"Peer has no certificate" entry in the EMS log file.
Article ID: KB0085223
Updated On:
| Products | Versions |
|---|---|
| TIBCO Enterprise Message Service | - |
| Not Applicable | - |
Description
Resolution:
This message is informative. You will noticed this entry when ssl_require_client_cert=disabled and the client did not provide a certificate, or ssl_server_trusted was not set correctly in the EMS main configuration file. It is optional for the EMS server to authenticate its client's identity.
ssl_require_client_cert valid values:
ssl_require_client_cert = enable | disable
===========================================
If this parameter is set to enable, the server only accepts SSL connections from clients that have digital certificates. Connections from clients without certificates are refused.
If this parameter is set to disable, then connections are accepted from clients that do not have a digital certificate.
Whether this parameter is set to enable or disable, clients that do have digital certificates are always authenticated against the certificates supplied to the ssl_server_trusted parameter.
===========================================
The following are EMS server log file sample entries.
1). Client did not provide the certificate, and ssl_require_client_cert = disabled . The client connected to the EMS server:
2014-06-11 11:29:04.511 Peer has no certificate
2014-06-11 11:29:04.511 SSL accepted cipher=RC4-SHA
2014-06-11 11:29:04.516 [anonymous@syao-dt]: Connected, connection id=6, type: queue, UTC offset=1
2). Client provided the correct certificate, no matter ssl_require_client_cert = disabled or =enabled . The client connected to the EMS server:
2014-06-11 11:30:33.697 Peer certificate:
2014-06-11 11:30:33.697 Certificate=[/C=US/ST=California/L=us-english/O=Test Company/OU=client Unit/CN=client/emailAddre
ss=client@testcompany.com]
Issuer=[/C=US/ST=California/L=us-english/O=Test Company/OU=client_root Unit/CN=client_root/emailAddress=client_root@test
company.com]
2014-06-11 11:30:33.698 Peer certificate chain:
2014-06-11 11:30:33.698 Certificate=[/C=US/ST=California/L=us-english/O=Test Company/OU=client_root Unit/CN=client_root/
emailAddress=client_root@testcompany.com]
Issuer=[/C=US/ST=California/L=us-english/O=Test Company/OU=client_root Unit/CN=client_root/emailAddress=client_root@test
company.com]
2014-06-11 11:30:33.709 SSL accepted cipher=RC4-SHA
2014-06-11 11:30:33.710 [anonymous@syao-dt]: Connected, connection id=7, type: queue, UTC offset=1
3). Client did not provide the certificate, and ssl_require_client_cert = enabled . The client can not connect to the EMS server, and the EMS server logs 362 [OpenSSL Error]
2014-06-11 11:37:01.361 SSL handshake failed: ret=-1, reason=peer did not return a certificate
2014-06-11 11:37:01.362 [OpenSSL Error]: file=ossl.c, line=1622
2014-06-11 11:37:01.362 2:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:.\ss
l\s3_srvr.c:2586:
4). ssl_server_trusted is not set, no matter ssl_require_client_cert = disabled or =enabled .
2014-06-11 11:41:53.567 SSL verify error 19: self signed certificate in certificate chain, cert=/C=US/ST=California/L=us
-english/O=Test Company/OU=client_root Unit/CN=client_root/emailAddress=client_root@testcompany.com
2014-06-11 11:41:53.568 Verify error: self signed certificate in certificate chain
2014-06-11 11:41:53.568 [OpenSSL Error]: file=ossl.c, line=1622
2014-06-11 11:41:53.568 2:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:.\ssl\s3_srvr.
c:2597:
5). ssl_server_trusted is not set to the correct root CA, ssl_require_client_cert = enabled .
2014-06-11 11:43:29.189 SSL handshake failed: ret=-1, reason=peer did not return a certificate
2014-06-11 11:43:29.190 [OpenSSL Error]: file=ossl.c, line=1622
2014-06-11 11:43:29.190 2:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:.\ss
l\s3_srvr.c:2586:
6). ssl_server_trusted is not set to the correct root CA, ssl_require_client_cert = disabled .
2014-06-11 11:51:29.496 Peer has no certificate
2014-06-11 11:51:29.496 SSL accepted cipher=RC4-SHA
2014-06-11 11:51:29.501 [anonymous@syao-dt]: Connected, connection id=3, type: queue
ssl_require_client_cert = enable | disable
===========================================
If this parameter is set to enable, the server only accepts SSL connections from clients that have digital certificates. Connections from clients without certificates are refused.
If this parameter is set to disable, then connections are accepted from clients that do not have a digital certificate.
Whether this parameter is set to enable or disable, clients that do have digital certificates are always authenticated against the certificates supplied to the ssl_server_trusted parameter.
===========================================
The following are EMS server log file sample entries.
1). Client did not provide the certificate, and ssl_require_client_cert = disabled . The client connected to the EMS server:
2014-06-11 11:29:04.511 Peer has no certificate
2014-06-11 11:29:04.511 SSL accepted cipher=RC4-SHA
2014-06-11 11:29:04.516 [anonymous@syao-dt]: Connected, connection id=6, type: queue, UTC offset=1
2). Client provided the correct certificate, no matter ssl_require_client_cert = disabled or =enabled . The client connected to the EMS server:
2014-06-11 11:30:33.697 Peer certificate:
2014-06-11 11:30:33.697 Certificate=[/C=US/ST=California/L=us-english/O=Test Company/OU=client Unit/CN=client/emailAddre
ss=client@testcompany.com]
Issuer=[/C=US/ST=California/L=us-english/O=Test Company/OU=client_root Unit/CN=client_root/emailAddress=client_root@test
company.com]
2014-06-11 11:30:33.698 Peer certificate chain:
2014-06-11 11:30:33.698 Certificate=[/C=US/ST=California/L=us-english/O=Test Company/OU=client_root Unit/CN=client_root/
emailAddress=client_root@testcompany.com]
Issuer=[/C=US/ST=California/L=us-english/O=Test Company/OU=client_root Unit/CN=client_root/emailAddress=client_root@test
company.com]
2014-06-11 11:30:33.709 SSL accepted cipher=RC4-SHA
2014-06-11 11:30:33.710 [anonymous@syao-dt]: Connected, connection id=7, type: queue, UTC offset=1
3). Client did not provide the certificate, and ssl_require_client_cert = enabled . The client can not connect to the EMS server, and the EMS server logs 362 [OpenSSL Error]
2014-06-11 11:37:01.361 SSL handshake failed: ret=-1, reason=peer did not return a certificate
2014-06-11 11:37:01.362 [OpenSSL Error]: file=ossl.c, line=1622
2014-06-11 11:37:01.362 2:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:.\ss
l\s3_srvr.c:2586:
4). ssl_server_trusted is not set, no matter ssl_require_client_cert = disabled or =enabled .
2014-06-11 11:41:53.567 SSL verify error 19: self signed certificate in certificate chain, cert=/C=US/ST=California/L=us
-english/O=Test Company/OU=client_root Unit/CN=client_root/emailAddress=client_root@testcompany.com
2014-06-11 11:41:53.568 Verify error: self signed certificate in certificate chain
2014-06-11 11:41:53.568 [OpenSSL Error]: file=ossl.c, line=1622
2014-06-11 11:41:53.568 2:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:.\ssl\s3_srvr.
c:2597:
5). ssl_server_trusted is not set to the correct root CA, ssl_require_client_cert = enabled .
2014-06-11 11:43:29.189 SSL handshake failed: ret=-1, reason=peer did not return a certificate
2014-06-11 11:43:29.190 [OpenSSL Error]: file=ossl.c, line=1622
2014-06-11 11:43:29.190 2:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:.\ss
l\s3_srvr.c:2586:
6). ssl_server_trusted is not set to the correct root CA, ssl_require_client_cert = disabled .
2014-06-11 11:51:29.496 Peer has no certificate
2014-06-11 11:51:29.496 SSL accepted cipher=RC4-SHA
2014-06-11 11:51:29.501 [anonymous@syao-dt]: Connected, connection id=3, type: queue
Issue/Introduction
"Peer has no certificate" entry in the EMS log file.
Feedback
Yes
No
Powered by
