main. Installed server and client on two different CentOS
> boxes (CentOS 7.1). Created certificates for client and server as per
> the URL below.
> 
> http://rohc-lib.org/wiki/doku.php?id=iprohc-run
> 
> Started the server successfully. When the IP ROHC client is connected to
> the server using the command below
> iprohc_client --remote x.x.x.x --port 3126 --dev iprohc -b eth0 --p12
> /etc/pki/CA/certs/IpRohcClient1/client1.p12, the server throws the
> errors below.
> 
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [main] new connection
> from client
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [main] will store
> client 1/50 at index 0
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [104.131.12.124] new
> connection from 104.131.12.124:51237
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: start of thread
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: TLS handshake succeeded
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: certificate cannot be
> verified (status 66)
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: - unable to trust
> certificate issuer
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: close TLS session
> Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: end of thread
> 
> Please advise.

According to the GnuTLS documentation, status 66 means that:

  "The certificate's issuer is not known. This is the case if the
   issuer is not included in the trusted certificate list."

When you created the certificates, did you use the "-certfile
demoCA/cacert.pem" option for the "openssl pkcs12" command as specified
in the wiki page https://rohc-lib.org/wiki/doku.php?id=iprohc-run ?
This is needed for both server and client.

If unsure, ask OpenSSL to display the content of the PKCS#12 files:
$ openssl pkcs12 -in demoCA/certs/IpRohcServer/newcert.p12 -info
$ openssl pkcs12 -in demoCA/certs/IpRohcClient1/newcert.p12 -info

They should both contain 2 certificates and one encrypted private key.
If not, delete them and re-run the "openssl pkcs12" command with all
arguments. If yes, then please ensure that you used the same CA for
both client and server.

Regards,
Didier
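The check Didier describes, as an added example that is not part of the thread or of the iprohc project: the script below builds a throwaway CA and client certificate (constructed names, a constructed password "changeit", all in a temporary directory), bundles the client key into PKCS#12 once without and once with the `-certfile` option from the wiki, then counts the certificates in each bundle and verifies that the client certificate chains to a CA certificate carried in the same file. It assumes only that the `openssl` command-line tool is installed. For reference, GnuTLS status 66 is the bitmask GNUTLS_CERT_INVALID (2) | GNUTLS_CERT_SIGNER_NOT_FOUND (64), i.e. exactly the "issuer not in the trusted list" condition the bundle without the CA certificate produces.

```shell
#!/bin/sh
# Added example (not iprohc project code): show what a PKCS#12 file built
# with and without "-certfile cacert.pem" contains, and whether the client
# certificate inside it can be verified against a CA certificate also inside it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="pass:changeit"   # constructed throwaway password for the demo bundles

# Throwaway self-signed CA and a client certificate signed by it (constructed names).
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo IPROHC CA" \
    -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" -days 1 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORK/client1.key" -out "$WORK/client1.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/client1.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cacert.key" -CAcreateserial -out "$WORK/client1.pem" \
    -days 1 >/dev/null 2>&1

# Bundle WITHOUT -certfile: only the client certificate and its key end up in the file.
openssl pkcs12 -export -in "$WORK/client1.pem" -inkey "$WORK/client1.key" \
    -out "$WORK/client1-noca.p12" -passout "$PASS"

# Bundle WITH -certfile, as the wiki instructs: the CA certificate is included too.
openssl pkcs12 -export -in "$WORK/client1.pem" -inkey "$WORK/client1.key" \
    -certfile "$WORK/cacert.pem" -out "$WORK/client1-ca.p12" -passout "$PASS"

# Number of certificates inside a PKCS#12 file (a correct iprohc bundle has 2).
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Does the client certificate in the bundle chain to a CA certificate in the same bundle?
# Prints "ok" or "untrusted issuer" (the latter is what the server logged in the thread).
verify_p12_chain() {
    # "-cacerts" selects bags without a localKeyID (the -certfile certificates),
    # "-clcerts" the certificate that matches the private key.
    openssl pkcs12 -in "$1" -nokeys -cacerts -passin "$PASS" \
        > "$WORK/chain-ca.pem" 2>/dev/null || true
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "$PASS" \
        > "$WORK/chain-leaf.pem" 2>/dev/null || true
    if openssl verify -CAfile "$WORK/chain-ca.pem" "$WORK/chain-leaf.pem" >/dev/null 2>&1; then
        echo "ok"
    else
        echo "untrusted issuer"
    fi
}

# Stand-alone run: compare the two bundles.
for bundle in client1-noca.p12 client1-ca.p12; do
    echo "$bundle: $(count_p12_certs "$WORK/$bundle") certificate(s)," \
         "chain check: $(verify_p12_chain "$WORK/$bundle")"
done
```

The same two checks apply to a real bundle: run `count_p12_certs` and `verify_p12_chain` against the `.p12` files from the wiki procedure (with the real password) and expect 2 certificates and "ok"; a count of 1, or "untrusted issuer" with a count of 2, points respectively to a missing `-certfile` and to client and server bundles signed by different CAs.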

