"XCOMU0780E Txpi  316: TxpiSSL peer certificate: Certificate verification failed"

Article ID: 133927

Products

XCOM Data Transport, XCOM Data Transport - Linux PC

Issue/Introduction

When configuring XCOM for UNIX to use SSL, the following error is reported:

XCOMU0780E Txpi  316: TxpiSSL peer certificate: Certificate verification failed (DNS name does not match) error 5:

Environment

XCOM™ Data Transport® for UNIX/Linux PC

Cause

This is a configuration problem in configssl.cnf. Machine verification is enabled:

# Mandatory, YES/NO
[VERIFY_MACHINE]
INITIATE_SIDE = YES
RECEIVE_SIDE = YES

but the actual DNS name or host name was not defined in the certificates or in configssl.cnf.

Resolution

To use "machine verification" with SSL as configured above, you must generate the certificates with a valid DNS name and specify that name in configssl.cnf as the HOST_NAME.

If using the XCOM sample certificates:

  1. Remove your existing certificates.
  2. Modify cassl.conf. Two sections in the file must be changed:
    1. [ SSL_client_extensions ]
    2. [ SSL_server_extensions ]
  3. In those sections, modify the line "subjectAltName = email:copy,DNS:hostname.com", specifically the DNS part. Put the actual, valid DNS name of the client and then of the server.

Note: You have to specify actual names.

If you don't want "machine" verification, then turn off the parameter in the configssl.cnf.
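
After regenerating the certificates, the DNS entry in the subjectAltName can be checked with the openssl command line before XCOM is restarted. The script below is an added example, not part of the original article or of the XCOM product: it builds a throwaway certificate from a constructed config that sets subjectAltName the way the cassl.conf sections do (without the email:copy part), lists its DNS entries, and tests a host name against them. The script name, file names and the host name xcomsrv.example.com are assumptions, and the check is OpenSSL's standard host name matching, which is assumed to agree with XCOM's machine verification.

```shell
#!/usr/bin/env bash
# Added example: check that a certificate's subjectAltName carries the DNS name
# used for machine verification. All file and host names here are constructed.

# make_sample_cert DIR DNSNAME
# Builds a throwaway self-signed certificate whose SAN comes from a config
# section named like the one in cassl.conf (constructed sample, not the real file).
make_sample_cert() {
    dir=$1; name=$2
    cat > "$dir/sample.conf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = constructed-sample
[ SSL_server_extensions ]
subjectAltName = DNS:$name
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/sample.conf" -extensions SSL_server_extensions \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# san_dns_names CERT
# Prints every DNS entry of the certificate's subjectAltName, one per line.
san_dns_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_matches_host CERT HOST
# Succeeds only when HOST is covered by the certificate. The output of
# -checkhost is parsed because openssl x509 exits 0 on a mismatch as well.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Stand-alone use (hypothetical script name): ./check_san.sh cert.pem host.name
if [ "$#" -eq 2 ]; then
    san_dns_names "$1"
    cert_matches_host "$1" "$2" && echo "MATCH: $2" || echo "MISMATCH: $2"
fi
```

A certificate that still lists the sample value hostname.com, or no DNS entry at all, reports a mismatch for the real HOST_NAME.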