On Wed, Mar 5, 2025 at 9:53 AM Windl, Ulrich <[email protected]> wrote:
>
> After „playing“ for a significant time with certificate authentication, I managed
> to authenticate one user. However, when I tried to authenticate a different
> user with a similar certificate, I see a
>
> TLS trace: SSL3 alert read:fatal:unsupported certificate
>
> error. Can I get some details about the “unsupportedness” of my certificate?
> The only thing I could think of is that the uid of the newer certificate has a CN
> that is three characters longer than the one that worked.
>
Have a look at the cert using OpenSSL and the x509 subcommand:
$ openssl x509 -in .../rsyslog/contrib/gnutls/ca.pem -inform PEM -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = DE, O = rsyslog test root CA, OU = CA, CN = rsyslog-test-root-ca
        Validity
            Not Before: May 20 12:58:12 2008 GMT
            Not After : May 18 12:58:24 2018 GMT
        Subject: C = DE, O = rsyslog test root CA, OU = CA, CN = rsyslog-test-root-ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:c3:6b:3e:57:e5:82:2b:b8:f1:f4:c2:e9:0c:3e:
                    29:3b:c4:82:aa:ae:90:9c:af:c1:a6:db:ca:33:e6:
                    1e:06:b5:7d:b9:dd:e5:ab:a6:20:6e:93:66:bf:7f:
                    f0:8a:0e:37:ae:aa:68:96:a9:3b:3d:d0:f1:4d:6f:
                    e6:75:73:e6:33:bd:a8:2a:bf:cd:15:cd:9c:03:23:
                    84:5c:af:09:4d:68:aa:c1:cf:ff:57:8a:8c:02:72:
                    85:7c:b3:b1:af:57:6b:ed:64:43:d2:4e:13:73:cf:
                    81:58:93:10:8c:bd:b3:98:65:e2:48:61:05:61:66:
                    08:14:72:e6:9d:7e:19:83:23
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                33:61:04:20:52:6D:18:2C:D7:5A:AC:99:DC:D9:CD:4B:C5:85:42:94
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        b8:65:ad:1f:b2:64:a5:ad:27:fe:2c:ea:43:97:5d:0d:03:ff:
        2d:3e:ad:6a:2b:c2:c2:5a:44:60:45:3d:6a:e9:a9:40:f5:96:
        c6:d6:32:c0:a6:8f:45:f3:35:25:33:0b:02:26:1d:f0:c4:bb:
        4c:9f:13:61:1b:ef:47:7d:98:d3:66:3e:3a:15:e7:d7:5c:44:
        46:45:af:05:3d:8c:f7:2c:ea:5f:a8:43:7d:1b:9e:37:b4:53:
        7c:f5:ac:7e:6f:cd:05:35:68:8f:38:da:10:27:13:15:e9:d9:
        89:de:cf:0b:92:62:15:b7:14:e8:f4:94:31:9e:3d:fc:93:e1:
        c4:0a
> A more complete trace for ldapwhoami would look like this:
>
> …
> ldap_parse_result
> ber_scanf fmt ({iAA) ber:
> ber_scanf fmt (}) ber:
> ldap_msgfree
> TLS trace: SSL_connect:before SSL initialization
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> TLS trace: SSL_connect:SSLv3/TLS write client hello
> TLS trace: SSL_connect:SSLv3/TLS read server hello
> TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
> TLS trace: SSL_connect:SSLv3/TLS read server certificate request
> TLS certificate verification: depth: 2, err: 0, subject: /…. Root-CA (2018), issuer: /… Root-CA (2018)
> TLS certificate verification: depth: 1, err: 0, subject: /… Host-CA (2018), issuer: /… Root-CA (2018)
> TLS certificate verification: depth: 0, err: 0, subject: /… FQHN, issuer: /… Host-CA (2018)
> TLS trace: SSL_connect:SSLv3/TLS read server certificate
> TLS trace: SSL_connect:TLSv1.3 read server certificate verify
> TLS trace: SSL_connect:SSLv3/TLS read finished
> TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
> TLS trace: SSL_connect:SSLv3/TLS write client certificate
> TLS trace: SSL_connect:SSLv3/TLS write certificate verify
> TLS trace: SSL_connect:SSLv3/TLS write finished
> ldap_sasl_interactive_bind: user selected: EXTERNAL
> ldap_int_sasl_bind: EXTERNAL
> ldap_int_sasl_open: host=FQHN
> SASL/EXTERNAL authentication started
> ldap_sasl_bind
> ldap_send_initial_request
> ldap_send_server_request
> ber_scanf fmt ({it) ber:
> ber_scanf fmt ({i) ber:
> ber_flush2: 26 bytes to sd 3
> ldap_msgfree
> ldap_result ld 0x56432476ac30 msgid 2
> wait4msg ld 0x56432476ac30 msgid 2 (infinite timeout)
> wait4msg continue ld 0x56432476ac30 msgid 2 all 1
> ** ld 0x56432476ac30 Connections:
> * host: FQHN port: 389 (default)
> * from: IP=172.20.16.36:57868
> refcnt: 2 status: Connected
> last used: Wed Mar 5 15:42:03 2025
>
> ** ld 0x56432476ac30 Outstanding Requests:
> * msgid 2, origid 2, status InProgress
> outstanding referrals 0, parent count 0
> ld 0x56432476ac30 request count 1 (abandoned 0)
> ** ld 0x56432476ac30 Response Queue:
> Empty
> ld 0x56432476ac30 response count 0
> ldap_chkResponseList ld 0x56432476ac30 msgid 2 all 1
> ldap_chkResponseList returns ld 0x56432476ac30 NULL
> ldap_int_select
> read1msg: ld 0x56432476ac30 msgid 2 all 1
> ber_get_next
> TLS trace: SSL3 alert read:fatal:unsupported certificate
> ber_get_next failed, errno=0.
> ldap_err2string
> ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
> …
Jeff
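A small shell script, added here as an illustration and not taken from the thread or from OpenLDAP, that wraps the openssl x509 / openssl verify commands suggested above to report the fields a server checks before accepting a client certificate, so a working and a failing certificate can be compared field by field. The function names and the report layout are my own; it assumes the openssl CLI (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added illustration, not code from the thread: extract from a client
# certificate the fields a TLS server checks before accepting it for client
# authentication, so a working and a failing certificate can be compared.

# Subject CN as the server sees it (RFC 2253 order); the report prints it
# with its length so the "CN is three characters longer" idea can be checked.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Signature algorithm of the certificate (first occurrence in the dump).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Public key size in bits; modern TLS stacks refuse small RSA keys.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Exit status 0 if extendedKeyUsage includes clientAuth, 1 otherwise.
# A certificate issued for servers only cannot be used for client auth.
cert_has_client_auth_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -q 'TLS Web Client Authentication'
}

# Let OpenSSL judge the certificate for the client purpose against the CA
# bundle the server trusts; its error text names the concrete reason.
cert_verify_client_purpose() {
    openssl verify -purpose sslclient -CAfile "$2" "$1"
}

# One report block per certificate given on the command line.
report() {
    for c in "$@"; do
        cn=$(cert_subject_cn "$c")
        printf '%s\n  CN: %s (%d chars)\n  sig: %s\n  key: %s bit\n  clientAuth EKU: %s\n' \
            "$c" "$cn" "${#cn}" "$(cert_sig_alg "$c")" "$(cert_key_bits "$c")" \
            "$(cert_has_client_auth_eku "$c" && echo yes || echo no)"
    done
}
```

Run `report working.pem failing.pem` to see the two side by side, and `cert_verify_client_purpose failing.pem ca.pem` for OpenSSL's own verdict on the purpose check.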