libcurl, ExplicitKeyTrustEngine, PKIX could provide additional debug information
Description
Debug levels for libcurl, TrustEngine.ExplicitKey and, optionally, TrustEngine.PKIX could provide additional information for troubleshooting certificate issues, including details of the incoming web server certificate for SOAP certificate validation, etc. Currently, a failure in the default TrustEngine configuration is limited to the logging below. Details of the certificate are only logged by libcurl logging if the certificate passes the X.509 verify callback.
2011-12-01 10:47:59 DEBUG XMLTooling.SOAPTransport.CURL [9]: sending SOAP message to https://<fqdn>:9443/idp/profile/SAML2/SOAP/ArtifactResolution
2011-12-01 10:47:59 DEBUG XMLTooling.libcurl [9]: About to connect() to <fqdn> port 9443
2011-12-01 10:47:59 DEBUG XMLTooling.libcurl [9]: Trying <ipaddress>...
2011-12-01 10:47:59 DEBUG XMLTooling.libcurl [9]: connected
2011-12-01 10:47:59 DEBUG XMLTooling.libcurl [9]: Connected to wls1032a.istc.agr.gc.ca (ipaddress) port 9443
2011-12-01 10:47:59 DEBUG XMLTooling.libcurl [9]: SSLv3, TLS handshake, Client hello (1):
2011-12-01 10:47:59 DEBUG XMLTooling.libcurl [9]: SSLv3, TLS handshake, Server hello (2):
2011-12-01 10:47:59 DEBUG XMLTooling.libcurl [9]: SSLv3, TLS handshake, CERT (11):
2011-12-01 10:47:59 DEBUG XMLTooling.libcurl [9]: ^K
2011-12-01 10:47:59 DEBUG XMLTooling.SOAPTransport.CURL [9]: invoking custom X.509 verify callback
2011-12-01 10:47:59 DEBUG XMLTooling.TrustEngine.ExplicitKey [9]: attempting to match credentials from peer with end-entity certificate
2011-12-01 10:47:59 DEBUG XMLTooling.TrustEngine.ExplicitKey [9]: no keys within this peer's key information matched the given end-entity certificate
2011-12-01 12:26:42 DEBUG XMLTooling.TrustEngine.PKIX [2]: checking that the certificate name is acceptable
2011-12-01 12:26:42 DEBUG XMLTooling.TrustEngine.PKIX [2]: certificate subject: CN=xxxx,OU=yyyy,O=zzzz,C=country
2011-12-01 12:26:42 DEBUG XMLTooling.TrustEngine.PKIX [2]: unable to match DN, trying TLS subjectAltName match
2011-12-01 12:26:42 DEBUG XMLTooling.TrustEngine.PKIX [2]: unable to match subjectAltName, trying TLS CN match
2011-12-01 12:26:42 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate name was not acceptable
2011-12-01 12:26:42 ERROR XMLTooling.SOAPTransport.CURL [2]: supplied TrustEngine failed to validate SSL/TLS server certificate
2011-12-01 12:26:42 DEBUG XMLTooling.libcurl [2]: SSLv3, TLS alert, Server hello (2):
2011-12-01 12:26:42 DEBUG XMLTooling.libcurl [2]: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
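
A triage sketch for the gap described above, added here as an example and not part of the XMLTooling code base: it groups log records by thread id and reports, for each failed TLS validation, which trust engines ran and whether any certificate subject was logged at all. The sample log is constructed from the message texts in the report; `idp.example.org` and the function name `failed_validations` are assumptions.

```python
import re

# Record layout in the report: "<date> <time> <LEVEL> <category> [<thread>]: <message>"
RECORD = re.compile(r"^\S+ \S+ ([A-Z]+) ([\w.]+) \[(\d+)\]: (.*)$")
FAILED = "supplied TrustEngine failed to validate SSL/TLS server certificate"
SEND, SUBJ = "sending SOAP message to ", "certificate subject: "

# Constructed sample: message texts taken from the report, host name invented.
SAMPLE = """\
2011-12-01 10:47:59 DEBUG XMLTooling.SOAPTransport.CURL [9]: sending SOAP message to https://idp.example.org:9443/idp/profile/SAML2/SOAP/ArtifactResolution
2011-12-01 10:47:59 DEBUG XMLTooling.TrustEngine.ExplicitKey [9]: no keys within this peer's key information matched the given end-entity certificate
2011-12-01 10:47:59 ERROR XMLTooling.SOAPTransport.CURL [9]: supplied TrustEngine failed to validate SSL/TLS server certificate
2011-12-01 12:26:42 DEBUG XMLTooling.SOAPTransport.CURL [2]: sending SOAP message to https://idp.example.org:9443/idp/profile/SAML2/SOAP/ArtifactResolution
2011-12-01 12:26:42 DEBUG XMLTooling.TrustEngine.PKIX [2]: certificate subject: CN=xxxx,OU=yyyy,O=zzzz,C=country
2011-12-01 12:26:42 ERROR XMLTooling.TrustEngine.PKIX [2]: certificate name was not acceptable
2011-12-01 12:26:42 ERROR XMLTooling.SOAPTransport.CURL [2]: supplied TrustEngine failed to validate SSL/TLS server certificate
2011-12-01 12:26:42 DEBUG XMLTooling.libcurl [2]: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""

def failed_validations(text):
    """Return one summary dict per failed TLS validation, correlated by thread id."""
    open_calls, failures = {}, []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # continuation lines (the OpenSSL error string) carry no thread id
        level, category, thread, msg = m.groups()
        if msg.startswith(SEND):  # a new SOAP call on this thread starts a fresh record
            open_calls[thread] = {"thread": thread, "endpoint": msg[len(SEND):],
                                  "engines": [], "subject": None, "reasons": []}
        call = open_calls.get(thread)
        if call is None:
            continue
        if category.startswith("XMLTooling.TrustEngine."):
            engine = category.rsplit(".", 1)[1]
            if engine not in call["engines"]:
                call["engines"].append(engine)
            if msg.startswith(SUBJ):
                call["subject"] = msg[len(SUBJ):]
            elif level == "ERROR" or msg.startswith("no keys within"):
                call["reasons"].append(msg)
        if msg == FAILED:
            failures.append(open_calls.pop(thread))
    return failures

if __name__ == "__main__":
    for f in failed_validations(SAMPLE):
        shown = f["subject"] or "NOT LOGGED"
        print(f["thread"], f["endpoint"], "/".join(f["engines"]), "subject:", shown)
```

A failure reported with `subject: NOT LOGGED` is the case the report describes: the rejected certificate has to be captured by other means before the mismatch can be diagnosed.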