
rohc team mailing list archive

Re: IPROHC certificate cannot be verified

 

Hi Didier,
Thank you for the reply. I followed the same steps and displayed the content of
the PKCS#12 files. They contained two certificates and one encrypted private key.

Please provide more details about what you mentioned: "If yes, then please
ensure that you used the same CA for both client and server".

I have used the same password for both server and client and did not use export
passwords. I gave the same value for everything on both client and server except
the ones below:

*Server*
Common Name (e.g. server FQDN or YOUR name) []:IpRohcServer
/etc/pki/CA/certs/IpRohcServer/newcert.p12


*Client*
Common Name (e.g. server FQDN or YOUR name) []:IpRohcClient1
/etc/pki/CA/certs/IpRohcClient1/newcert.p12

Thanks,
Kimo


On Sun, Oct 18, 2015 at 5:59 AM, Didier Barvaux <didier@xxxxxxxxxxx> wrote:

> Hello,
>
> My answers below.
>
> > I am testing IP ROHC on CentOS boxes. The installed software version is
> > iprohc-main. I installed the server and client on two different CentOS
> > boxes (CentOS 7.1) and created certificates for client and server as per
> > the URL below.
> >
> > http://rohc-lib.org/wiki/doku.php?id=iprohc-run
> >
> > The server started successfully. When the IP ROHC client connects to the
> > server using the command below
> > iprohc_client --remote x.x.x.x --port 3126 --dev iprohc -b eth0 --p12
> > /etc/pki/CA/certs/IpRohcClient1/client1.p12
> > the server throws the errors below.
> >
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [main] new connection
> > from client
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [main] will store
> > client 1/50 at index 0
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: [104.131.12.124] new
> > connection from 104.131.12.124:51237
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: start of thread
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: TLS handshake succeeded
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: certificate cannot be
> > verified (status 66)
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: - unable to trust
> > certificate issuer
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: close TLS session
> > Oct 14 11:26:22 kkmubuntu iprohc_server[3465]: end of thread
> >
> > Please advise.
>
> According to GnuTLS documentation, status 66 means that:
>
>   "The certificate's issuer is not known. This is the case if the
>    issuer is not included in the trusted certificate list."
>
> When you created the certificates, did you use the "-certfile
> demoCA/cacert.pem" option for the "openssl pkcs12" command as specified
> in the wiki page https://rohc-lib.org/wiki/doku.php?id=iprohc-run ?
> This is needed for both server and client.
>
> If unsure, ask OpenSSL to display the content of the PKCS#12 files:
> $ openssl pkcs12 -in demoCA/certs/IpRohcServer/newcert.p12 -info
> $ openssl pkcs12 -in demoCA/certs/IpRohcClient1/newcert.p12 -info
>
> They should both contain 2 certificates and one encrypted private key.
> If not, delete them and re-run the "openssl pkcs12" command with all
> arguments. If yes, then please ensure that you used the same CA for
> both client and server.
>
> Regards,
> Didier

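Added example (not part of the original thread and not code from the IP/ROHC project): one way to test "same CA for both client and server" directly, by checking that the certificate in each PKCS#12 file verifies against the CA carried in the other file. It assumes each peer trusts the CA certificate stored in its own bundle; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the IP/ROHC project.
# Assumption: each peer trusts the CA certificate(s) stored in its own .p12.

# p12_extract FILE PASSWORD ca|leaf OUT: write the selected certs as PEM.
p12_extract() {
    case "$3" in
        ca)   sel=-cacerts ;;   # certs added with "-certfile" at export time
        leaf) sel=-clcerts ;;   # the cert that matches the private key
        *)    return 2 ;;
    esac
    openssl pkcs12 -in "$1" -nokeys "$sel" -passin "pass:$2" 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$4"
    [ -s "$4" ]                 # empty output: wrong password or no such cert
}

# p12_peer_trusts VERIFIER_P12 VERIFIER_PW PEER_P12 PEER_PW
# 0: peer's cert chains to the verifier's CA; 1: issuer not trusted;
# 2: a bundle could not be read or lacks the CA or leaf certificate.
p12_peer_trusts() {
    tmp=$(mktemp -d) || return 2
    if p12_extract "$1" "$2" ca "$tmp/ca.pem" &&
       p12_extract "$3" "$4" leaf "$tmp/leaf.pem"; then
        if openssl verify -CAfile "$tmp/ca.pem" "$tmp/leaf.pem" >/dev/null 2>&1
        then rc=0; else rc=1; fi
    else
        rc=2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# p12_check_pair SERVER_P12 CLIENT_P12 [PASSWORD]: check both directions.
p12_check_pair() {
    p12_peer_trusts "$1" "${3-}" "$2" "${3-}" ||
        { echo "server's CA does not verify the client certificate"; return 1; }
    p12_peer_trusts "$2" "${3-}" "$1" "${3-}" ||
        { echo "client's CA does not verify the server certificate"; return 1; }
    echo "OK: both certificates chain to the CA in the other bundle"
}
```

Copy both .p12 files to one machine and call p12_check_pair with the server file, the client file and the import password. A failure in either direction is the offline equivalent of the "unable to trust certificate issuer" message in the server log.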