Hi Satya,
Is this issue related to the one described in your previous email “[mbed-tls] EAP TLS - TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)”?
Kind regards, Janos
Hi Janos,
Yes, it's related to the same issue as mentioned in my previous email.
Is there any specific information required from our side - please let me know in which scenarios "Unknown CA" would be returned?
Regards, Prakash
On Fri, Apr 12, 2024 at 9:10 PM Janos Follath Janos.Follath@arm.com wrote:
Hi Satya,
Is this issue related to the one described in your previous email “[mbed-tls] EAP TLS - TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Unknown CA)”?
Kind regards,
Janos
*From:* Satya Prakash Prasad satyaprakash.developer.unix@gmail.com
*Date:* Friday, 12 April 2024 at 16:27
*To:* Janos Follath Janos.Follath@arm.com
*Subject:* Re: [mbed-tls] CA Unknown Certificate
Hi Janos,
Kindly note that I have already provided the same in my initial email. Please refer to it for your reference:
Please note that we need to give a different CN value for the Root and the Server / Client (since I am trying to get a mutually trusted certificate). You can also verify the same in the below way:
*First console:*
# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_error -Verify 1
verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT

*Second console:*
# touch test.txt
# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_error -Verify 1
verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT

*On the first console we receive:*
# openssl s_server -cert crt1/server.crt -key crt1/server.key -WWW -port 12345 -CAfile crt1/trusted_ca.eap.pem -verify_return_error -Verify 1
verify depth is 1, must return a certificate
Using default temp DH parameters
ACCEPT
*depth=1 C = US, ST = CA, L = Somewhere, O = Someone, CN = FoobarCA*
*verify return:1*
*depth=0 C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar*
*verify return:1*
*FILE:test.txt*
*Root CA Key*
# openssl genrsa -des3 -out ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key.pem: ^1234^
Verifying - Enter pass phrase for ca.key.pem: ^1234^

*Server Private Key*
# openssl genrsa -out server.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
.................................................................................................+++++
e is 65537 (0x010001)

*Client Private Key*
# openssl genrsa -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
..........................+++++
e is 65537 (0x010001)

*Root CA Certificate from Root CA Key*
# openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=FoobarCA
Enter pass phrase for ca.key.pem: ^1234^

*Server CSR & Certificate from Server Private Key*
# openssl req -new -sha256 -key server.key.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out server.csr
# openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem: ^1234^

*Client CSR & Certificate from Client Private Key*
# openssl req -new -sha256 -key client.key.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out client.csr
# openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem: ^1234^
Regards, Prakash
On Fri, Apr 12, 2024 at 5:55 PM Janos Follath Janos.Follath@arm.com wrote:
Hi Prakash,
Thank you for sharing the details about how you generated the certificates. Could you please share the command line for the server and the client as well?
Kind regards,
Janos
*From:* Satya Prakash Prasad via mbed-tls <mbed-tls@lists.trustedfirmware.org>
*Date:* Friday, 12 April 2024 at 05:03
*To:* mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>
*Subject:* [mbed-tls] CA Unknown Certificate
Hi,
Please note that while using Mbed TLS 3.6.0, when we are trying to verify a server / client connection using self-signed mutually trusted certificates, we are always getting a "CA Unknown Certificate" error code 46 alert message.
Root CA Key
# openssl genrsa -des3 -out ca.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
....+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key.pem: ^1234^
Verifying - Enter pass phrase for ca.key.pem: ^1234^

Server Private Key
# openssl genrsa -out server.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................+++++
.................................................................................................+++++
e is 65537 (0x010001)

Client Private Key
# openssl genrsa -out client.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................+++++
..........................+++++
e is 65537 (0x010001)

Root CA Certificate
# openssl req -x509 -new -nodes -key ca.key.pem -sha256 -days 365 -out ca.cert.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=FoobarCA
Enter pass phrase for ca.key.pem: ^1234^

Server CSR & Certificate
# openssl req -new -sha256 -key server.key.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out server.csr
# openssl x509 -req -in server.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out server.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem: ^1234^

Client CSR & Certificate
# openssl req -new -sha256 -key client.key.pem -subj /C=US/ST=CA/L=Somewhere/O=Someone/CN=Foobar -out client.csr
# openssl x509 -req -in client.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out client.cert.pem -days 365 -sha256
Signature ok
subject=C = US, ST = CA, L = Somewhere, O = Someone, CN = Foobar
Getting CA Private Key
Enter pass phrase for ca.key.pem: ^1234^
So we have used the Root CA Certificate as the trusted certificate, but during the handshake steps we see the client reporting a "Certificate Unknown" alert (error message 46):
TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
    Description: Certificate Unknown (46)
Can you please let us know what we are doing wrong in creating the certificates, or whether it could also be some wrong steps / configuration while compiling the 3.6.0 release?
Regards, Prakash
--
mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
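Added example, not code from this thread or from the Mbed TLS project: a POSIX shell script that rebuilds the three-certificate PKI from the openssl commands quoted above (FoobarCA signing a server leaf and a client leaf, both CN=Foobar) without interactive prompts, then checks offline with `openssl verify` the same thing a TLS peer checks during the handshake, namely that each leaf chains to the configured trust anchor, and that the anchor asserts basicConstraints CA:TRUE. It also builds a second, unrelated FoobarCA and shows that the server certificate does not verify against it: same subject name, different key, so it is a different trust anchor, which is the situation a peer reports with a fatal alert when it was handed the wrong ca.cert.pem. Assumptions: an `openssl` binary (1.1.1 or 3.x) on PATH, the CA passphrase supplied as `pass:1234` in place of the `^1234^` prompt, and `mktemp` work directories; the script file name `pki_check.sh` is also assumed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread, not Mbed TLS code).
# Rebuilds the thread's PKI non-interactively and verifies the chain
# offline before any TLS client/server is started.
# Assumed: openssl 1.1.1 or 3.x on PATH; pass:1234 replaces the ^1234^ prompt.
set -eu

SUBJ_BASE="/C=US/ST=CA/L=Somewhere/O=Someone"

# Same commands as in the thread, written into directory $1.
make_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -des3 -passout pass:1234 -out "$dir/ca.key.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key.pem" -passin pass:1234 -sha256 -days 365 \
        -subj "$SUBJ_BASE/CN=FoobarCA" -out "$dir/ca.cert.pem"
    for who in server client; do
        openssl genrsa -out "$dir/$who.key.pem" 2048 2>/dev/null
        openssl req -new -sha256 -key "$dir/$who.key.pem" \
            -subj "$SUBJ_BASE/CN=Foobar" -out "$dir/$who.csr"
        openssl x509 -req -in "$dir/$who.csr" -CA "$dir/ca.cert.pem" \
            -CAkey "$dir/ca.key.pem" -passin pass:1234 -CAcreateserial \
            -days 365 -sha256 -out "$dir/$who.cert.pem" 2>/dev/null
    done
}

# Exit 0 if leaf $1 chains to a trust anchor in $2, non-zero otherwise.
# Chain building matches the leaf's issuer name to the anchor's subject and
# then checks the signature with the anchor's key; the leaf's own CN plays
# no part in this step, so server and client may both be CN=Foobar.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 if certificate $1 asserts basicConstraints CA:TRUE. RFC 5280 path
# validation requires it on CA certificates, and some validators also
# reject a v3 trust anchor that lacks it, so check the anchor explicitly.
is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Print subject/issuer of every certificate in $1, to compare against the
# depth=N lines a TLS tool prints during verification.
describe() {
    for f in "$1"/ca.cert.pem "$1"/server.cert.pem "$1"/client.cert.pem; do
        printf '%s\n' "$f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

demo() {
    good=$(mktemp -d)
    other=$(mktemp -d)
    make_pki "$good"
    make_pki "$other"   # a second FoobarCA: identical name, unrelated key
    describe "$good"
    is_ca "$good/ca.cert.pem" && echo "CA cert carries basicConstraints CA:TRUE"
    chain_ok "$good/server.cert.pem" "$good/ca.cert.pem" && echo "server chains to its CA"
    chain_ok "$good/client.cert.pem" "$good/ca.cert.pem" && echo "client chains to its CA"
    # Wrong trust anchor: same subject name, different key, verification fails.
    if chain_ok "$good/server.cert.pem" "$other/ca.cert.pem"; then
        echo "unexpected: server verified against an unrelated CA"
    else
        echo "server does not chain to a different FoobarCA (expected)"
    fi
}

if [ "${1:-}" = "run" ]; then
    demo
fi
```

Run it as `sh pki_check.sh run`. If `openssl verify` already fails here, the defect is in the PKI and no TLS library will accept the chain; if it passes, the next thing to compare is which CA file each side of the handshake was actually configured with, since two CAs with the same subject name but different keys are distinct trust anchors. Which verification failure a library maps to which alert code is implementation-specific, so the alert name alone ("Certificate Unknown" or "Unknown CA") does not identify the cause.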