"error 18:self signed certificate" is the expected result if you are validating a self-signed cert. In certificate verification, the code needs to check for X509_V_OK, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY. X509_V_OK is a normal cert verification and the connection can proceed. X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY indicates that an otherwise valid cert has been processed, but the issuer is unknown. X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT indicates that a self-signed cert was read. Any other return value is a fatal error (signature failure etc). Matthew On 1 July 2016 at 05:34, Carl Heyendal <cheyendal at fortinet.com> wrote: > I am working with the example apps in the "Networking Security with > OpenSSL" book and up until now have been able to get client/server examples > 1,2,3 to work. But now I'm trying to connect to an in-house tool but I'm > getting the error "error 18:self signed certificate". Despite this error > when I run my app (essentially client3), when I use s_client with the very > same credentials...it works. > > I suspect that it has something to do with the ssl/tls api combination > that I use in my 'client3' app. > > Here's the command and output for s_client that connects to the in-house > tool which works: > > > openssl s_client -connect 192.168.1.99:16001 -CAfile > ../_security/SipInspector/certificate.pem -key ../_security/client.pem > Enter pass phrase for ../_security/client.pem: > CONNECTED(00000003) > depth=0 C = CA, ST = Ontario, L = Ottawa, O = SIP Inspector Ltd, OU > = Development, CN = 192.168.1.99 > verify return:1 > --- > Certificate chain > 0 s:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector > Ltd/OU=Development/CN=192.168.1.99 > i:/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector > Ltd/OU=Development/CN=192.168.1.99 > --- > Server certificate > -----BEGIN CERTIFICATE----- > MIIFxTCCA62gAwIBAgIJALKQ3J5SEyjPMA0GCSqGSIb3DQEBCwUAMHkxCzAJBgNV > BAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMQ8wDQYDVQQHDAZPdHRhd2ExGjAYBgNV > (snip) > pt/q5/gKqRFbjyL0LDNz49vaSUYvbu3mgF2480Or4X+GPwemwdxJaF1pQw4C1WaF > RyfVjDrLNhTvv+zKCbEPyrjXCweNVRVcp8lZ8R0HmXwfgevlCNz/GQo= > -----END CERTIFICATE----- > subject=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector > Ltd/OU=Development/CN=192.168.1.99 > issuer=/C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector > Ltd/OU=Development/CN=192.168.1.99 > --- > No client certificate CA names sent > --- > SSL handshake has read 2309 bytes and written 509 bytes > --- > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA > Server public key is 4096 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1.2 > Cipher : ECDHE-RSA-DES-CBC3-SHA > Session-ID: > 5755C781D91CF3177DF624EA3599EE430DAB4790F325FAD9378FEAE7731C4497 > Session-ID-ctx: > Master-Key: > D149008E43E29D658D29418C9F770B3D6018B1D7CA2F493027B0AC7C3BA8E53B572B68C371153568B8988A1E5F351839 > Key-Arg : None > PSK identity: None > PSK identity hint: None > SRP username: None > Start Time: 1465239425 > Timeout : 300 (sec) > Verify return code: 0 (ok) > --- > > > Here's the command and output when I run my app that tries to connect to > the same in-house tool which fails: > > > ./client3 192.168.1.99 > Enter PEM pass phrase: > connecting to 192.168.1.99:16001 > -Error with certificate at depth: 0 > issuer = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector > Ltd/OU=Development /CN=192.168.1.99 > subject = /C=CA/ST=Ontario/L=Ottawa/O=SIP Inspector > Ltd/OU=Development/CN=192.168.1.99 > err 18:self signed certificate > ** client3.c:94 Error connecting SSL object > 139788992993088:error:14090086:SSL > routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify > failed:s3_clnt.c:1180: > > > > Here are the api's I call in the my app that utilize the same credentials > used by the s_client command: > > SSL_CTX_new(SSLv23_method()); > SSL_CTX_load_verify_locations(ctx, > "../_security/SipInspector/certificate.pem", NULL) > SSL_CTX_use_PrivateKey_file(ctx, "../_security/client.pem", > SSL_FILETYPE_PEM) > SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback); > SSL_CTX_set_verify_depth(ctx, 4); > SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); > > And also I used the openssl verify command to double check the certificate > against itself (not sure if this really does anything). > > Any help would be appreciated. > > > > Carl Heyendal | Software Developer > 1826 Robertson Road | Ottawa, ON K2H 5Z6 | CANADA > Office: +1 613-725-2980 x149 > > > > > > *** Please note that this message and any attachments may contain > confidential and proprietary material and information and are intended only > for the use of the intended recipient(s). If you are not the intended > recipient, you are hereby notified that any review, use, disclosure, > dissemination, distribution or copying of this message and any attachments > is strictly prohibited. If you have received this email in error, please > immediately notify the sender and destroy this e-mail and any attachments > and all copies, whether electronic or printed. Please also note that any > views, opinions, conclusions or commitments expressed in this message are > those of the individual sender and do not necessarily reflect the views of > Fortinet, Inc., its affiliates, and emails are not binding on Fortinet and > only a writing manually signed by Fortinet's General Counsel can be a > binding commitment of Fortinet to Fortinet's customers or partners. Thank > you. *** > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160701/f24f405f/attachment.html>
