Frank Matthieß [2004-10-05 14:20 CEST]:
> Vlada Macek [2004-10-05 12:12 CEST]:
[...]
> >
> > Try searching for "unsupported certificate purpose" on Google and on
> > Google Groups. This error string can be found on the OpenSSL verify man
> > page. Try to test your certificate with the command
> >
> > openssl verify -purpose <purpose>
>
> Thanks for this hint.
>
> I checked that on my side with "openssl verify -CAfile cacerts/ianios_firewall_systeme-cacert.pem
> -purpose sslclient -verbose certs/frank\@matthiess.de-cert.pem" and the
> response is "certs/frank@xxxxxxxxxxxxxxxxxxxxx: OK"
>
> The other side is actually not available, because it's a dial-in. But my
> check with my local copies of those certs is also ok. But this is a
> different openssl version, so I will test this on the remote side and
> report that to this list.

sys00005:/etc/openvpn# openssl verify \
-CAfile cacerts/ianios_firewall_systeme-cacert.pem \
-purpose sslserver -verbose \
certs/ralf.koenig\@lrcsystem.de-cert.pem
certs/ralf.koenig@xxxxxxxxxxxxxxxxxxxxx: OK

I copied my certs vice versa to the nodes and checked this with the running
openssl version. This is also ok.

Should the node which is the tls-client have a certificate with sslclient
purpose? If I check with -purpose sslclient I get the described error
messages from openssl.

Frank.
--
Frank Matthieß
Unix : Your rifle, your bullet, your feet, your choice.
Windows: Same as Unix, but no choice.
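
The `-purpose` check used in this thread, reproduced on a throwaway PKI as an added example (not part of the original message). The CA, the three leaf certificates and their extension values are constructed for the demo, and it assumes the OpenSSL 1.1.1 or later command-line tool; it shows how `extendedKeyUsage` decides whether `openssl verify` accepts a certificate as `sslserver` or `sslclient`.

```shell
#!/bin/sh
# Constructed throwaway PKI; every file and subject name below is invented.
# Assumes the OpenSSL 1.1.1+ command-line tool.

# issue NAME EXTENSION-LINE SIGNING-OPTIONS...
# Creates NAME.key and NAME.pem carrying exactly the one given extension.
issue() {
    name=$1; ext=$2; shift 2
    printf '%s\n' "$ext" > "$name.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$name.csr" -days 1 -extfile "$name.ext" \
        -out "$name.pem" "$@" 2>/dev/null
}

# Build the CA and three leaves; run inside an empty scratch directory.
build_pki() {
    issue ca 'basicConstraints=critical,CA:TRUE' -signkey ca.key || return 1
    set -- -CA ca.pem -CAkey ca.key -CAcreateserial
    issue server 'extendedKeyUsage=serverAuth' "$@" &&
    issue client 'extendedKeyUsage=clientAuth' "$@" &&
    # No extendedKeyUsage at all: the purpose is left unrestricted.
    issue plain 'keyUsage=digitalSignature,keyEncipherment' "$@"
}

# check CERT PURPOSE: prints "ok", or "rejected" when verification fails
# (for a purpose mismatch OpenSSL reports "unsupported certificate purpose").
check() {
    if openssl verify -CAfile ca.pem -purpose "$2" "$1.pem" >/dev/null 2>&1
    then echo ok
    else echo rejected
    fi
}

# Print the full certificate x purpose matrix.
matrix() {
    for cert in server client plain; do
        for purpose in sslserver sslclient; do
            echo "$cert $purpose $(check "$cert" "$purpose")"
        done
    done
}

work=$(mktemp -d) && cd "$work" && build_pki && matrix
```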