Re: SSL alert number 48

Hi there.

I guess my problem is really related to the verify callback of the SSL_CTX_set_verify function.
I just added a dummy callback returning 1 to my code and everything works properly.


#include <stdio.h>
#include <openssl/ssl.h>

int verify_callback(int ok, X509_STORE_CTX *ctx);

/* Dummy callback: ignores the result OpenSSL computed ("ok") and returns 1,
 * so every certificate is accepted and peer verification is effectively off. */
int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    printf("Verification callback OK!\n");
    return 1;
}
...
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
...

The problem is that the error doesn't give much information about what's really going on or what's really missing.
Thanks for your help.

Kind regards.


On Tue, Nov 28, 2017 at 9:11 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
Hi,

On 27/11/17 17:07, wizard2010@xxxxxxxxx wrote:
Hi there.

I'm getting this error on a TLS server & client that I'm implementing and I can't really understand what I'm doing wrong.

139853560931992:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1487:SSL alert number 48
139853560931992:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

This is the code of my server: https://pastebin.com/Fyuki8v0 and I generate the certificates this way: https://pastebin.com/CDRKU2Gc
And I'm testing the server this way: openssl s_client -host 127.0.0.1 -port 4444 -cert client.crt -key client.key -CAfile ca.crt

If I run a server this way openssl s_server -key server.key -cert server.crt -CAfile ca.crt -accept 4444
I'm able to communicate with the same certificates and on my server code I always get:
Handshake Error 1
SSL_ERROR_SSL...
 
This is the result of openssl s_client command: https://pastebin.com/AWid1mxi

FWIW: I've downloaded and compiled your code, generated certs using your script (which generates a client and server cert with the same serial number, BTW) and ran the code: I can connect just fine using either openssl 1.0.1e or 1.1.0e

My bet is that when you run your code you are not loading the right ca.crt file; another way to debug is to add an X509 verify callback which prints out each cert as it is passed for verification.

HTH,

JJK


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
