Re: SSL alert number 48

Hi,

On 29/11/17 14:37, wizard2010@xxxxxxxxx wrote:
Hi JJK,

I tested your function and I've got this result:
ok = 0
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
ok = 1
cert DN: /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd

Why do I see this 2 times?
When I created the certificates I didn't fill in any special information, I just pressed enter at every question that was asked. Do you think this could cause this issue?


What you should have seen is the certificate stack, starting with the CA, and then the client cert, e.g.

Connection accept...
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=Cookbook 2.4 CA/emailAddress=openvpn@xxxxxxxxxxx
ok = 1
cert DN: /C=US/O=Cookbook 2.4/CN=client1


So I suspect that your ca.crt on the server side is not specified correctly.
You may also send me your ca.crt, server.{crt,key} and client.{crt,key} files privately, and I will run the same test using your set of certificates.

HTH,

JJK



On Wed, Nov 29, 2017 at 8:56 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
Hi,

On 28/11/17 11:03, wizard2010@xxxxxxxxx wrote:
Hi there.

I guess my problem is really related to the verify callback of the SSL_CTX_set_verify function.
I just added a dummy callback returning 1 to my code and everything works properly.


int verify_callback (int ok, X509_STORE_CTX *ctx);
int verify_callback (int ok, X509_STORE_CTX *ctx)
{
    /* dummy: ignores ok and accepts every certificate */
    printf("Verification callback OK!\n");
    return 1;
}
...
SSL_CTX_set_verify(ssl_server_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
...

The problem is that the error doesn't give much information about what's really going on or what's really missing.
Thanks for your help.

Now you've effectively disabled all security :)

Try adding this to the verify_callback


static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    X509           *cert    = X509_STORE_CTX_get_current_cert(ctx);
    int             depth   = X509_STORE_CTX_get_error_depth(ctx);
    int             err     = X509_STORE_CTX_get_error(ctx);
    char           *cert_DN = X509_NAME_oneline( X509_get_subject_name( cert ), NULL, 0 );

    printf("ok = %d (depth %d, error %d: %s)\n", ok, depth, err,
           X509_verify_cert_error_string(err));
    printf( "cert DN: %s\n", cert_DN);
    OPENSSL_free(cert_DN);   /* X509_NAME_oneline() allocates when buf is NULL */

    return ok;               /* log only; leave OpenSSL's verdict untouched */
}


That way, you will know whether your server is processing the right certificate chain.

HTH,

JJK



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
