self-signed certificate won't work in my app but works with s_client

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



"error 18:self signed certificate" is the expected result if you are
validating a self-signed cert.

In certificate verification, the code needs to check for X509_V_OK,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
and  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

X509_V_OK is a normal cert verification and the connection can
proceed.  X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
indicates that an otherwise valid cert has been processed, but the issuer
is unknown.  X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT indicates that a
self-signed cert was read.  Any other return value is a fatal error
(signature failure etc).

Matthew


On 1 July 2016 at 05:34, Carl Heyendal <cheyendal at fortinet.com> wrote:

> I am working with the example apps in the "Networking Security with
> OpenSSL" book and up until now have been able to get client/server examples
> 1,2,3 to work. But now I'm trying to connect to an in-house tool but I'm
> getting the error "error 18:self signed certificate". Despite this error
> when I run my app (essentially client3), when I use s_client with the very
> same credentials...it works.
>
> I suspect that it has something to do with the ssl/tls api combination
> that I use in my 'client3' app.
>
> Here's the command and output for s_client that connects to the in-house
> tool which works:
>
>     > openssl s_client -connect 192.168.1.99:16001 -CAfile
> ../_security/SipInspector/certificate.pem -key ../_security/client.pem
>       Enter pass phrase for ../_security/client.pem:
>       CONNECTED(00000003)
>       depth=0 C = CA, ST = Ontario, L = Ottawa, O = SIP Inspector Ltd, OU
>  =     Development, CN = 192.168.1.99
>       verify return:1
>       ---
>       Certificate chain
>        0 s:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
> Ltd/OU=Development/CN=192.168.1.99
>          i:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
> Ltd/OU=Development/CN=192.168.1.99
>       ---
>       Server certificate
>       -----BEGIN CERTIFICATE-----
>       MIIFxTCCA62gAwIBAgIJALKQ3J5SEyjPMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV
>       BAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2ExGjAYBgNV
>         (snip)
>       pt/q5/gKqRFbjyL0LDNz49vaSUYvbu3mgF2480Or4X+GPwemwdxJaF1pQw4C1WaF
>       RyfVjDrLNhTvv+zKCbEPyrjXCweNVRVcp8lZ8R0HmXwfgevlCNz/GQo=
>       -----END CERTIFICATE-----
>       subject=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
> Ltd/OU=Development/CN=192.168.1.99
>       issuer=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
> Ltd/OU=Development/CN=192.168.1.99
>       ---
>       No client certificate CA names sent
>       ---
>       SSL handshake has read 2309 bytes and written 509 bytes
>       ---
>       New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
>       Server public key is 4096 bit
>       Secure Renegotiation IS supported
>       Compression: NONE
>       Expansion: NONE
>       SSL-Session:
>           Protocol  : TLSv1.2
>           Cipher    : ECDHE-RSA-DES-CBC3-SHA
>           Session-ID:
>  5755C781D91CF3177DF624EA3599EE430DAB4790F325FAD9378FEAE7731C4497
>           Session-ID-ctx:
>           Master-Key:
> D149008E43E29D658D29418C9F770B3D6018B1D7CA2F493027B0AC7C3BA8E53B572B68C371153568B8988A1E5F351839
>           Key-Arg   : None
>           PSK identity: None
>       PSK identity hint: None
>           SRP username: None
>           Start Time: 1465239425
>           Timeout   : 300 (sec)
>           Verify return code: 0 (ok)
>        ---
>
>
> Here's the command and output when I run my app that tries to connect to
> the same in-house tool which fails:
>
>     > ./client3 192.168.1.99
>     Enter PEM pass phrase:
>     connecting to 192.168.1.99:16001
>      -Error with certificate at depth: 0
>        issuer   = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
> Ltd/OU=Development   /CN=192.168.1.99
>        subject  = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector
> Ltd/OU=Development/CN=192.168.1.99
>        err 18:self signed certificate
>      ** client3.c:94 Error connecting SSL object
>     139788992993088:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:s3_clnt.c:1180:
>     >
>
> Here are the api's I call in the my app that utilize the same credentials
> used by the s_client command:
>
>  SSL_CTX_new(SSLv23_method());
>  SSL_CTX_load_verify_locations(ctx,
> "../_security/SipInspector/certificate.pem", NULL)
>  SSL_CTX_use_PrivateKey_file(ctx, "../_security/client.pem",
> SSL_FILETYPE_PEM)
>  SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
>  SSL_CTX_set_verify_depth(ctx, 4);
>  SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
>
> And also I used the openssl verify command to double check the certificate
> against itself (not sure if this really does anything).
>
> Any help would be appreciated.
>
>
>
> Carl Heyendal | Software Developer
> 1826 Robertson Road | Ottawa, ON K2H 5Z6 | CANADA
> Office: +1 613-725-2980 x149
>
>
>
>
>
> ***  Please note that this message and any attachments may contain
> confidential and proprietary material and information and are intended only
> for the use of the intended recipient(s). If you are not the intended
> recipient, you are hereby notified that any review, use, disclosure,
> dissemination, distribution or copying of this message and any attachments
> is strictly prohibited. If you have received this email in error, please
> immediately notify the sender and destroy this e-mail and any attachments
> and all copies, whether electronic or printed. Please also note that any
> views, opinions, conclusions or commitments expressed in this message are
> those of the individual sender and do not necessarily reflect the views of
> Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and
> only a writing manually signed by Fortinet's General Counsel can be a
> binding commitment of Fortinet to Fortinet's customers or partners. Thank
> you. ***
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160701/f24f405f/attachment.html>


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux