Error during openssl s_client connection, SSL alert number 48
I am attempting to connect to a third party via CURL/PHP mainly, but since it doesn't work, I am resorting to more verbose tools to diagnose the problem.
If I try the following, on Ubuntu 14.04 LTS:
openssl s_client -showcerts -connect secure.thirdpartyhost.com:443 -cert production_client.pem -key production_key.pem -CApath /etc/ssl/certs
It fails with this error:
CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = CA, ST = New York, L = New York, O = ThirdParty, CN = *.thirdpartyhost.com
verify return:1
139647498331808:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1262:SSL alert number 48
139647498331808:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
Is that their server signaling the error? That the error with the CA is occurring during their verification?
Thanks for your help. A mere developer, I appreciate the help of those wiser!
tlsv1 alert unknown ca
The server cannot verify the client certificate you've sent because it does not find any path to the CAs trusted by the server.
These codes - the "48" - are defined in the TLS spec, e.g. section 7.2 ("Alert Protocol") in RFC 5246. 48 is "unknown_ca" which as discussed previously means it does not recognize the signer of your client certificate.
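As an added example (not part of the original question or answers), the two error lines from the s_client output can be decoded to show which side raised each one. It assumes the OpenSSL 1.0.x error-code packing (8-bit library, 12-bit function, 12-bit reason) and that SSL reason codes of 1000 or more are alerts received from the peer; the helper name `decode_openssl_error` is hypothetical.

```python
import re

# Alert descriptions from RFC 5246 section 7.2 (certificate-related subset).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied",
}

ERR_LIB_SSL = 20             # library number OpenSSL uses for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # OpenSSL adds this to a received alert number

# <thread>:error:<code>:<library>:<function>:<reason text>:<file>:<line>:<data>
ERR_LINE = re.compile(r"^\d+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")


def decode_openssl_error(line):
    """Decode one OpenSSL 1.0.x error-queue line; None if it is not one."""
    m = ERR_LINE.match(line.strip())
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, reason = code >> 24, code & 0xFFF   # assumed 1.0.x bit layout
    info = {"function": m.group(3), "text": m.group(4), "reason": reason,
            "from_peer": False, "alert": None, "alert_name": None}
    # A reason at or above the offset means a fatal alert arrived from the peer.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        info.update(from_peer=True, alert=alert,
                    alert_name=TLS_ALERTS.get(alert, "unlisted"))
    return info


# The two error lines copied from the question's output.
SAMPLE = [
    "139647498331808:error:14094418:SSL routines:SSL3_READ_BYTES:"
    "tlsv1 alert unknown ca:s3_pkt.c:1262:SSL alert number 48",
    "139647498331808:error:140790E5:SSL routines:SSL23_WRITE:"
    "ssl handshake failure:s23_lib.c:177:",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        d = decode_openssl_error(entry)
        origin = "alert sent by the server" if d["from_peer"] else "local error"
        print(d["function"], "->", origin, d["alert"], d["alert_name"])
```

The first line decodes as an alert received from the peer, so the server rejected the client certificate; the second is the local handshake failure that follows from it.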