Hi,
I have a big problem about the OpenSSL usage, please help. OS:?Linux?version?3.7.10-1.1-desktop?(geeko at buildhost)?(gcc?version?4.7.2?20130108?[gcc-4_7-branch?revision?195012]?(SUSE?Linux)?)?#1?SMP?PREEMPT?Thu?Feb?28?15:06:29?UTC?2013?(82d3f21)OpenSSL version:?OpenSSL?1.1.0??25?Aug?2016
I create a OpenSSL client for iOS APNs client, the SSL initial function as below:#define?CA_CERT_PATH ? ? ? ? ?"./pem"
#define?RSA_CLIENT_CERT?????"./pem/PushChatCert.pem"
#define?RSA_CLIENT_KEY ? ? ? "./pem/PushChatKey.pem"bool?CAPNSClient::InitAPNSClient()
{
????SSL_library_init();
????SSL_load_error_strings();
????ERR_clear_error();
????OpenSSL_add_all_algorithms();
?
????m_pMeth?=?TLS_client_method();
????m_pCtx?=?SSL_CTX_new(m_pMeth);
????if(NULL?==?m_pCtx)
????{
????????ERRLOG("Could?not?get?SSL?Context");
????????return?false;
????}
????if(0?==?SSL_CTX_load_verify_locations(m_pCtx,?NULL,?CA_CERT_PATH))
????{
????????/*?Handle?failed?load?here?*/
????????ERRLOG("Failed?to?set?CA?location:%s",?ERR_error_string(?ERR_get_error(),?NULL?));
????????return?false;
????}
????if?(0?==?SSL_CTX_use_certificate_file(m_pCtx,?RSA_CLIENT_CERT,?SSL_FILETYPE_PEM))
????{
????????ERRLOG("Cannot?use?Certificate?File:%s",?ERR_error_string(?ERR_get_error(),?NULL?));
????????return?false;
????}
????SSL_CTX_set_default_passwd_cb_userdata(m_pCtx,?(void*)"XXXX");
????if?(0?==?SSL_CTX_use_PrivateKey_file(m_pCtx,?RSA_CLIENT_KEY,?SSL_FILETYPE_PEM))
????{
????????ERRLOG("Cannot?use?Private?Key:%s",?ERR_error_string(?ERR_get_error(),?NULL?));
????????return?false;
????}
????if?(0?==?SSL_CTX_check_private_key(m_pCtx))
????{
????????ERRLOG("Private?key?does?not?match?the?certificate?public?key");
????????return?false;
????}
????return?true;
}
when the programe run, the?SSL_CTX_use_certificate_file failed when load the certificate as attached! the error information is:??error:140AB18F:SSL?routines:SSL_CTX_use_certificate:ee?key?too?small
as the suggestion from rt at openssl.org last night, I use?SSL_CTX_set_security_level(m_pCtx,?0) switch the security level from 1 to 0. ?But?SSL_CTX_use_certificate_file still failed! the log chang to:?error:140BF10C:SSL?routines:ssl_set_cert:x509?lib
the weird thing is, this code and pem file work well on another server, which have the security level 1. So I guess the problem come from the ssl config. After searching, I found 2 openssl.cnf files, one on /etc/ssl/, another is on /usr/local/ssl. there only 4 different config between these 2 file:1.?default_bits, one is 2048, another is 10242.?basicConstraints, one is "critical,CA:true", another is "CA:true"3.?signer_digest, one is "sha256", another don't have this parameter4.?digests, one is "sha1,?sha256,?sha384,?sha512", another is "md5,?sha1"
I already debug this issue for whole day, but still don't have any progress. Please help me, at least guide me how to solve it.?
Thanks a lot!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160913/21b64519/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PushChatCert.pem
Type: application/octet-stream
Size: 2139 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160913/21b64519/attachment-0001.obj>
