Hi Matt,

thanks for your reply. Please kindly find the attached to get the certificate.
Actually, after I set the security level to 0, sometimes the result is to get the error code you read before, but sometimes the program will crash directly. I checked the stack information as below:

[2016-09-13 11:52:03][crash signal number:11]
0 ./MemoSrv() [0x808031e]
1 linux-gate.so.1(__kernel_sigreturn+0) [0xb7734400]
2 /lib/libpthread.so.0(pthread_rwlock_wrlock+0xf) [0xb74f45ff]
3 ./MemoSrv(CRYPTO_THREAD_write_lock+0x1b) [0x81783cb]
4 ./MemoSrv(X509_check_purpose+0x66) [0x8237756]
5 ./MemoSrv(X509_get_extension_flags+0x2c) [0x823794c]
6 /usr/local/lib/libssl.so.1.1(+0x4dd65) [0xb76a2d65]
7 /usr/local/lib/libssl.so.1.1(SSL_CTX_use_certificate+0x41) [0xb76853c1]
8 /usr/local/lib/libssl.so.1.1(SSL_CTX_use_certificate_file+0xed) [0xb768553d]
9 ./MemoSrv() [0x80bc93b]
10 ./MemoSrv() [0x80bd32a]
11 ./MemoSrv() [0x8088dc2]
12 ./MemoSrv() [0x80805e8]
13 /lib/libc.so.6(__libc_start_main+0xf3) [0xb738a6e3]
14 ./MemoSrv() [0x808010d]

If you need additional information or operation, please let me know. Thanks!

------------------------------------------------------------------
From: Matt Caswell <matt at openssl.org>
Sent: 13 September 2016 (Tuesday) 22:07
To: openssl-users <openssl-users at openssl.org>
Subject: Re: [openssl-users] [help]SSL_CTX_use_certificate_file failed!

Comments inserted...

On 13/09/16 14:17, zy_chongqing wrote:
> Hi,
>
> I have a big problem about the OpenSSL usage, please help.
> OS: Linux version 3.7.10-1.1-desktop (geeko at buildhost) (gcc version 4.7.2 20130108 [gcc-4_7-branch revision 195012] (SUSE Linux) ) #1 SMP PREEMPT Thu Feb 28 15:06:29 UTC 2013 (82d3f21)
> OpenSSL version: OpenSSL 1.1.0  25 Aug 2016
>
> I create an OpenSSL client for iOS APNs client, the SSL initial function
> as below:
> #define CA_CERT_PATH          "./pem"
> #define RSA_CLIENT_CERT       "./pem/PushChatCert.pem"
> #define RSA_CLIENT_KEY        "./pem/PushChatKey.pem"
> bool CAPNSClient::InitAPNSClient()
> {
>     SSL_library_init();
>     SSL_load_error_strings();
>     ERR_clear_error();
>     OpenSSL_add_all_algorithms();

None of the above 4 function calls are required in OpenSSL 1.1.0. They
can be removed. That's not your problem though...

>
>     m_pMeth = TLS_client_method();
>
>     m_pCtx = SSL_CTX_new(m_pMeth);
>     if(NULL == m_pCtx)
>     {
>         ERRLOG("Could not get SSL Context");
>         return false;
>     }
>
>     if(0 == SSL_CTX_load_verify_locations(m_pCtx, NULL, CA_CERT_PATH))
>     {
>         /* Handle failed load here */
>         ERRLOG("Failed to set CA location:%s", ERR_error_string( ERR_get_error(), NULL ));
>         return false;
>     }
>
>     if (0 == SSL_CTX_use_certificate_file(m_pCtx, RSA_CLIENT_CERT, SSL_FILETYPE_PEM))
>     {
>         ERRLOG("Cannot use Certificate File:%s", ERR_error_string( ERR_get_error(), NULL ));
>         return false;
>     }
>
>     SSL_CTX_set_default_passwd_cb_userdata(m_pCtx, (void*)"XXXX");
>
>     if (0 == SSL_CTX_use_PrivateKey_file(m_pCtx, RSA_CLIENT_KEY, SSL_FILETYPE_PEM))
>     {
>         ERRLOG("Cannot use Private Key:%s", ERR_error_string( ERR_get_error(), NULL ));
>         return false;
>     }
>
>     if (0 == SSL_CTX_check_private_key(m_pCtx))
>     {
>         ERRLOG("Private key does not match the certificate public key");
>         return false;
>     }
>
>     return true;
> }
>
> when the program runs, the SSL_CTX_use_certificate_file failed when load
> the certificate as attached! the error information
> is:  error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
>
> as the suggestion from rt at openssl.org last night, I
> use SSL_CTX_set_security_level(m_pCtx, 0) switch the security level from
> 1 to 0.  But SSL_CTX_use_certificate_file still failed! the log changes
> to: error:140BF10C:SSL routines:ssl_set_cert:x509 lib

As far as I can determine from the errors you are seeing,
SSL_CTX_use_certificate_file() has successfully read the certificate
file and returned a non NULL X509 object (otherwise you would have seen
a different error).

Once SSL_CTX_use_certificate_file() has got an X509 object it then calls
SSL_CTX_use_certificate().

This calls an internal function ssl_security_cert(), which in turn calls
ssl_security_cert_key(), which calls X509_get0_pubkey() on the supplied
X509 object. *If this returns NULL* then an internal variable secbits
which represents the number of security bits in the public key is set to
-1. Subsequently various calls take place and if the number of security
bits is too small (which presumably -1 is) then you get the "ee key too
small" error.

By setting the security level to 0, the above is avoided and processing
gets further. SSL_CTX_use_certificate() next calls an internal function
ssl_set_cert().

The first thing ssl_set_cert() does is call X509_get0_pubkey() again. If
this returns NULL then you get the "x509 lib" error.

Therefore, I believe there is a problem with the X509_get0_pubkey()
call, such that it is always returning NULL for your particular
certificate. The question is why? Are you able to share the certificate
file?  Are there any other errors on the error queue besides these ones?
There are a few different things that could cause this and a number of
them would add additional errors to the error queue.

Matt
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160913/be3e9f02/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PushChatCert.pem
Type: application/octet-stream
Size: 2139 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160913/be3e9f02/attachment-0001.obj>
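
The two errors traced in the quoted reply come from the same unreadable public key, seen at two different checks. The sketch below is an added example, not OpenSSL source and not code from this thread: `cert_model`, `model_use_certificate` and `result_name` are hypothetical names, the inputs are constructed, and the per-level minimum bits are the values documented for SSL_CTX_set_security_level().

```c
#include <stdio.h>
/* Hypothetical stand-in for an X509 object: only what the two checks read. */
struct cert_model {
    int has_pubkey;   /* 0 models X509_get0_pubkey() returning NULL */
    int key_secbits;  /* security bits of the key, e.g. 112 for RSA-2048 */
};
enum load_result { LOAD_OK, ERR_EE_KEY_TOO_SMALL, ERR_X509_LIB };

/* Documented minimum bits for levels 1..5; level 0 permits everything. */
static int min_bits_for_level(int level)
{
    static const int minbits[] = { 80, 112, 128, 192, 256 };
    if (level <= 0) return 0;
    return minbits[(level > 5 ? 5 : level) - 1];
}

/* Models the order of checks described in the thread (not OpenSSL source). */
enum load_result model_use_certificate(const struct cert_model *c, int level)
{
    /* Check 1 (ssl_security_cert_key): a missing key gives secbits = -1. */
    int secbits = c->has_pubkey ? c->key_secbits : -1;
    if (level > 0 && secbits < min_bits_for_level(level))
        return ERR_EE_KEY_TOO_SMALL;
    /* Check 2 (ssl_set_cert): fetches the key again, fails if it is NULL. */
    if (!c->has_pubkey)
        return ERR_X509_LIB;
    return LOAD_OK;
}

const char *result_name(enum load_result r)
{
    switch (r) {
    case LOAD_OK:              return "ok";
    case ERR_EE_KEY_TOO_SMALL: return "ee key too small";
    default:                   return "x509 lib";
    }
}

int main(void)
{
    /* Constructed inputs: unreadable key, RSA-1024 (80 bits), RSA-2048 (112). */
    struct cert_model nokey = { 0, 0 }, rsa1024 = { 1, 80 }, rsa2048 = { 1, 112 };
    for (int level = 0; level <= 2; level++)
        printf("level %d: nokey=%s rsa1024=%s rsa2048=%s\n", level,
               result_name(model_use_certificate(&nokey, level)),
               result_name(model_use_certificate(&rsa1024, level)),
               result_name(model_use_certificate(&rsa2048, level)));
    return 0;
}
```

In this model, lowering the level to 0 only moves the failure from the first check to the second; the certificate's key is still unreadable.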