
I'm connecting to a host that requires a client certificate. Is the below failure rejecting my client certificate or does it mean chilkat is rejecting the remote servers certificate?

Thanks!

ChilkatLog:
  GetServerSslCert:
    DllDate: Dec 30 2015
    ChilkatVersion: 9.5.0.55
    UnlockPrefix: NTHttp
    Architecture: Little Endian; 64-bit
    Language: Linux Perl
    VerboseLogging: 0
    domain: mysite.com
    port: 443
    socket2Connect:
      connect2:
        connectImplicitSsl:
          clientHandshake:
            clientHandshake2:
              readHandshakeMessages:
                processAlert:
                  TlsAlert:
                    level: fatal
                    descrip: unknown certificate authority
                  --TlsAlert
                --processAlert
                Aborting handshake because of fatal alert.
              --readHandshakeMessages
            --clientHandshake2
          --clientHandshake
          Client handshake failed. (3)
        --connectImplicitSsl
        ConnectFailReason: 109
      --connect2
    --socket2Connect
    Failed.
  --GetServerSslCert
--ChilkatLog

asked Jan 18 at 09:13


titan
1


descrip: unknown certificate authority

The signer of the certificate cannot be validated on your system. Either the server has a self-signed certificate or your system doesn't have the latest server authorities available to it.


answered Jan 18 at 09:42


TracyP
1062

Thanks for your reply.

The part I'm not clear on is if my client certificate has the problem, or if it's the remote server certificate that has the 'unknown certificate authority'.

(Jan 18 at 12:04) titan

The client is unable to verify the authority of the certificate provider. This means the client doesn't have the certificate in its local store that the server's certificate was authorized through.

Which still leaves you without a clear answer. If the server was self-signed, you will never get the correct certificate into the local machine unless you specifically download it and add it. If the server and the client are internal, you should be okay to do this. If you are accessing an external server, this is a security risk.

It may be the client hasn't been updated with public authorities.

(Jan 18 at 12:23) TracyP

The GetServerSslCert method is for retrieving the server's SSL/TLS certificate. There shouldn't be a need to use a client-certificate for this purpose.

What GetServerSslCert does is to simply make a connection to the domain/port specified, and to complete the TLS handshake. Part of the TLS handshake involves the server sending its certificate to the client. If you set a client-side certificate, then Chilkat will include the client-side certificate in the TLS handshake. (But there's really no need for that in this case.) Chilkat does it, and the server examines the client certificate and doesn't like it because it doesn't know about the certificate authority, and this causes the server (or this particular server) to issue a TLS Abort message to abort the TLS handshake.

The solution for GetServerSslCert is to omit setting the client-side certificate for that call. If your app then needs to send a POST, GET, or whatever where the client cert is needed for authentication (i.e. two-way SSL/TLS), then you'll have to first sort out the problem with the fact that your cert's root is not recognized by the server. If your cert was a self-signed certificate, then the only solution is to get a cert from a cert authority.


answered Jan 18 at 12:58


chilkat ♦♦
11.8k316358421
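The two answers above turn on one question: which side of the handshake generated the "unknown certificate authority" alert. In the Chilkat log in the question, the TlsAlert block sits under readHandshakeMessages, i.e. the alert was read from the wire, so the server sent it after examining the client certificate. The following added example (not Chilkat's code, not from any poster) decodes a raw TLS alert record and walks a Chilkat-style log to report whether the alert was received from the peer or generated locally. It assumes only the log layout visible in the question (a section opens with "name:" and closes with "--name"); the sample log is a constructed, shortened copy of the one posted, and the alert code table is the RFC 5246 AlertDescription registry.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# AlertLevel / AlertDescription values from RFC 5246 section 7.2 (certificate-related subset)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}


def decode_alert_record(record: bytes) -> Tuple[str, str]:
    """Decode a raw TLS alert record: type 0x15, 2-byte version, 2-byte length, level, description."""
    if len(record) != 7 or record[0] != 0x15:
        raise ValueError("not a complete TLS alert record")
    if int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("alert payload must be exactly 2 bytes")
    level, desc = record[5], record[6]
    return (ALERT_LEVELS.get(level, f"level_{level}"),
            ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}"))


@dataclass
class AlertVerdict:
    level: str
    description: str
    received_from_peer: bool  # True: the server sent the alert; False: this client generated it
    meaning: str


_OPEN = re.compile(r"^(\w+):$")        # "TlsAlert:"  opens a nested section
_CLOSE = re.compile(r"^--(\w+)$")      # "--TlsAlert" closes it
_KV = re.compile(r"^(\w+): (.+)$")     # "descrip: unknown certificate authority"


def classify_chilkat_alert(log: str) -> Optional[AlertVerdict]:
    """Locate the TlsAlert block in a Chilkat log and say which side rejected what."""
    stack = []                      # currently open sections, outermost first
    level = descrip = None
    context = []                    # sections enclosing the alert when it was logged
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = _CLOSE.match(line)
        if m:
            if stack and stack[-1] == m.group(1):
                stack.pop()
            continue
        m = _KV.match(line)
        if m and stack and stack[-1] == "TlsAlert":
            key, value = m.groups()
            if key == "level":
                level = value
            elif key == "descrip":
                descrip = value
                context = list(stack)
    if descrip is None:
        return None
    # An alert parsed inside readHandshakeMessages came off the wire from the server.
    received = "readHandshakeMessages" in context
    if received and descrip == "unknown certificate authority":
        meaning = ("the server could not validate the certificate chain this client presented; "
                   "omit the client certificate or obtain one whose root the server trusts")
    elif received:
        meaning = f"the server aborted the handshake with '{descrip}'"
    else:
        meaning = (f"the alert '{descrip}' originated locally: this client rejected something "
                   "the server sent (for unknown_ca, the server's certificate chain)")
    return AlertVerdict(level or "unknown", descrip, received, meaning)


# Constructed sample: a trimmed copy of the log from the question above.
SAMPLE_LOG = """\
ChilkatLog:
  GetServerSslCert:
    domain: mysite.com
    port: 443
    socket2Connect:
      readHandshakeMessages:
        processAlert:
          TlsAlert:
            level: fatal
            descrip: unknown certificate authority
          --TlsAlert
        --processAlert
      --readHandshakeMessages
    --socket2Connect
    Failed.
  --GetServerSslCert
--ChilkatLog
"""

if __name__ == "__main__":
    print(decode_alert_record(bytes.fromhex("15030300020230")))  # fatal unknown_ca on the wire
    print(classify_chilkat_alert(SAMPLE_LOG))
```

The same rule of thumb applies when reading any client-side TLS log: an alert that arrives inside the "read" path was sent by the peer, so it describes the peer's verdict on what the client sent; an alert the client itself emits after validating the server's chain is the client's verdict on the server.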

Thanks Chilkat. I was trying to use GetServerSSLCert for debugging purposes, but I get the same results from $http->SynchronousRequest().

descrip: unknown certificate authority

I'm not understanding if that is the remote server rejecting my client certificate, or chilkat rejecting the server's cert.

(Jan 18 at 13:07) titan

The remote server is rejecting your client certificate.


answered Jan 18 at 13:10


chilkat ♦♦
11.8k316358421

Thanks!!!!

(Jan 18 at 13:14) titan