OpenSSL – Understanding ‘connected(00000005)’ and ‘verify return:1’ in s_client Command

openssl

I am trying to test icinga2 client and server connectivity with openssl command and I am using a command like following line in client

openssl s_client -CAfile /var/lib/icinga2/certs/ca.crt  -cert  /var/lib/icinga2/certs/<client>.crt -key  /var/lib/icinga2/client.key  -connect icinga_server.domain.com:5665

and I am getting an output like

CONNECTED(00000005)
depth=1 CN = Icinga CA
verify return:1
depth=0 CN = icinga_server.domain.com
verify return:1

My question is what does CONNECTED(00000005) and verify return:1 means ?

It must be CONNECTED(00000003) according to icinga2 documentation. I do not know what is the difference between CONNECTED(00000005) and CONNECTED(00000003)

Thanks

Best Answer

The number after the "CONNECTED" string is the file descriptor of the opened socket (as returned by the socket() system call), so you can safely ignore it. "verify return:1" means that the certificate is OK.

Related Solutions

Ssl – Generating SSL certificates

Create Root CA (self-signed):

Let's have a look at the options in detail:

x509 identifies that a certificate is required, rather than just a certificate request (see below).
days 30000 sets the certificate to expire in a 30000 days. You may want to extend this period. Make a note of the expiry date so that you can renew it when necessary!
sha1 specifies that SHA1 encryption should be used. rsa:2048 sets the key as 2048 bit RSA.
nodes specifies no passphrase.
keyout and -out specify where to store the certificate and key. The key should be root-readable only; the certificate can be world-readable, and must be readable by the user that Apache runs as.
subj flag sets the company name, department name, and the web site address. If you leave these out, you'll be prompted for them. The CN must be the same as the address of your web site, otherwise the certificate won't match and users will receive a warning when connecting. Make sure you don't use a challenge password.

Create it :

sudo openssl req -x509 -nodes -newkey rsa:2048 -sha1 -keyout rootkey.key -out rootca.crt -passin pass:root -days 30000 -subj "/C=DU/ST=Dubai/L=TownCenter/O=AmesCom/CN=AmesCom Int" -config openssl.cnf.my

Encrypt the key manually :

key is not encrypted because of -nodes option , so we encrypt it manually :

sudo cp rootkey.key rootkey.key.org

sudo openssl rsa -in rootkey.key.org -out rootkey.key

Test it :

for testing immediately , you may follow two ways :

openssl x509 -text -noout -in rootca.crt

or examine its contents on browser :

cp rootca.crt /var/www/html/

from browser ask for address :

http://yourserverdomain/rootca.crt

Now you can create certificate requests and sign them with this self-signed certificate

CentOS 5 – Adding Root Certificate to CentOS 5

In CentOS 5 trusted certificates are located in /etc/pki/tls/certs/ca-bundle.crt. Simply append your new trusted cert to this file.

This is answer to your question how to add new cert. But propably this will not resolve your problem. It's highly possibly that your proxy cert (CN name) will not match you service CN.

Best Answer

Related Solutions

Ssl – Generating SSL certificates

CentOS 5 – Adding Root Certificate to CentOS 5

Related Topic